[imp] Horde/IMP with kerberos5

Liam Hoekenga liamr at umich.edu
Tue Jul 15 14:35:07 UTC 2008


The Kerberos 5 PHP extension doesn't actually do anything with
credentials.  It just knows how to check your Kerberos realm for a
valid account / password combination.

If you're trying to do what I think you're trying to do, you're going
to need a login mechanism that actually obtains credentials.  If UW
c-client is compiled with GSSAPI support, the PHP IMAP extension will
support GSSAPI.

You'll probably want to look at something like mod_auth_kerb, which
presents a basic-auth style login box, validates accounts against your
Kerberos realm, and can obtain credentials, which can then be used
with PHP IMAP / c-client.  You'd then need a Horde authenticator that
used $_SERVER['REMOTE_USER'] as the source of the user name.

mod_auth_kerb is probably the easiest thing to do, in that it's
standalone.  You need to get a keytab for your server, but otherwise,
there's no real infrastructure work that needs to be done.

It's also pretty easy to integrate your Horde installation with a
WebISO (Institutional Sign-on) / SSO (Single Sign-on).  We're using
CoSign (written here at UMich), and it can obtain Kerberos credentials
on behalf of the user.  I have not used competing WebISOs (PubCookie,
WebAuth, CAS) but believe that all of them should have the ability to
obtain Kerberos credentials and that Horde could be similarly
integrated with those technologies.

Liam
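
The glue described above between mod_auth_kerb and PHP, as an added example that is not part of the original post and not Horde or mod_auth_kerb code. The helper names, `TRUSTED_REALMS`, the `EXAMPLE.ORG` realm, the keytab path and the user-name character set are assumptions; it also assumes `REMOTE_USER` arrives as `user@REALM` and that `KrbSaveCredentials On` exports `KRB5CCNAME` to the request.

```php
<?php
// Added example, not Horde or mod_auth_kerb code. Assumed Apache side:
//   AuthType Kerberos
//   KrbAuthRealms EXAMPLE.ORG            (placeholder realm)
//   Krb5Keytab /path/to/http.keytab      (placeholder path)
//   KrbSaveCredentials On
//   Require valid-user

const TRUSTED_REALMS = ['EXAMPLE.ORG'];   // placeholder, use your own realm

// Hypothetical helper: turn the principal in REMOTE_USER into a mailbox name.
// Returns null when the value is missing, malformed or from another realm.
function principal_to_user(array $server): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    // Assumed form is user@REALM; require exactly one '@'.
    $parts = explode('@', $principal);
    if (count($parts) !== 2) {
        return null;
    }
    [$user, $realm] = $parts;
    if (!in_array($realm, TRUSTED_REALMS, true)) {
        return null;                      // principal from a realm we do not serve
    }
    // Keep the name to a conservative character set before using it anywhere.
    return preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/', $user) ? $user : null;
}

// Hypothetical helper: export the ticket cache that KrbSaveCredentials wrote,
// so GSSAPI code in this process (c-client behind PHP IMAP) can find it.
function export_ticket_cache(array $server): bool
{
    $cc = $server['KRB5CCNAME'] ?? '';
    // Accept only a FILE: cache at an absolute path containing no '..'.
    if (!preg_match('#^FILE:(/[A-Za-z0-9._/-]+)$#', $cc, $m)
        || strpos($m[1], '..') !== false) {
        return false;
    }
    return putenv('KRB5CCNAME=' . $cc);
}

// Constructed sample request environment (values are made up).
$sample = [
    'REMOTE_USER' => 'imapuser@EXAMPLE.ORG',
    'KRB5CCNAME'  => 'FILE:/tmp/krb5cc_apache_AbC123',
];
var_dump(principal_to_user($sample));
var_dump(principal_to_user(['REMOTE_USER' => 'imapuser@OTHER.ORG']));
var_dump(export_ticket_cache($sample));
```

An authenticator built this way should run only behind the protected location, since `REMOTE_USER` is meaningful only when the web server itself set it after authenticating the request.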


Quoting Martin Podworny <podworny at ub.uni-koeln.de>:

> Hi,
>
> For a couple of days I have been trying to integrate Horde3/IMP4 into our
> Kerberos5 infrastructure. The webmailer should connect to a Cyrus imapd
> (all installed on Debian 4.0/Etch), which authenticates imapuser with
> the help of saslauthd. SASL in turn uses GSSAPI/Kerberos as its authentication
> mechanism. With this setup, it is possible to log in (Thunderbird or
> imtest).
>
> In Horde I configured the following:
>
> Administration->Authentication->What backend should we use for
> authenticating users to Horde->Kerberos authentication
>
> After setting this and installing the PHP extension for krb5, it is possible
> to log on with a valid credential. But how can I switch with this
> credential, which is validated by hordeauth, to IMP? I tried it with
> the following in /etc/horde3/imp4/server.php:
>
> $servers['cyrus'] = array(
>     'name' => 'IMAP Server',
>     'server' => 'host.domain.de',
>     'hordeauth' => true,
>     'protocol' => 'imap/notls',
>     'port' => 143,
>     'maildomain' => 'domain.de',
>     'smtphost' => 'smtphost.domain.de',
>     'smtpport' => 25,
>     'realm' => '',
>     'preferred'
> ...
> }
>
> Login to Horde succeeded, but if I click on "Mail", "Login
> failed" appears. The log file horde.log says this:
>
> Jul 15 14:56:16 HORDE [notice] [horde] Login success for imapuser
> [NNN.NN.NN.NN] to Horde [on line 90 of "/usr/share/horde3/login.php"]
> Jul 15 14:56:19 HORDE [error] [imp] FAILED LOGIN NNN.NN.NN.NN to
> host.domain.de:143[imap/notls] as imapuser [on line 258 of
> "/usr/share/horde3/imp/lib/Auth/imp.php"]
>
> Does anyone have a hint? Thank you very much,
>
> Martin
> --
> Universität zu Köln :: Universitäts- und Stadtbibliothek
> IT-Dienste
> Universitätsstr. 33 :: D-50931 Köln
> Tel.: +49 221 470-3330 :: Fax: +49 221 470-5166
> podworny at ub.uni-koeln.de :: www.ub.uni-koeln.de