Authenticate Cyrus off active directory

Rob Siemborski rjs3 at andrew.cmu.edu
Thu Dec 4 11:40:04 EST 2003


On Thu, 4 Dec 2003, Etienne Goyer wrote:

> Because our 60K+ user base uses a hodgepodge of IMAP clients over which
> we have no control.  I am not quite sure our webmail (IMP) could be made to
> authenticate via Kerberos either.

Our webmail (squirrelmail) is doing Kerberos authentication.  We gutted
the authentication part of squirrelmail and instead launch a persistent
imtest process, which squirrelmail connects to instead (this was
relatively easy to do, actually -- most of the changes that were
required were in imtest).  This also has the benefit of caching
authentications (like a proxy), since successive page hits just re-use
the same imtest process.

The trick is that you need to get the user's Kerberos ticket to the web
server, which we accomplish via a system known as pubcookie, which has
been developed by a few universities.  It's sort of like
Kerberos-via-cookies, though the Kerberos ticket passing bit is somewhat
disconnected from the main system.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper





More information about the Info-cyrus mailing list