[imp] IMP and External Single Sign On systems

[Eric Rostetter]

Quoting Duane Currie <Duane.Currie@acadiau.ca>:

> Does anyone have any experience with integrating IMP with any external
> authentication systems?

The University of Texas at Austin does that.  From what I hear, it is
a major code change in Horde/IMP, and a real mess.  So I can try to
get you in contact with the folks doing it if you want, but I don't
recommend it.  Instead, see below.

> Since we upgrade IMP fairly often, I'd also prefer to avoid much in the way
> of changes to the IMP
> software in order to make this function.

This is, as I understand it, the problem UT/A has with their implementation.
Changes are slow, because code changes are so significant.
  
>     2.  Create a PAM module for the IMAP server to use which accepts and
> validates a forwarded
>          authentication ticket from the SSO service.  So, the trick would be

This is how I would do it. I would leave the Horde/IMP code alone.  There are
probably sufficient hocks already in IMP to play with the username/password
without code changes.  Then the pam module on the IMAP server will take care
of the rest.

You might have to change the login page to redirect to your single signin
page or something, but that kind of change should be minor.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.