<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/30/2012 02:50 PM, Dale Macartney wrote:<br>
<span style="white-space: pre;">></span><br>
<blockquote type="cite">Hey Erinn, funny you mention that actually,
I was adding service<br>
principals when I was first troubleshooting that.<br>
<br>
SSO is definitely on the planned cards for me to be honest. I'll
send<br>
through the details to the list once I have a reproducible
configuration :-)<br>
</blockquote>
And to the page, please<br>
<br>
<blockquote type="cite"><br>
thanks for the positive feedback.<br>
<br>
Dale<br>
<br>
<br>
<br>
On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:<br>
> On 01/30/2012 10:20 AM, Dale Macartney wrote:<br>
>><br>
>> Hi Erinn<br>
>><br>
>> I originally asked the question as I was thinking my auth
attempts were<br>
>> failing when using ipa, however this was not the case.<br>
>><br>
>> On closer inspection, I found that the authentication was
successful yet<br>
>> dovecot was failing to read a "missing" mailbox.<br>
>><br>
>> I found that dovecot was simply missing the
mail_location directive,<br>
>> detailed below.<br>
>><br>
>> mail_location = mbox:~/mail:INBOX=/var/mail/%u<br>
>><br>
>> Once I restarted dovecot with this extra line, the
authentication was<br>
>> again validated. I was then prompted to accept the
self-signed<br>
>> certificate from dovecot and I was able to retrieve the
mail as intended.<br>
>><br>
>> Does this help clear things up?<br>
>><br>
>><br>
>> Dale<br>
<br>
>>> So I am a bit confused here, is this working for you
or not? It looked<br>
>>> like you were asking a question to begin with, but
then at the end you<br>
>>> are saying it is 100% working?<br>
>><br>
>>> Just trying to figure out whether you need help,<br>
>>> -Erinn<br>
>><br>
<br>
> Hey, sounds good to me, just glad it is working for you :).
The only<br>
> other question/suggestion I have is that it looks like you
aren't<br>
> leveraging Kerberos in your configuration for SSO. You might
want to<br>
> think about doing this as it can be a pretty nice
configuration.<br>
<br>
> Essentially you would just need to add service principals for
the host<br>
> in the form of imap and/or pop, and change the auth line in
your dovecot<br>
> config to allow for GSSAPI auth, like so:<br>
<br>
> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"<br>
<br>
> Then, assuming your user has a ticket and their client is
properly<br>
> configured, they no longer need to do anything upon logging
into their<br>
> system; Kerberos will auth the rest.<br>
<br>
> If you are on a multihomed system, you will need two
additional changes:<br>
> service principals for the other host name, and the following
modification:<br>
> sed -i -r
's&#auth_gssapi_hostname.*&auth_gssapi_hostname =
$ALL&'<br>
<br>
> I got a little caught up when you referenced the
/etc/krb5.keytab file<br>
> as possibly part of the problem, so I thought this was more a
Kerberos issue.<br>
<br>
> -Erinn<br>
<br>
<br>
<br>
<br>
</blockquote>
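The steps Erinn outlines above (service principals for imap/&lt;host&gt;, a keytab Dovecot can read, GSSAPI in the auth mechanism list, and auth_gssapi_hostname = $ALL on a multihomed box) as one runnable script. This is an added example, not code from the thread or from the FreeIPA or Dovecot projects. It assumes Dovecot 2.x syntax (auth_mechanisms = ... in conf.d/10-auth.conf); note that the two sed commands quoted above give no file name and their first pattern ("\smechanisms =") matches the Dovecot 1.x "mechanisms =" line inside an auth default { } block, not the 2.x auth_mechanisms line. The IPA server name, mail host names and the keytab path /etc/dovecot/dovecot.keytab are assumptions; the 10-auth.conf excerpt the demo edits is constructed so the config part runs offline, while the IPA part only runs when you call it with an admin ticket.<br>
<br>
```shell
#!/bin/sh
# Added example: FreeIPA + Dovecot GSSAPI setup following the thread's outline.
# Assumptions: Dovecot 2.x config syntax, keytab at /etc/dovecot/dovecot.keytab,
# host names passed in by the caller. Not the thread's or the projects' own code.
set -eu

KEYTAB=/etc/dovecot/dovecot.keytab

# --- IPA side (needs "kinit admin" first; not run by the demo below) -----------
# One imap/<fqdn> principal per name clients connect to; on a multihomed host
# pass every name in ONE call: each ipa-getkeytab run generates a fresh key for
# that principal, so fetching principals one at a time into separate keytabs
# would silently invalidate the earlier ones.
provision_imap_principals() {
    ipa_server="$1"; shift
    for fqdn in "$@"; do
        ipa service-add "imap/$fqdn" >/dev/null
        ipa-getkeytab -s "$ipa_server" -p "imap/$fqdn" -k "$KEYTAB"
    done
    chmod 0600 "$KEYTAB"          # auth process runs as root by default
}

# --- Dovecot side -------------------------------------------------------------
# Portable in-place edit (BSD and GNU sed differ on -i): rewrite via a temp file.
sed_inplace() {
    f="$1"; shift
    sed -E "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# enable_dovecot_gssapi CONF KEYTAB [yes]  -- third arg "yes" for multihomed hosts
enable_dovecot_gssapi() {
    conf="$1"; keytab="$2"; multihomed="${3:-no}"
    # Offer GSSAPI first, keep PLAIN (over TLS) for clients without a ticket.
    sed_inplace "$conf" -e 's|^([[:space:]]*auth_mechanisms[[:space:]]*=).*|\1 gssapi plain|'
    # Use a dedicated keytab instead of the system /etc/krb5.keytab.
    sed_inplace "$conf" -e "s|^#?[[:space:]]*auth_krb5_keytab[[:space:]]*=.*|auth_krb5_keytab = $keytab|"
    if [ "$multihomed" = yes ]; then
        # Accept any imap/<name> entry in the keytab, not just gethostname().
        sed_inplace "$conf" -e 's|^#?[[:space:]]*auth_gssapi_hostname[[:space:]]*=.*|auth_gssapi_hostname = $ALL|'
    fi
}

# Returns 0 only if both settings are now active (uncommented) in CONF.
verify_dovecot_gssapi() {
    conf="$1"
    grep -Eq '^auth_mechanisms[[:space:]]*=.*gssapi' "$conf" || return 1
    grep -Eq '^auth_krb5_keytab[[:space:]]*=' "$conf" || return 1
}

# Live checks on a real host (not run by the demo): is the key there, and does
# Dovecot see the setting?  A user then just needs "kinit" before connecting.
live_checks() {
    klist -kt "$KEYTAB"
    doveconf auth_mechanisms
    doveconf auth_gssapi_hostname
}

# Constructed excerpt of a stock 2.x conf.d/10-auth.conf, written to a temp file.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Space separated list of wanted authentication mechanisms:
#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
auth_mechanisms = plain
# Kerberos keytab to use for the GSSAPI mechanism.
#auth_krb5_keytab =
# GSSAPI hostname. Use "$ALL" to allow all keytab entries.
#auth_gssapi_hostname =
EOF
    echo "$f"
}

# Stand-alone demo against the constructed config (no IPA server needed).
conf=$(make_sample_conf)
enable_dovecot_gssapi "$conf" "$KEYTAB" yes
verify_dovecot_gssapi "$conf" && cat "$conf"
rm -f "$conf"
```
<br>
On the real host you would run provision_imap_principals ipa.example.com mail.example.com mail2.example.com, then enable_dovecot_gssapi /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/dovecot.keytab yes, restart dovecot and run live_checks. Keep disable_plaintext_auth at its default of yes so the PLAIN fallback only ever travels inside TLS.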
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IPA project,<br>
Red Hat Inc.<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>