[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Ondrej Valousek ondrejv at s3group.cz
Tue Jan 31 09:22:50 UTC 2012


>> Hey sounds good to me, just glad it is working for you :). The only
>> other question/suggestion I have is that it looks like you aren't
>> leveraging kerberos in your configuration for SSO, You might want to
>> think about doing this as it can be a pretty nice configuration.
>>
>> Essentially you would just need to add service principals for the host
>> in the form of imap and or pop, and change the auth line in your dovecot
>> config to allow for gssapi auth, like so:
>>
>> sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>>
>> Then assuming your user has a ticket, and their client is properly
>> configured, they no longer need to do anything upon logging into their
>> system, kerb will auth the rest.
>>
>> If you are on a multihomed system, you will need two additional changes,
>> service principals for the other host name, and the following modification:
>> sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>>
>> I got a little caught up when you referenced the /etc/krb5.keytab file
>> as possibly part of the problem so I thought this was more a kerb issue.
>>
Exactly, I was confused by this as well - I would like to see this working, too. But I would say we would need to do something with the
permissions on /etc/krb5.keytab, which is now (by default) only readable by root. We need to address this problem more generally, as when
integrating the Bind DNS server you hit the same thing.
I would say something like an ACL entry would help.

Ondrej
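The two config changes from the quoted mail and the keytab permission question from the reply, put into a small script as an added example (not code from the thread, nor from the Dovecot or FreeIPA projects). The 10-auth.conf path, the `dovecot` user name and the sample config are assumptions; the mechanisms substitution is generalised to match both the indented Dovecot 1.x form and the 2.x `auth_mechanisms` form.

```shell
#!/bin/sh
# Added example (not from the mail): apply the two Dovecot changes described above to
# a config file and check the keytab permission problem raised in the reply.
# All paths and the "dovecot" user name are assumptions.

# Enable GSSAPI while keeping plain for clients that cannot do Kerberos. Matches both
# the indented Dovecot 1.x form "  mechanisms = plain" and the 2.x "auth_mechanisms = plain".
enable_gssapi() {
  sed -E -i 's&^([[:space:]]*(auth_)?mechanisms[[:space:]]*=).*&\1 gssapi plain&' "$1"
}

# Multihomed host: let Dovecot accept any imap/... principal present in the keytab.
# Handles the directive whether it is still commented out or already set.
set_gssapi_hostname_all() {
  sed -E -i 's&^#?[[:space:]]*auth_gssapi_hostname[[:space:]]*=.*&auth_gssapi_hostname = $ALL&' "$1"
}

# Effective value of a directive: last uncommented occurrence wins, as Dovecot parses it.
get_directive() {
  sed -nE "s&^[[:space:]]*$2[[:space:]]*=[[:space:]]*&&p" "$1" | tail -n 1
}

# Is the keytab readable only by its owner (the default 0600 root:root /etc/krb5.keytab)?
# Returns 0 if so, 1 if the group/other read bits or a named ACL entry grant access.
keytab_owner_only() {
  case "$(stat -c '%A' "$1")" in
    ????r*|???????r*) return 1 ;;
  esac
  if command -v getfacl >/dev/null 2>&1 &&
     getfacl "$1" 2>/dev/null | grep -qE '^(user|group):[^:]+:'; then
    return 1
  fi
  return 0
}

# The ACL route from the reply: give only the service user read access instead of
# loosening the mode for everyone. A dedicated keytab holding just the imap/ principals
# (pointed to by Dovecot's auth_krb5_keytab setting) keeps the host key out of reach.
grant_keytab_read() {
  setfacl -m "u:$2:r" "$1"
}
```

Run `enable_gssapi /etc/dovecot/conf.d/10-auth.conf` as root and restart Dovecot; `keytab_owner_only /etc/krb5.keytab` tells you whether the service account will be able to read the keytab at all.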

