[imp] custom_login.php / auto-login to imp w/ Horde 3.0 / IMP 4.0 beta

Liam Hoekenga liamr at umich.edu
Thu Nov 4 12:19:10 PST 2004


Our Horde / IMP install is behind our web SSO, CoSign (www.weblogin.org). 
With Horde 2.x / IMP 3.x, once users have logged into the SSO, our webmail 
servers are able to obtain Kerberos credentials for the users, and using a 
hacked version of imp/redirect.php, they're able to get into IMP w/o 
having to sign in a second time.

We'd like to replicate this behavior w/ Horde 3.0 / IMP 4.0.  I've tried 
altering a copy of redirect.php, and it works for Apple's Safari browser, 
but all other browsers get caught in a "you have exceeded the number of 
redirects..." error message.  (The entries in the Apache weblog seem to 
show one request w/ a bunch of unique Horde session identifiers).

I've thought about using imp/scripts/custom_login.php.  I'm just starting 
by trying to get it to work at all (I've edited the HORDE_BASE, and put it 
a level up w/ a new name), but I'm having some problems.  I'd expect that 
were I to go to /horde/imp/custom_login.php that I'd get presented that 
form, but that's not the case.
- with Safari, I get the IMP login screen, and after I log in, I get
   presented the custom login form described in custom_login.php
- with all other browsers, I get the IMP login screen, and after login I
   get put into IMP

I've also thought about using the hordeauth setting in IMP's 
config/servers.php, but I've not gotten that working either.  CoSign sets 
$_SERVER[ 'REMOTE_USER' ].  So, I've tried using the Horde "auto" 
mechanism, with an entry like this in conf.php.

     $conf['auth']['params']['username'] = $_SERVER[ 'REMOTE_USER' ];

This lets me into Horde as the right person, but IMP gets stuck in an 
endless login loop.

I've modified a copy of the Horde "http" auth mechanism, replacing 
PHP_AUTH_USER and PHP_AUTH_PASS w/ REMOTE_USER (since we don't need a 
real password).  None of the tactics have worked.

Anyone have suggestions?  Basically, I just want to trust the user has 
already authenticated, and let them into IMP w/o presenting a second login 
screen, providing the real username and some bogus password if either / 
both are needed.

Liam
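
Added example, not part of the original post: a small log check for the symptom described above, where a redirect loop shows up in the web log as a run of redirects that each carry a different session identifier. It assumes Apache common log format and that the session id appears as a `Horde` query parameter in the request line; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the session id is visible as a "Horde" query parameter.
SESSION_PARAM = "Horde"
# client, request target and status code from a common-log-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Nov/2004:12:01:00 -0800] "GET /horde/imp/redirect.php?Horde=a1 HTTP/1.1" 302 -
10.0.0.5 - - [04/Nov/2004:12:01:00 -0800] "GET /horde/imp/redirect.php?Horde=a2 HTTP/1.1" 302 -
10.0.0.9 - - [04/Nov/2004:12:01:01 -0800] "GET /horde/imp/redirect.php?Horde=b1 HTTP/1.1" 302 -
10.0.0.5 - - [04/Nov/2004:12:01:01 -0800] "GET /horde/imp/redirect.php?Horde=a3 HTTP/1.1" 302 -
10.0.0.9 - - [04/Nov/2004:12:01:02 -0800] "GET /horde/imp/mailbox.php?Horde=b1 HTTP/1.1" 200 5120
10.0.0.5 - - [04/Nov/2004:12:01:02 -0800] "GET /horde/imp/redirect.php?Horde=a4 HTTP/1.1" 302 -
"""


def find_redirect_loops(log_text, threshold=3):
    """Return {client: [session ids]} for clients whose unbroken run of
    3xx responses used at least `threshold` different session ids."""
    runs = defaultdict(list)   # client -> distinct ids seen in the current run
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that are not in the expected format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        if not 300 <= status < 400:
            runs[client].clear()  # a non-redirect response ends the run
            continue
        sid = parse_qs(urlsplit(target).query).get(SESSION_PARAM, [None])[0]
        if sid and sid not in runs[client]:
            runs[client].append(sid)
        if len(runs[client]) >= threshold:
            flagged[client] = list(runs[client])
    return flagged


if __name__ == "__main__":
    for client, sids in find_redirect_loops(SAMPLE_LOG).items():
        print(f"{client}: {len(sids)} session ids in one redirect run: {sids}")
```

A client that is flagged here is starting a new session on every redirect, which points at the session cookie or id not being carried from one request to the next.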

