[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Dale Macartney dale at themacartneyclan.com
Mon Jan 30 20:16:52 UTC 2012



;-) will do mate. I'm writing a list of items to cover at the moment
actually.


On 01/30/2012 08:02 PM, Dmitri Pal wrote:
> On 01/30/2012 02:50 PM, Dale Macartney wrote:
> >
>> Hey Erinn, funny you mention that actually, I was adding service
>> principals when I was first troubleshooting that.
>>
>> SSO is definitely on the planned cards for me to be honest. I'll send
>> through the details to the list once I have a reproducible
>> configuration :-)
> And to the page, please
>
>>
>> thanks for the positive feedback.
>>
>> Dale
>>
>>
>>
>> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
>> > On 01/30/2012 10:20 AM, Dale Macartney wrote:
>> >>
>> >> Hi Erinn
>> >>
>> >> I originally asked the question as I was thinking my auth attempts were
>> >> failing when using ipa, however this was not the case.
>> >>
>> >> On closer inspection, I found that the authentication was successful yet
>> >> dovecot was failing to read a "missing" mailbox.
>> >>
>> >> I found that dovecot was simply missing the mail_location directive,
>> >> detailed below.
>> >>
>> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u
>> >>
>> >> Once I restarted dovecot with this extra line, the authentication was
>> >> again validated. I was then prompted to accept the self-signed
>> >> certificate from dovecot and I was able to retrieve the mail as intended.
>> >>
>> >> Does this help clear things up?
>> >>
>> >>
>> >> Dale
>>
>> >>> So I am a bit confused here, is this working for you or not? It looked
>> >>> like you were asking a question to begin with, but then at the end you
>> >>> are saying it is 100% working?
>> >>
>> >>> Just trying to figure out whether you need help,
>> >>> -Erinn
>> >>
>>
>> > Hey sounds good to me, just glad it is working for you :). The only
>> > other question/suggestion I have is that it looks like you aren't
>> > leveraging kerberos in your configuration for SSO, You might want to
>> > think about doing this as it can be a pretty nice configuration.
>>
>> > Essentially you would just need to add service principals for the host
>> > in the form of imap and/or pop, and change the auth line in your dovecot
>> > config to allow for gssapi auth, like so:
>>
>> > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>>
>> > Then assuming your user has a ticket, and their client is properly
>> > configured, they no longer need to do anything upon logging into their
>> > system, kerb will auth the rest.
>>
>> > If you are on a multihomed system, you will need two additional changes:
>> > service principals for the other host name, and the following
>> > modification:
>> > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>>
>> > I got a little caught up when you referenced the /etc/krb5.keytab file
>> > as possibly part of the problem so I thought this was more a kerb issue.
>>
>> > -Erinn
>>
>>
>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
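An added check, not part of this thread, that a defender can run against Erinn's two settings and the keytab: it takes a dovecot auth config, the output of `klist -k`, and the hostnames clients connect to; the file names, hostnames and realm below are constructed.

```shell
# Added example, not from the thread: check a Dovecot GSSAPI setup the way
# Erinn describes it (gssapi in auth_mechanisms, auth_gssapi_hostname = $ALL
# on multihomed hosts) against the imap/<host> principals a keytab lists.
# Usage: check_dovecot_gssapi <auth.conf> <klist -k output> host [host...]
check_dovecot_gssapi() {
    conf=$1; keytab_list=$2; shift 2
    status=0
    # Take the last uncommented auth_mechanisms line (a '#' prefix is ignored).
    mechs=$(sed -n -E 's/^[[:space:]]*auth_mechanisms[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case " $mechs " in
        *" gssapi "*) echo "ok: auth_mechanisms includes gssapi ($mechs)" ;;
        *) echo "FAIL: gssapi missing from auth_mechanisms ('$mechs')"; status=1 ;;
    esac
    # More than one hostname means the service ticket may name any of them.
    hn=$(sed -n -E 's/^[[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    if [ $# -gt 1 ] && [ "$hn" != '$ALL' ]; then
        echo "FAIL: $# hostnames but auth_gssapi_hostname is '${hn:-unset}', expected \$ALL"; status=1
    fi
    # Every hostname a client may connect to needs imap/<host>@REALM in the keytab.
    for h in "$@"; do
        if grep -q "imap/$h@" "$keytab_list"; then
            echo "ok: keytab has imap/$h"
        else
            echo "FAIL: keytab lacks imap/$h"; status=1
        fi
    done
    return $status
}

# Constructed inputs (hypothetical hostnames and realm): "before" is a plain-only
# config with no imap principal in the keytab, "after" is the fixed setup.
demo() {
    dir=$(mktemp -d)
    if [ "$1" = before ]; then
        printf '%s\n' '#auth_mechanisms = plain' 'auth_mechanisms = plain' \
            '#auth_gssapi_hostname = example.test' >"$dir/10-auth.conf"
        printf '%s\n' 'KVNO Principal' '   2 host/mail.example.test@EXAMPLE.TEST' >"$dir/klist.txt"
    else
        printf '%s\n' 'auth_mechanisms = gssapi plain' 'auth_gssapi_hostname = $ALL' >"$dir/10-auth.conf"
        printf '%s\n' 'KVNO Principal' '   2 imap/mail.example.test@EXAMPLE.TEST' \
            '   2 imap/mail2.example.test@EXAMPLE.TEST' >"$dir/klist.txt"
    fi
    check_dovecot_gssapi "$dir/10-auth.conf" "$dir/klist.txt" mail.example.test mail2.example.test
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo before || echo "before: configuration needs the changes above"
demo after && echo "after: configuration is consistent"
```

On a real host, replace the constructed files with the actual dovecot auth config and the output of `klist -k` for the keytab dovecot reads.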
