<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 01/30/2012 02:50 PM, Dale Macartney wrote: > <blockquote type="cite">Hey Erinn, funny you mention that actually, I was adding service principles when i was first troubleshooting that. SSO is definitely on the planned cards for me to be honest. I'll send through the details to the list one I have a reproducible configuration :-) </blockquote> And to the page, please <blockquote type="cite"> thanks for the positive feedback. Dale On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote: > On 01/30/2012 10:20 AM, Dale Macartney wrote: >> >> Hi Erinn >> >> I originally asked the question as I was thinking my auth attempts were >> failing when using ipa, however this was not the case. >> >> On closer inspection, i found that the authentication was successful yet >> dovecot was failing to read a "missing" mailbox. >> >> I found that dovecot was simply missing the mailbox_location directive, >> detailed below. >> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u >> >> Once I restarted dovecot with this extra line, the authentication was >> again validated. I was then prompted to accept the self-signed >> certificate from dovecot and I was able to retrieve the mail as intended. >> >> Does this help clear things up? >> >> >> Dale >>> So I am a bit confused here, is this working for you or not? It looked >>> like you were asking a question to begin with, but then at then end you >>> are saying it is 100% working? >> >>> Just trying to figure out whether you need help, >>> -Erinn >> > Hey sounds good to me, just glad it is working for you :). The only > other question/suggestion I have is that it looks like you aren't > leveraging kerberos in your configuration for SSO, You might want to > think about doing this as it can be a pretty nice configuration. > Essentially you would just need to add service principles for the host > in the form of imap and or pop, and change the auth line in your dovecot > config to allow for gssapi auth, like so: > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&" > Then assuming your user has a ticket, and their client is properly > configured, they no longer need to do anything upon logging into their > system, kerb will auth the rest. > If you are on a multihomed system, you will need two additional changes, > service principles for the other host name, and the following modification: > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&' > I got a little caught up when you referenced the /etc/krb5.keytab file > as possibly part of the problem so I thought this was more a kerb issue. > -Erinn </blockquote> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </body> </html>