[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Mon Jan 30 19:41:47 UTC 2012


On 01/30/2012 10:20 AM, Dale Macartney wrote:
> 
> Hi Erinn
> 
> I originally asked the question as I was thinking my auth attempts were
> failing when using ipa, however this was not the case.
> 
> On closer inspection, I found that the authentication was successful yet
> dovecot was failing to read a "missing" mailbox.
> 
> I found that dovecot was simply missing the mail_location directive,
> detailed below.
> 
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> 
> Once I restarted dovecot with this extra line, the authentication was
> again validated. I was then prompted to accept the self-signed
> certificate from dovecot and I was able to retrieve the mail as intended.
> 
> Does this help clear things up?
> 
> 
> Dale

>> So I am a bit confused here, is this working for you or not? It looked
>> like you were asking a question to begin with, but then at the end you
>> are saying it is 100% working?
> 
>> Just trying to figure out whether you need help,
>> -Erinn
> 

Hey, sounds good to me, just glad it is working for you :). The only
other question/suggestion I have is that it looks like you aren't
leveraging kerberos in your configuration for SSO. You might want to
think about doing this as it can be a pretty nice configuration.

Essentially you would just need to add service principals for the host
in the form of imap and/or pop, and change the auth line in your dovecot
config to allow for gssapi auth, like so:

sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&" <path to your dovecot auth config>

Then assuming your user has a ticket, and their client is properly
configured, they no longer need to do anything upon logging into their
system, kerb will auth the rest.

If you are on a multihomed system, you will need two additional changes,
service principals for the other host name, and the following modification:
sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&' <path to your dovecot auth config>

I got a little caught up when you referenced the /etc/krb5.keytab file
as possibly part of the problem so I thought this was more a kerb issue.

-Erinn
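The Dovecot side of the procedure Erinn sketches above, as an added example that is not code from the thread, from Dovecot or from FreeIPA. It applies the two edits (enable gssapi, allow every keytab host name on a multihomed box) to a constructed config sample and prints, rather than runs, the IPA commands for the imap/ and pop/ service principals, so it works offline. It goes a little beyond the post: the mechanisms regex matches both the Dovecot 1.x "  mechanisms =" layout the post's sed targets and the 2.x "auth_mechanisms =" layout, and $ALL is quoted as the stock 2.x 10-auth.conf comment asks. Assumed placeholders: GNU sed, realm EXAMPLE.COM, hosts mail.example.com and mail-alt.example.com, IPA server ipa.example.com, keytab /etc/dovecot/dovecot.keytab.

```shell
#!/bin/sh
# Added example, not code from the list thread or from Dovecot/FreeIPA.
# Applies the two Dovecot edits described in the post to a constructed
# config sample and prints (does not run) the IPA-side commands.
# Assumptions: GNU sed; realm, host names, IPA server and keytab path
# below are placeholders.
set -eu

# Constructed sample config. "v2" is the Dovecot 2.x 10-auth.conf layout,
# "v1" the 1.x "auth default { }" layout the post's own sed was written for.
write_sample_conf() {
  case "$2" in
    v2) printf '%s\n' 'auth_mechanisms = plain' '#auth_gssapi_hostname =' > "$1" ;;
    v1) printf '%s\n' '#auth_gssapi_hostname =' 'auth default {' \
                      '  mechanisms = plain' '}' > "$1" ;;
    *)  echo "unknown layout: $2" >&2; return 1 ;;
  esac
}

# Offer gssapi first and keep plain as the fallback for clients without a
# ticket (plain stays TLS-only under Dovecot's default disable_plaintext_auth).
# Matches both "auth_mechanisms =" and the indented 1.x "mechanisms =".
enable_gssapi() {
  sed -i -r 's|^([[:space:]]*(auth_)?mechanisms =).*|\1 gssapi plain|' "$1"
}

# Multihomed host: accept any imap/ or pop/ principal present in the keytab
# instead of only the one for gethostname(). Quotes around $ALL as the
# stock 2.x config comment asks; sed treats $ in the replacement literally.
allow_all_gssapi_hostnames() {
  sed -i -r 's|^#?auth_gssapi_hostname.*|auth_gssapi_hostname = "$ALL"|' "$1"
}

# What to grep for before restarting Dovecot: both edits landed.
check_conf() {
  grep -Eq '^[[:space:]]*(auth_)?mechanisms = gssapi plain$' "$1" &&
  grep -q '^auth_gssapi_hostname = "\$ALL"$' "$1"
}

# IPA side: one imap/ and one pop/ principal per name clients connect to,
# then the keys pulled into Dovecot's own keytab. Printed, not executed,
# so this script runs without an IPA server.
print_ipa_commands() {
  realm=$1; shift
  for host in "$@"; do
    for svc in imap pop; do
      echo "ipa service-add $svc/$host@$realm"
      echo "ipa-getkeytab -s ipa.example.com -p $svc/$host@$realm -k /etc/dovecot/dovecot.keytab"
    done
  done
}

main() {
  f=$(mktemp)
  for layout in v2 v1; do
    write_sample_conf "$f" "$layout"
    enable_gssapi "$f"
    allow_all_gssapi_hostnames "$f"
    echo "--- $layout ---"; cat "$f"
    check_conf "$f" && echo "ok: $layout"
  done
  rm -f "$f"
  print_ipa_commands EXAMPLE.COM mail.example.com mail-alt.example.com
}

if [ "${1:-}" = run ]; then
  main
fi
```

Run it with `sh script.sh run`. A separate keytab is used rather than /etc/krb5.keytab because the Dovecot auth process must be able to read the keys; in 2.x point `auth_krb5_keytab` at that file and keep it readable only by the Dovecot user, since anyone who can read it can impersonate the IMAP service.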



