[Freeipa-users] Dovecot imap authentication with IPA/Kerberos

Dmitri Pal dpal at redhat.com
Mon Jan 30 20:02:53 UTC 2012


On 01/30/2012 02:50 PM, Dale Macartney wrote:
>
> Hey Erinn, funny you mention that actually, I was adding service
> principals when I was first troubleshooting that.
>
> SSO is definitely on the planned cards for me to be honest. I'll send
> through the details to the list once I have a reproducible
> configuration :-)
And to the page, please

>
> thanks for the positive feedback.
>
> Dale
>
>
>
> On 01/30/2012 07:41 PM, Erinn Looney-Triggs wrote:
> > On 01/30/2012 10:20 AM, Dale Macartney wrote:
> >>
> >> Hi Erinn
> >>
> >> I originally asked the question as I was thinking my auth attempts were
> >> failing when using ipa, however this was not the case.
> >>
> >> On closer inspection, I found that the authentication was successful yet
> >> dovecot was failing to read a "missing" mailbox.
> >>
> >> I found that dovecot was simply missing the mailbox_location directive,
> >> detailed below.
> >>
> >> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> >>
> >> Once I restarted dovecot with this extra line, the authentication was
> >> again validated. I was then prompted to accept the self-signed
> >> certificate from dovecot and I was able to retrieve the mail as intended.
> >>
> >> Does this help clear things up?
> >>
> >>
> >> Dale
>
> >>> So I am a bit confused here, is this working for you or not? It looked
> >>> like you were asking a question to begin with, but then at the end you
> >>> are saying it is 100% working?
> >>
> >>> Just trying to figure out whether you need help,
> >>> -Erinn
> >>
>
> > Hey sounds good to me, just glad it is working for you :). The only
> > other question/suggestion I have is that it looks like you aren't
> > leveraging kerberos in your configuration for SSO. You might want to
> > think about doing this as it can be a pretty nice configuration.
>
> > Essentially you would just need to add service principals for the host
> > in the form of imap and or pop, and change the auth line in your dovecot
> > config to allow for gssapi auth, like so:
>
> > sed -i -r "s&(\smechanisms =).*&\1 gssapi plain&"
>
> > Then assuming your user has a ticket, and their client is properly
> > configured, they no longer need to do anything upon logging into their
> > system, kerb will auth the rest.
>
> > If you are on a multihomed system, you will need two additional changes,
> > service principals for the other host name, and the following modification:
> > sed -i -r 's&#auth_gssapi_hostname.*&auth_gssapi_hostname = $ALL&'
>
> > I got a little caught up when you referenced the /etc/krb5.keytab file
> > as possibly part of the problem so I thought this was more a kerb issue.
>
> > -Erinn
>
>
>
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
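As an added example (not code from the thread or from the Dovecot or FreeIPA projects), the Dovecot-side changes Erinn and Dale describe, consolidated into a small POSIX shell script that edits a config file and then verifies the result; it assumes Dovecot 2.x directive names (auth_mechanisms, auth_gssapi_hostname, mail_location), constructs its own sample config, and the realm and hostnames it prints principals for are placeholders.

```shell
#!/bin/sh
# Added example: apply the Dovecot changes from the thread and check them.
# Assumes Dovecot 2.x key names; the sample config below is constructed.
set -eu

# Enable GSSAPI (keeping plain as fallback), set mail_location as in Dale's
# fix, and on a multihomed host accept any local hostname with $ALL.
configure_dovecot_gssapi() {
    conf="$1"; multihomed="${2:-no}"
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*(auth_)?mechanisms[[:space:]]*=.*/auth_mechanisms = gssapi plain/' "$conf"
    grep -q '^auth_mechanisms' "$conf" || echo 'auth_mechanisms = gssapi plain' >> "$conf"
    if grep -qE '^[[:space:]]*#?[[:space:]]*mail_location[[:space:]]*=' "$conf"; then
        sed -i -E 's|^[[:space:]]*#?[[:space:]]*mail_location[[:space:]]*=.*|mail_location = mbox:~/mail:INBOX=/var/mail/%u|' "$conf"
    else
        echo 'mail_location = mbox:~/mail:INBOX=/var/mail/%u' >> "$conf"
    fi
    if [ "$multihomed" = yes ]; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*auth_gssapi_hostname.*/auth_gssapi_hostname = $ALL/' "$conf"
        grep -q '^auth_gssapi_hostname' "$conf" || echo 'auth_gssapi_hostname = $ALL' >> "$conf"
    fi
}

# Return 0 when the config carries what the thread says SSO needs, else 1.
verify_dovecot_gssapi() {
    conf="$1"
    grep -E '^auth_mechanisms[[:space:]]*=' "$conf" | grep -qw gssapi || return 1
    grep -qE '^mail_location[[:space:]]*=' "$conf" || return 1
    return 0
}

# Print the imap/ and pop/ service principals the host keytab must hold for
# each hostname Dovecot answers on (one pair per name on a multihomed box).
required_principals() {
    realm="$1"; shift
    for h in "$@"; do
        printf 'imap/%s@%s\npop/%s@%s\n' "$h" "$realm" "$h" "$realm"
    done
}

# Dry run on a constructed Dovecot-2.x-style config in a temp directory.
demo() {
    tmp=$(mktemp -d); conf="$tmp/10-auth.conf"
    printf '%s\n' '#auth_gssapi_hostname =' 'auth_mechanisms = plain' '#mail_location =' > "$conf"
    configure_dovecot_gssapi "$conf" yes
    verify_dovecot_gssapi "$conf" && cat "$conf"
    required_principals EXAMPLE.COM mail.example.com mail-int.example.com
    rm -rf "$tmp"
}
demo
```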


