webmail and GSSAPI authentication to imapd - Kerberos



Thread: webmail and GSSAPI authentication to imapd

  1. webmail and GSSAPI authentication to imapd

    Basically, let me restate the question about
    webmail+cyrus-imapd+kerberos:

    My cyrus-imapd only accepts GSSAPI-authenticated connections. This does
    work for IMAP clients supporting SASL GSSAPI, like pine or thunderbird.
    I want this GSSAPI IMAP client functionality from a webmail interface,
    maybe through the use of a web SSO like pubcookie or cosign, but no
    open-source webmail system seems to support this. I'm wondering how
    people set up their webmail system in a kerberized environment! That's
    why I'm posting this question to this list.


  2. Re: webmail and GSSAPI authentication to imapd

    ph.softnet@gmail.com wrote:
    > Basically, let me restate the question about
    > webmail+cyrus-imapd+kerberos:
    >
    > My cyrus-imapd only accepts GSSAPI-authenticated connections. This does
    > work for IMAP clients supporting SASL GSSAPI, like pine or thunderbird.
    > I want this GSSAPI IMAP client functionality from a webmail interface,
    > maybe through the use of a web SSO like pubcookie or cosign, but no
    > open-source webmail system seems to support this. I'm wondering how
    > people set up their webmail system in a kerberized environment! That's
    > why I'm posting this question to this list.
    >


    Essentially you install a system such as Pubcookie or Cosign and then
    modify your webmail system of choice to perform SASL-GSS-KRB5
    authentication to the IMAP server. You might want to ask on the
    Pubcookie and Cosign lists which webmail interfaces the deployers of
    those systems utilize and whether or not they would be willing to share
    their customizations.


  3. Re: webmail and GSSAPI authentication to imapd

    So I suppose there is not any well-known way to do this. I am willing to
    set up pubcookie or cosign, but I first want to make sure there is a way
    to modify a webmail system to use the web SSO. This seems to me to be
    the difficult part after all.
    I am feeling a little surprised, though, that there isn't standard
    support, since a lot of people seem to be working inside kerberized
    environments..


  4. Re: webmail and GSSAPI authentication to imapd

    ph.softnet@gmail.com wrote:
    > So I suppose there is not any well-known way to do this. I am willing to
    > set up pubcookie or cosign, but I first want to make sure there is a way
    > to modify a webmail system to use the web SSO. This seems to me to be
    > the difficult part after all.


    You can certainly set up IMP (part of Horde) to use Cosign and/or KX509
    for authentication. You need to do a few code patches in order to do so,
    however. From memory, you need to:
    * Patch your PHP IMAP plugin so that it will use the GSSAPI mechanism
    * Patch IMP so that it will respect the contents of the REMOTE_USER
    variable, and pass these on to the server

    Together with either the cosign or kct Apache modules you should then be
    able to seamlessly authenticate to the server.

    We've also got patches to integrate kx509 and Mailman, so that local
    users can use web SSO to check and administer mailing lists.

    Let me know (off list) if you're interested in any of this code.

    Cheers,

    Simon
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: webmail and GSSAPI authentication to imapd


    Simon Wilkinson wrote:
    > ph.softnet@gmail.com wrote:
    > > So I suppose there is not any well-known way to do this. I am willing to
    > > set up pubcookie or cosign, but I first want to make sure there is a way
    > > to modify a webmail system to use the web SSO. This seems to me to be
    > > the difficult part after all.

    >
    > You can certainly set up IMP (part of Horde) to use Cosign and/or KX509
    > for authentication. You need to do a few code patches in order to do so,
    > however. From memory, you need to:
    > * Patch your PHP IMAP plugin so that it will use the GSSAPI mechanism

    That's exactly what I want to do, but have no clue how to do it.
    Specifically, I need to patch PEAR::Auth_SASL, which already supports
    CRAM-MD5, LOGIN, etc.. but not GSSAPI (duh!). Are there any patches
    already available?
    > * Patch IMP so that it will respect the contents of the REMOTE_USER
    > variable, and pass these on to the server
    >
    > Together with either the cosign or kct Apache modules you should then be
    > able to seamlessly authenticate to the server.
    >
    > We've also got patches to integrate kx509 and Mailman, so that local
    > users can use web SSO to check and administer mailing lists.
    >

    Yes, of course I am interested!
    > Let me know (off list) if you're interested in any of this code.
    >
    > Cheers,
    >
    > Simon
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
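The piece the PHP side is missing, per the two posts above, is the client half of the SASL GSSAPI mechanism (RFC 4752) that PEAR::Auth_SASL does not implement. The following is an added example, not code from this thread, from Horde or from PEAR, and it is in Python rather than PHP so that the exchange can be exercised without a KDC: it shows the three client responses an IMAP AUTHENTICATE GSSAPI client must produce (initial GSS token, the empty reply after the server's final token, and the integrity-wrapped security-layer selection), packaged as an authobject for imaplib. The `_DemoContext` stand-in and its placeholder tokens are constructed for the offline run; `authenticate_to_imapd` assumes the third-party python-gssapi package and a Kerberos ticket in the credential cache and is not run here.

```python
"""SASL GSSAPI (RFC 4752) client side for IMAP AUTHENTICATE, as an imaplib authobject."""
import imaplib

# Security-layer bits the server offers and the client selects (RFC 4752, section 3.1).
SEC_LAYER_NONE = 0x01
SEC_LAYER_INTEGRITY = 0x02
SEC_LAYER_CONFIDENTIALITY = 0x04


class GssapiImapAuth:
    """Callable for imaplib.IMAP4.authenticate("GSSAPI", ...).

    ctx is any object with the subset of the python-gssapi SecurityContext
    interface used here: step(token) -> token-or-None, .complete, and
    unwrap(data) / wrap(data, encrypt) returning objects with a .message attribute.
    """

    def __init__(self, ctx, authzid=""):
        self.ctx = ctx
        self.authzid = authzid.encode("utf-8")  # empty: act as the authenticated principal
        self.phase = "context"
        self.server_layers = None
        self.server_max_buffer = None

    def __call__(self, challenge):
        # imaplib hands us the base64-decoded server challenge (b'' on the first call).
        if self.phase == "context":
            token = self.ctx.step(challenge or None)
            if self.ctx.complete:
                self.phase = "layer"
            # An empty response is legal: after the final (mutual-auth) token the
            # client has nothing to send and waits for the wrapped layer offer.
            return token or b""
        if self.phase == "layer":
            plain = self.ctx.unwrap(challenge).message
            if len(plain) != 4:
                raise ValueError("security-layer message must be exactly 4 octets")
            self.server_layers = plain[0]
            self.server_max_buffer = int.from_bytes(plain[1:4], "big")
            if not self.server_layers & SEC_LAYER_NONE:
                # imaplib cannot apply a SASL security layer to the socket afterwards,
                # so refuse rather than claim a layer we would not honour.
                raise ValueError("server insists on a SASL security layer")
            reply = bytes([SEC_LAYER_NONE]) + (0).to_bytes(3, "big") + self.authzid
            self.phase = "done"
            # wrap(..., encrypt=False): integrity-protected only, as RFC 4752 requires.
            return self.ctx.wrap(reply, False).message
        raise ValueError("unexpected extra challenge after layer negotiation")


def authenticate_to_imapd(host, authzid=""):
    """Real use (assumption: python-gssapi installed, TGT in the cache, KDC reachable)."""
    import gssapi  # third-party package, not part of the standard library
    target = gssapi.Name("imap@" + host, gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=target, usage="initiate",
                                 flags=[gssapi.RequirementFlag.mutual_authentication])
    conn = imaplib.IMAP4(host)
    conn.authenticate("GSSAPI", GssapiImapAuth(ctx, authzid))
    return conn


class _DemoContext:
    """Constructed stand-in for a GSS context so the framing runs offline.

    Tokens are placeholder byte strings, not real Kerberos AP-REQ/AP-REP messages,
    and "wrapping" is a visible prefix rather than a GSS MIC.
    """

    def __init__(self):
        self.complete = False
        self.steps = 0

    def step(self, token):
        self.steps += 1
        if self.steps == 1:
            return b"AP-REQ"      # client's initial token
        self.complete = True      # server's AP-REP accepted: context established
        return None

    def unwrap(self, data):
        return type("Result", (), {"message": data[len(b"WRAP:"):]})()

    def wrap(self, data, encrypt):
        return type("Result", (), {"message": b"WRAP:" + data})()


def demo_exchange(authzid="alice", offered=SEC_LAYER_NONE | SEC_LAYER_INTEGRITY | SEC_LAYER_CONFIDENTIALITY):
    """Drive the authobject through the three server challenges; return the client responses."""
    ctx = _DemoContext()
    auth = GssapiImapAuth(ctx, authzid)
    offer = bytes([offered]) + (65536).to_bytes(3, "big")   # server: layers + max buffer 64 KiB
    challenges = [b"", b"AP-REP", b"WRAP:" + offer]
    responses = [auth(c) for c in challenges]
    return responses, auth.server_layers, auth.server_max_buffer
```

The authzid (the third response's trailing bytes) is where a webmail front end would pass the REMOTE_USER it is acting for when it authenticates with a service credential of its own; the IMAP server still decides, via its SASL proxy-authorization policy, whether that principal may act for that user.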



  6. Re: webmail and GSSAPI authentication to imapd

    PS: The other way around this (for everybody who's interested) is to
    set up Cosign, which makes Apache set the _SERVER['REMOTE_USER']
    variable to the right username (after successful authentication).
    Then modify Auto.php, the authentication driver of Horde, to set
    $username and $password to $_SERVER['REMOTE_USER']. Then make IMP
    perform transparent authentication (using Horde's authentication
    credentials) and contact a local cyrus proxyd (from MURDER) which is
    run with proxyd -N, so it allows plain logins and ignores
    passwords. Of course you should only run this locally! This proxyd in
    turn takes care of the following procedure, which is essentially to
    authenticate to a cyrus-imapd backend using GSSAPI and a special
    account.

    simon.
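In the proxyd -N arrangement described in the post above, the password is discarded, so the only credential left on the webmail-to-proxy hop is the username taken from REMOTE_USER. The following is an added example, not code from this thread or from Horde, written in Python rather than the PHP of the Horde driver: it shows the checks that hop needs before a REMOTE_USER value is turned into an IMAP LOGIN (the SSO actually set it, the Kerberos realm is the one you trust, the name cannot carry IMAP syntax, and the password-less proxy is only ever reached over loopback). The realm `EXAMPLE.ORG`, the mailbox-name policy and the `_RecordingIMAP` stand-in are assumptions made for this example.

```python
"""Map Cosign's REMOTE_USER onto an IMAP LOGIN against a loopback-only proxyd -N."""
import imaplib
import ipaddress
import re

# Assumed site policy: the SSO delivers the Kerberos principal of the browsing
# user, and the IMAP mailbox name is that principal with the site realm removed.
SITE_REALM = "EXAMPLE.ORG"      # assumption for this example
PROXY_HOST = "127.0.0.1"        # proxyd -N ignores passwords: never reachable remotely
_MAILBOX_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")


def mailbox_from_remote_user(remote_user, realm=SITE_REALM):
    """Return the IMAP user for a REMOTE_USER value, or raise PermissionError.

    Because the local proxy trusts any password, the username is the whole
    credential: it must come from the web server's SSO module and must not
    contain quotes, CR/LF or a realm from another trust domain.
    """
    if not remote_user:
        raise PermissionError("no REMOTE_USER: the SSO did not authenticate this request")
    user, sep, user_realm = remote_user.partition("@")
    if sep and user_realm != realm:
        raise PermissionError("principal from untrusted realm %r" % user_realm)
    if "/" in user:
        raise PermissionError("instance principals (host/, admin/) get no mailbox")
    if not _MAILBOX_RE.fullmatch(user):
        raise PermissionError("REMOTE_USER %r is not a valid mailbox name" % remote_user)
    return user


def is_acceptable(remote_user, realm=SITE_REALM):
    """True if mailbox_from_remote_user() would accept the value."""
    try:
        mailbox_from_remote_user(remote_user, realm)
        return True
    except PermissionError:
        return False


def open_mailbox(environ, proxy_host=PROXY_HOST, proxy_port=143, connect=imaplib.IMAP4):
    """Log the SSO-authenticated user in through proxyd -N.

    connect is injectable so the control flow can be exercised without a server.
    """
    if not ipaddress.ip_address(proxy_host).is_loopback:
        raise RuntimeError("the password-less proxyd must only be reached over loopback")
    user = mailbox_from_remote_user(environ.get("REMOTE_USER", ""))
    conn = connect(proxy_host, proxy_port)
    # proxyd -N discards the password; a fixed dummy keeps LOGIN syntactically valid.
    conn.login(user, "ignored-by-proxyd")
    return conn


class _RecordingIMAP:
    """Constructed stand-in for imaplib.IMAP4 that records the LOGIN it was given."""

    def __init__(self, host, port):
        self.host, self.port, self.credentials = host, port, None

    def login(self, user, password):
        self.credentials = (user, password)
        return ("OK", [b"LOGIN completed"])
```

The Apache side that feeds this is outside the example: whatever module sets REMOTE_USER must be the only thing that can, so the header or variable is never taken from the client request, and the proxyd listener should be bound to 127.0.0.1 (and firewalled) independently of the check in `open_mailbox`.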

