;-) will do mate. I'm writing a list of items to cover at the moment actually.

On 01/30/2012 08:02 PM, Dmitri Pal wrote:
> On 01/30/2012 02:50 PM, Dale Macartney wrote:
>> Hey Erinn, funny you mention that actually, I was adding service
>> principals when I was first troubleshooting that.
>>
>> SSO is definitely on the planned cards for me to be honest. I'll send
>> through the details to the list once I have a reproducible configuration :-)
>
> And to the page, please
>
>> thanks for the positive feedback.
>>
>> Dale
>>
>> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
>> > On 01/30/2012 10:20 AM, Dale Macartney wrote:
>> >>
>> >> Hi Erinn
>> >>
>> >> I originally asked the question as I was thinking my auth attempts were
>> >> failing when using ipa, however this was not the case.
>> >>
>> >> On closer inspection, I found that the authentication was successful yet
>> >> dovecot was failing to read a "missing" mailbox.
>> >>
>> >> I found that dovecot was simply missing the mailbox_location directive,
>> >> detailed below.
>> >>
>> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>> >>
>> >> Once I restarted dovecot with this extra line, the authentication was
>> >> again validated. I was then prompted to accept the self-signed
>> >> certificate from dovecot and I was able to retrieve the mail as intended.
>> >>
>> >> Does this help clear things up?
>> >>
>> >> Dale
>> >>
>> >>> So I am a bit confused here, is this working for you or not? It looked
>> >>> like you were asking a question to begin with, but then at the end you
>> >>> are saying it is 100% working?
>> >>
>> >>> Just trying to figure out whether you need help,
>> >>> -Erinn
>> >>
>> > Hey sounds good to me, just glad it is working for you :). The only
>> > other question/suggestion I have is that it looks like you aren't
>> > leveraging Kerberos in your configuration for SSO. You might want to
>> > think about doing this as it can be a pretty nice configuration.
>>
>> > Essentially you would just need to add service principals for the host
>> > in the form of imap and/or pop, and change the auth line in your dovecot
>> > config to allow for gssapi auth, like so:
>>
>> > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>>
>> > Then assuming your user has a ticket, and their client is properly
>> > configured, they no longer need to do anything upon logging into their
>> > system, kerb will auth the rest.
>>
>> > If you are on a multihomed system, you will need two additional changes,
>> > service principals for the other host name, and the following modification:
>> > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>>
>> > I got a little caught up when you referenced the /etc/krb5.keytab file
>> > as possibly part of the problem so I thought this was more a kerb issue.
>>
>> > -Erinn
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipaemail@example.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
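The two edits Erinn describes, followed by a check that the keytab really holds a service principal for every host name clients use, as an added example that is not part of the original thread. The config snippet, the keytab listing and the example.test host names are constructed, and the sed expressions run as a filter on stdin because the thread does not name the file they edit.

```shell
#!/bin/sh
# Added example, not from the thread. Config and keytab listing are constructed.

# The thread's two sed edits as a stdin filter instead of -i on an unnamed file
# (-E and [[:space:]] stand in for GNU -r and \s).
apply_thread_edits() {
    sed -E -e 's&([[:space:]]mechanisms =).*&\1 gssapi plain&' \
           -e 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
}

# check_gssapi CONF KEYTAB_LISTING SERVICES HOST...
# Prints one line per gap; exit status is non-zero if any gap was found.
check_gssapi() (
    conf=$1 keytab=$2 services=$3; shift 3
    rc=0
    # Last uncommented "mechanisms =" / "auth_mechanisms =" value must list gssapi.
    mech=$(printf '%s\n' "$conf" | sed -n -E \
        's/^[[:space:]]*(auth_)?mechanisms[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    case " $mech " in
        *" gssapi "*) ;;
        *) echo "gssapi not in mechanisms"; rc=1 ;;
    esac
    # Every name clients use needs a service principal in the keytab.
    for host in "$@"; do
        for svc in $services; do
            printf '%s\n' "$keytab" | grep -q -F " $svc/$host@" ||
                { echo "no keytab entry for $svc/$host"; rc=1; }
        done
    done
    # More than one name: the thread's multihomed change must be active.
    if [ "$#" -gt 1 ] && ! printf '%s\n' "$conf" | grep -q -E \
        '^[[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*\$ALL'; then
        echo 'auth_gssapi_hostname is not $ALL'; rc=1
    fi
    exit "$rc"
)

CONF_BEFORE='#auth_gssapi_hostname =
auth default {
  mechanisms = plain
}'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 imap/mail.example.test@EXAMPLE.TEST'
CONF_AFTER=$(printf '%s\n' "$CONF_BEFORE" | apply_thread_edits)
check_gssapi "$CONF_BEFORE" "$KEYTAB" imap mail.example.test
check_gssapi "$CONF_AFTER" "$KEYTAB" imap mail.example.test mx2.example.test
echo "checks done"
```

On a real host the second argument would be the output of `klist -k` for the keytab Dovecot reads.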