<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
;-) will do mate. I'm writing a list of items to cover at the moment
actually.<br>
<br>
<br>
On 01/30/2012 08:02 PM, Dmitri Pal wrote:<br>
<span style="white-space: pre;">> On 01/30/2012 02:50 PM, Dale
Macartney wrote:<br>
> ><br>
>> Hey Erinn, funny you mention that actually, I was adding
service<br>
>> principals when I was first troubleshooting that.<br>
>><br>
>> SSO is definitely on the planned cards for me to be
honest. I'll send<br>
>> through the details to the list once I have a reproducible
configuration :-)<br>
> And to the page, please<br>
><br>
>><br>
>> thanks for the positive feedback.<br>
>><br>
>> Dale<br>
>><br>
>><br>
>><br>
>> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:<br>
>> > On 01/30/2012 10:20 AM, Dale Macartney wrote:<br>
>> >><br>
>> >> Hi Erinn<br>
>> >><br>
>> >> I originally asked the question as I was
thinking my auth attempts were<br>
>> >> failing when using ipa, however this was not the
case.<br>
>> >><br>
>> >> On closer inspection, I found that the
authentication was successful yet<br>
>> >> dovecot was failing to read a "missing" mailbox.<br>
>> >><br>
>> >> I found that dovecot was simply missing the
mailbox_location directive,<br>
>> >> detailed below.<br>
>> >><br>
>> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u<br>
>> >><br>
>> >> Once I restarted dovecot with this extra line,
the authentication was<br>
>> >> again validated. I was then prompted to accept
the self-signed<br>
>> >> certificate from dovecot and I was able to
retrieve the mail as intended.<br>
>> >><br>
>> >> Does this help clear things up?<br>
>> >><br>
>> >><br>
>> >> Dale<br>
>><br>
>> >>> So I am a bit confused here, is this working
for you or not? It looked<br>
>> >>> like you were asking a question to begin
with, but then at the end you<br>
>> >>> are saying it is 100% working?<br>
>> >><br>
>> >>> Just trying to figure out whether you need
help,<br>
>> >>> -Erinn<br>
>> >><br>
>><br>
>> > Hey sounds good to me, just glad it is working for
you :). The only<br>
>> > other question/suggestion I have is that it looks
like you aren't<br>
>> > leveraging Kerberos in your configuration for SSO.
You might want to<br>
>> > think about doing this as it can be a pretty nice
configuration.<br>
>><br>
>> > Essentially you would just need to add service
principals for the host<br>
>> > in the form of imap and/or pop, and change the auth
line in your dovecot<br>
>> > config to allow for gssapi auth, like so:<br>
>><br>
>> > sed -i -r "s&(\smechanisms =).*&\1 gssapi
plain&"<br>
>><br>
>> > Then assuming your user has a ticket, and their
client is properly<br>
>> > configured, they no longer need to do anything upon
logging into their<br>
>> > system, kerb will auth the rest.<br>
>><br>
>> > If you are on a multihomed system, you will need two
additional changes,<br>
>> > service principals for the other host name, and the
following modification:<br>
>> > sed -i -r
's&#auth_gssapi_hostname.*&auth_gssapi_hostname =
$ALL&'<br>
>><br>
>> > I got a little caught up when you referenced the
/etc/krb5.keytab file<br>
>> > as possibly part of the problem so I thought this
was more a kerb issue.<br>
>><br>
>> > -Erinn<br>
>><br>
>><br>
>><br>
>><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
><br>
> -- <br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager IPA project,<br>
> Red Hat Inc.<br>
</span><br>
<br>
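The two substitutions suggested in the quoted message, as an added example that is not part of the original thread: sed exits successfully even when its pattern matches nothing, so this applies each edit and then verifies the resulting file. The function names and both sample configurations are constructed for illustration, and `[[:space:]]` with `-E` stands in for `\s` with `-r`.

```shell
#!/bin/sh
# Added example, not from the thread. sed exits 0 even when its pattern matched
# nothing, so each edit is verified afterwards.

# gssapi_enabled FILE: true if an uncommented mechanisms line lists gssapi.
gssapi_enabled() {
    grep -E '^[[:space:]]*(auth_)?mechanisms[[:space:]]*=' "$1" | grep -qw gssapi
}

# hostname_all FILE: true if auth_gssapi_hostname is uncommented and set to $ALL.
hostname_all() {
    grep -Eq '^[[:space:]]*auth_gssapi_hostname[[:space:]]*=[[:space:]]*\$ALL[[:space:]]*$' "$1"
}

# enable_gssapi FILE [yes]: edit FILE, keeping a copy in FILE.bak; "yes" adds the
# multihomed change. Returns 0 if verified, 1 if an edit had no effect, 2 on I/O error.
enable_gssapi() {
    conf=$1; multihomed=${2:-no}
    cp -p "$conf" "$conf.bak" || return 2
    # The thread's expressions, with [[:space:]] and -E in place of \s and -r.
    sed -E 's&([[:space:]]mechanisms =).*&\1 gssapi plain&' "$conf.bak" > "$conf" || return 2
    if [ "$multihomed" = yes ]; then
        sed -E 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&' "$conf" > "$conf.tmp" &&
            cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 2
        hostname_all "$conf" || { echo "auth_gssapi_hostname not set: $conf" >&2; return 1; }
    fi
    gssapi_enabled "$conf" || { echo "gssapi not enabled: $conf" >&2; return 1; }
}

# Constructed sample configs: "block" indents the mechanisms line, "flat" spells
# it auth_mechanisms, which the thread's pattern does not match.
write_sample() {
    case $2 in
        block) printf '%s\n' '#auth_gssapi_hostname =' 'auth default {' '  mechanisms = plain' '}' ;;
        flat)  printf '%s\n' '#auth_gssapi_hostname =' 'auth_mechanisms = plain' ;;
    esac > "$1"
}

d=$(mktemp -d) || exit 1
write_sample "$d/block.conf" block
write_sample "$d/flat.conf" flat
enable_gssapi "$d/block.conf" yes && echo "block.conf: edits verified"
enable_gssapi "$d/flat.conf" || echo "flat.conf: mechanisms edit did not take effect"
rm -rf "$d"
```

This checks the configuration file only; the imap and/or pop service principals mentioned in the message still have to exist for the host.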
</body>
</html>