On 01/30/2012 02:50 PM, Dale Macartney wrote:
>
> Hey Erinn, funny you mention that actually, I was adding service
> principals when I was first troubleshooting that.
>
> SSO is definitely on the planned cards for me to be honest. I'll send
> through the details to the list once I have a reproducible
> configuration :-)

And to the page, please.

> thanks for the positive feedback.
>
> Dale
>
>
> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> > On 01/30/2012 10:20 AM, Dale Macartney wrote:
> >>
> >> Hi Erinn
> >>
> >> I originally asked the question as I was thinking my auth attempts were
> >> failing when using ipa, however this was not the case.
> >>
> >> On closer inspection, I found that the authentication was successful yet
> >> dovecot was failing to read a "missing" mailbox.
> >>
> >> I found that dovecot was simply missing the mailbox_location directive,
> >> detailed below.
> >>
> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> >>
> >> Once I restarted dovecot with this extra line, the authentication was
> >> again validated. I was then prompted to accept the self-signed
> >> certificate from dovecot and I was able to retrieve the mail as intended.
> >>
> >> Does this help clear things up?
> >>
> >>
> >> Dale
> >
> >>> So I am a bit confused here, is this working for you or not? It looked
> >>> like you were asking a question to begin with, but then at the end you
> >>> are saying it is 100% working?
> >>
> >>> Just trying to figure out whether you need help,
> >>> -Erinn
> >>
> >
> > Hey sounds good to me, just glad it is working for you :). The only
> > other question/suggestion I have is that it looks like you aren't
> > leveraging kerberos in your configuration for SSO. You might want to
> > think about doing this as it can be a pretty nice configuration.
> >
> > Essentially you would just need to add service principals for the host
> > in the form of imap and or pop, and change the auth line in your dovecot
> > config to allow for gssapi auth, like so:
> >
> > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
> >
> > Then assuming your user has a ticket, and their client is properly
> > configured, they no longer need to do anything upon logging into their
> > system, kerb will auth the rest.
> >
> > If you are on a multihomed system, you will need two additional changes,
> > service principals for the other host name, and the following
> > modification:
> >
> > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
> >
> > I got a little caught up when you referenced the /etc/krb5.keytab file
> > as possibly part of the problem so I thought this was more a kerb issue.
> >
> > -Erinn
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
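An added example, not from any of the posters, covering the two things a practitioner would want to confirm when following Erinn's steps: that the mechanism line was actually rewritten (a `sed -i` whose pattern does not match changes nothing and says nothing) and that the keytab Dovecot reads holds the imap/ and pop/ principals for the host. It assumes the Dovecot 2.x file layout (`auth_mechanisms = ...`, normally in conf.d/10-auth.conf); the 1.x `mechanisms =` form that Erinn's sed targets is matched by the same pattern.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the Dovecot 2.x layout where
# the mechanism list is "auth_mechanisms = ..." in conf.d/10-auth.conf; the
# 1.x form "  mechanisms = ..." that Erinn's sed targets matches the same
# pattern. The "sed -i -r ... &...&" form from the thread is rewritten with
# a temp file and "|" as delimiter so it is portable and easier to read.

# enable_gssapi CONF [multihomed]
# Sets "gssapi plain" on the mechanism line. With a second argument it also
# sets auth_gssapi_hostname = $ALL, as the thread advises for multihomed
# hosts. Fails when no mechanism line exists: a bare "sed -i" would leave
# the file unchanged without saying so.
enable_gssapi() {
    conf=$1
    if ! grep -Eq '^[[:space:]]*(auth_)?mechanisms[[:space:]]*=' "$conf"; then
        echo "enable_gssapi: no mechanisms line in $conf" >&2
        return 1
    fi
    sed -E 's|^([[:space:]]*(auth_)?mechanisms[[:space:]]*=).*|\1 gssapi plain|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    if [ -n "$2" ]; then
        if grep -Eq '^[[:space:]]*#?[[:space:]]*auth_gssapi_hostname' "$conf"; then
            sed -E 's|^[[:space:]]*#?[[:space:]]*auth_gssapi_hostname.*|auth_gssapi_hostname = $ALL|' \
                "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        else
            printf 'auth_gssapi_hostname = $ALL\n' >> "$conf"
        fi
    fi
}

# keytab_has_principals KLIST_OUTPUT HOST
# Reads saved "klist -k" output for the keytab Dovecot uses and confirms both
# imap/HOST and pop/HOST principals are present (the thread's first step);
# names any that are missing and returns 1.
keytab_has_principals() {
    out=$1
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    missing=0
    for svc in imap pop; do
        if ! grep -Eq "[[:space:]]$svc/$host_re@" "$out"; then
            echo "missing principal: $svc/$2" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run `klist -k /path/to/dovecot.keytab > /tmp/kt.txt` on the mail host and pass that file to `keytab_has_principals` together with the name clients connect to; on a multihomed box, run it once per host name.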