[Freeipa-users] Dovecot IMAP with IPA 2.x?

Dale Macartney dale at themacartneyclan.com
Fri Feb 3 07:31:33 UTC 2012



Hi Craig

I am actually working on this very thing at the moment.

There is a very basic config here
(http://freeipa.org/page/Dovecot_Integration); however, this is using PAM
for everything.

The end goal of course is SSO, in which I have managed to get GSSAPI for
authentication working and PAM is used for the user lookups.

Here is what I have in a working state on RHEL 6.2:

#####

# home directories created on first login
yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start

ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
sed -i "s-#mail_location-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g" /etc/dovecot/conf.d/10-mail.conf
echo "userdb {" >> /etc/dovecot/conf.d/10-auth.conf
echo "  driver = static" >> /etc/dovecot/conf.d/10-auth.conf
echo "  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u" >> /etc/dovecot/conf.d/10-auth.conf
echo "}" >> /etc/dovecot/conf.d/10-auth.conf
# GSSAPI authentication against the IPA realm using the service keytab
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

kinit admin

# create the service principals in IPA and fetch their keys into the dovecot keytab
ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab

service dovecot restart

####

By having the system tapped into the IPA domain, PAM allows Dovecot to
pass user lookups successfully. With the GSSAPI changes to
/etc/dovecot/conf.d/10-auth.conf and using a keytab for the service
principals, users can log in successfully without issue (I have only
tested this with GSSAPI at the moment).

Successful authentication appears in /var/log/maillog as follows:

Feb  2 22:50:45 mail04 dovecot: imap-login: Login: user=<user1 at example.com>, method=GSSAPI, rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS

The only issue I am presently facing is with the mail_location directive
in Dovecot.

Unless the user's homedir actually exists, you will get errors like this:

Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) failed: Permission denied (euid=1201600003(user1) egid=1201600003(user1) missing +w perm: /home, euid is not dir owner)

I have been experimenting with how best to address this; however, I am
constantly being pushed back to the only way of having a userdir that
actually exists being a homedir, which would be created when a user
first logs in.

Yes, if you SSH to the Dovecot server as the user (with oddjobd running
in the background) it will create the homedir with no problems and the
issue is resolved; however, users should not *have to* interactively log
into a server just to allow them to access mail.

My only thinking here is shared homedirs (NFS?) between clients and
servers; however, my thought on this is: "if Dovecot is redirecting a
user's mail to their homedir, then why do we need Dovecot to access it
via IMAP when the mail will already appear in their homedir?"

Does anyone have any thoughts on this?

Dale


On 02/03/2012 04:33 AM, Craig T wrote:
> Hi,
>
> Has anyone setup Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use:
> * IMAPS between the mail clients and Dovecot server
> * LDAPS with "Passdb LDAP with authentication binds" to connect to IPA?
> ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> cya
>
> Craig
>
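An added example (not part of the thread above) for watching the two kinds of maillog entries the post quotes: it parses Dovecot imap-login lines to confirm that logins really arrive with method=GSSAPI over TLS, and flags the mail_location mkdir failures that reveal a user whose home directory does not yet exist. The sample log text is constructed to match the quoted entries (the list archive's "user1 at example.com" is written as a normal address here); the allowed-method list is an assumption, not a Dovecot setting.

```python
import re

# Constructed sample, modelled on the /var/log/maillog lines quoted in the post.
SAMPLE_LOG = """\
Feb  2 22:50:45 mail04 dovecot: imap-login: Login: user=<user1@example.com>, method=GSSAPI, rip=192.168.122.61, lip=192.168.122.44, mpid=2216, TLS
Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/user1/mail) failed: Permission denied (euid=1201600003(user1) egid=1201600003(user1) missing +w perm: /home, euid is not dir owner)
Feb  2 22:51:10 mail04 dovecot: imap-login: Login: user=<user2@example.com>, method=PLAIN, rip=192.168.122.70, lip=192.168.122.44, mpid=2220
"""

# imap-login success line: who, which SASL mechanism, from which remote IP.
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>, method=(?P<method>\w+), rip=(?P<rip>[\d.]+)"
)
# mail_location initialisation failure: which user and which directory could not be created.
MKDIR_RE = re.compile(
    r"imap\((?P<user>[^)]+)\): Error: .*mkdir\((?P<path>[^)]+)\) failed: Permission denied"
)


def parse_maillog(text):
    """Return (logins, failures) parsed from maillog text."""
    logins, failures = [], []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append({
                "user": m["user"],
                "method": m["method"],
                "rip": m["rip"],
                # Dovecot appends ", TLS" only when the session was encrypted.
                "tls": line.rstrip().endswith(", TLS"),
            })
            continue
        m = MKDIR_RE.search(line)
        if m:
            failures.append({"user": m["user"], "path": m["path"]})
    return logins, failures


def findings(text, allowed_methods=("GSSAPI",)):
    """Human-readable list of things an admin of this setup would want to know."""
    logins, failures = parse_maillog(text)
    out = []
    for lg in logins:
        if lg["method"] not in allowed_methods:  # assumption: only GSSAPI is expected
            out.append(f"{lg['user']} from {lg['rip']}: unexpected auth method {lg['method']}")
        if not lg["tls"]:
            out.append(f"{lg['user']} from {lg['rip']}: login without TLS")
    for f in failures:
        out.append(f"{f['user']}: cannot create {f['path']} (home directory missing?)")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```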
