Horde/IMP authentication to Cyrus via client certificates?

Igor Brezac igor at ipass.net
Thu Feb 17 23:26:41 EST 2005


On Thu, 17 Feb 2005, Kevin P. Fleming wrote:

> Igor Brezac wrote:
>
>> SASL/EXTERNAL is what you want although I have not tried it.  OpenLDAP 
>> works great.  In theory, the CN part of the client certificate subject 
>> needs to be a valid mailbox.  You can test this with imtest -t 
>> client_cert_file -m EXTERNAL ....  I assume that you have SSL/TLS working.
>
> Yes, I do have that working. I'll test with SASL/EXTERNAL, it sounds like 
> exactly what I need. I don't really want the CN to be the mailbox name, 
> though, I'd rather have SASL/EXTERNAL work off the email address embedded in 
> the certificate.

Actually, this is what you want to do.  I should have said a valid 
cyrus userid rather than mailbox name.

>
>> Your bigger issue is to find a client that supports SASL/EXTERNAL.  I do 
>> not believe c-client library (this is what drives IMP/Horde via PHP) 
>> supports SASL/EXTERNAL, so this is what you need to start hacking.
>
> That's been my plan; c-client is very simple, and I've already hacked Horde 
> to get the PEM-encoded client cert from Apache and store it in a session 
> variable, so I can extract it out in IMP and pass it to c-client. If I get it 
> working I'll post the results :-)

-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
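
The SASL EXTERNAL exchange discussed in this thread, sketched from the client side as an added example (not code from the thread, Horde, c-client or Cyrus). The function names, STARTTLS on port 143, and the host and file arguments are assumptions; the sample identity "kevin" is constructed.

```python
import base64
import imaplib
import ssl


def external_response(authzid: str = "") -> bytes:
    """SASL EXTERNAL client response (RFC 4422, appendix A).

    Empty means "derive my identity from the TLS client certificate";
    a non-empty value asks to act as that authorization identity.
    """
    return authzid.encode("utf-8")


def wire_line(authzid: str = "") -> bytes:
    """Line the client sends after the server's '+' continuation."""
    return base64.b64encode(external_response(authzid)) + b"\r\n"


def login_external(host, certfile, keyfile, authzid="", port=143):
    """Hypothetical helper: STARTTLS with a client certificate, then EXTERNAL."""
    ctx = ssl.create_default_context()           # verifies the server cert
    ctx.load_cert_chain(certfile, keyfile)       # presents the client cert
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ssl_context=ctx)               # capabilities are re-read here
    if "AUTH=EXTERNAL" not in conn.capabilities:
        conn.logout()
        raise RuntimeError("server does not offer SASL EXTERNAL on this session")
    # imaplib base64-encodes whatever the callback returns.
    conn.authenticate("EXTERNAL", lambda _challenge: external_response(authzid))
    return conn


if __name__ == "__main__":
    # Constructed values: what goes on the wire for each case.
    print(wire_line())            # b'\r\n'
    print(wire_line("kevin"))     # b'a2V2aW4=\r\n'
```

No password crosses the wire in either case: the server decides from the certificate presented during the TLS handshake whether the session may act as the requested userid.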
