Authenticate Cyrus off active directory
rjs3 at andrew.cmu.edu
Thu Dec 4 11:40:04 EST 2003
On Thu, 4 Dec 2003, Etienne Goyer wrote:
> Because our 60K+ users base use a hodgepodge of IMAP client over which
> we have no control. I am not quit sure our webmail (IMP) could be made to
> authenticate via Kerberos either.
Our webmail (squirrelmail) is doing kerberos authentication. We gutted
the authentication part of squirrelmail and instead launch a persistant
imtest process, which squirrelmail connects to instead (this was
relatively easy to do, actually -- most of the changes that were
required were in imtest). This also has the benefit of caching
authentications (like a proxy), since successive page hits just re-use
the same imtest process.
The trick is that you need to get the user's kerberos ticket to the web
server, which we accomplish via a system known as pubcookie, which has
been developed by a few universities. Its sort of like
kerberos-via-cookies, though the kerberos ticket passing bit is somewhat
disconnected from the main system.
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
More information about the Info-cyrus