Hey Erinn, funny you mention that actually, I was adding service principals when I was first troubleshooting that.

SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list once I have a reproducible configuration :-) Thanks for the positive feedback.

Dale

On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> On 01/30/2012 10:20 AM, Dale Macartney wrote:
>>
>> Hi Erinn
>>
>> I originally asked the question as I was thinking my auth attempts were
>> failing when using ipa, however this was not the case.
>>
>> On closer inspection, I found that the authentication was successful yet
>> dovecot was failing to read a "missing" mailbox.
>>
>> I found that dovecot was simply missing the mailbox_location directive,
>> detailed below.
>>
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>>
>> Once I restarted dovecot with this extra line, the authentication was
>> again validated. I was then prompted to accept the self-signed
>> certificate from dovecot and I was able to retrieve the mail as intended.
>>
>> Does this help clear things up?
>>
>> Dale
>
>>> So I am a bit confused here, is this working for you or not? It looked
>>> like you were asking a question to begin with, but then at the end you
>>> are saying it is 100% working?
>>
>>> Just trying to figure out whether you need help,
>>> -Erinn
>>
>
> Hey sounds good to me, just glad it is working for you :). The only
> other question/suggestion I have is that it looks like you aren't
> leveraging kerberos in your configuration for SSO. You might want to
> think about doing this as it can be a pretty nice configuration.
>
> Essentially you would just need to add service principals for the host
> in the form of imap and or pop, and change the auth line in your dovecot
> config to allow for gssapi auth, like so:
>
> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>
> Then assuming your user has a ticket, and their client is properly
> configured, they no longer need to do anything upon logging into their
> system, kerb will auth the rest.
>
> If you are on a multihomed system, you will need two additional changes,
> service principals for the other host name, and the following modification:
> sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>
> I got a little caught up when you referenced the /etc/krb5.keytab file
> as possibly part of the problem so I thought this was more a kerb issue.
>
> -Erinn
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
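The two dovecot changes Erinn describes in the thread above, written out as an added example that is not part of the thread or of the dovecot project: a small POSIX shell script that applies them to a copy of a dovecot auth config and reads the resulting values back, so that the edit is verified rather than assumed. It assumes dovecot 2.x key names (auth_mechanisms and auth_gssapi_hostname; Erinn's "\smechanisms =" pattern targets the older indented "auth default { mechanisms = ... }" layout), it writes through a temporary file instead of sed -i so the original is never half-edited, and the sample config it operates on is constructed for the example. Listing gssapi before plain means a client holding a ticket never sends a password, while plain remains as a fallback for clients without one.

```shell
#!/bin/sh
# Added example (not from the thread): enable GSSAPI (Kerberos) auth in a
# dovecot 2.x config, optionally allow any keytab host on a multihomed box,
# and read the settings back to confirm the change.
# Assumptions: dovecot 2.x key names; all paths and file contents below are
# constructed for this example.

# Write a constructed sample config (labelled constructed) to the given path.
make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample, modelled on a default 10-auth.conf
auth_mechanisms = plain
#auth_gssapi_hostname = example.com
mail_location = mbox:~/mail:INBOX=/var/mail/%u
EOF
}

# Rewrite a file through a temp copy so a failed sed never truncates it.
rewrite_in_place() {
  # $1 = file, $2 = sed expression
  sed -E "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Same intent as Erinn's first sed, for the dovecot 2.x key name:
# "auth_mechanisms = plain" becomes "auth_mechanisms = gssapi plain".
enable_gssapi() {
  rewrite_in_place "$1" 's|^(auth_mechanisms[[:space:]]*=).*|\1 gssapi plain|'
}

# Multihomed host: uncomment auth_gssapi_hostname and set it to $ALL so
# dovecot accepts a ticket for any imap/pop principal present in its keytab.
allow_any_keytab_host() {
  rewrite_in_place "$1" 's|^#?auth_gssapi_hostname.*|auth_gssapi_hostname = $ALL|'
}

# Read back the value of an uncommented setting (first match only).
get_setting() {
  # $1 = config file, $2 = key name (plain identifier, no regex specials)
  sed -n -E "s|^$2[[:space:]]*=[[:space:]]*(.*)|\1|p" "$1" | head -n 1
}

# Usage: sh dovecot-gssapi.sh          -> demo on a constructed temp copy
#        sh dovecot-gssapi.sh FILE     -> apply to FILE (work on a copy first)
if [ "$#" -ge 1 ]; then
  conf="$1"
else
  conf=$(mktemp) && make_sample_conf "$conf"
fi
enable_gssapi "$conf"
allow_any_keytab_host "$conf"
printf 'auth_mechanisms      = %s\n' "$(get_setting "$conf" auth_mechanisms)"
printf 'auth_gssapi_hostname = %s\n' "$(get_setting "$conf" auth_gssapi_hostname)"
[ "$#" -ge 1 ] || rm -f "$conf"
```

After applying it to a real config, the remaining check is on the Kerberos side: the keytab dovecot reads must actually contain the imap/ (and, if used, pop/) principals for every hostname clients connect to, which klist -k on that keytab will show; a missing principal is the usual reason GSSAPI falls back to a password prompt even after the config change.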