Horde/IMP authentication to Cyrus via client certificates?

Kevin P. Fleming kpfleming at starnetworks.us
Wed Feb 16 23:18:07 EST 2005 

I'm trying to come up with a configuration of Horde/IMP and Cyrus 2.2.x 
that will be easy to use and easy to manage :-) (I've got a number of 
these systems to set up).

So far, I have been successful using client certificates to identify 
users to Apache 2.0.x, and using a custom Horde auth module I can pass 
that identity information into Horde (and all its apps except IMP) 
without trouble. This is nice, it keeps the users from having to "log 
in" to Horde, as long as they are using a browser where they have 
installed the certificate that I supply them they are all set.

However, IMP needs to be able to log in to Cyrus IMAP, and that's where 
things break down. Even though Cyrus IMAP supports IMAP-over-TLS, which 
uses a certificate to identify the server, it does not appear that it 
knows anything about client certificates (to say nothing of the fact 
that I'd have to hack c-client to allow it to send the client 
certificate to Cyrus, but I can do that). Ideally I'd like to be able to 
connect to the IMAP port, issue STARTTLS, supply a client certificate 
and have it validated the same way that Apache does, and once that is 
done I have both a TLS encrypted session _and_ I'm already logged into 
IMAP with the email address embedded in my certificate being my 
authenticated/authorized name.

I will also need to support password-based authentication for cases 
where the user is not using a browser with their custom certificate 
installed, but since they will be doing so 99% of the time I'd like to 
avoid them having to enter a username/password to get into Horde/IMP.

Any thoughts on how difficult it would be to get Cyrus IMAP to accept a 
client certificate, validate it and automatically "log in" the user once 
that is done? I'll happily contribute the code back to CMU if I get it 
working, but I though I'd ask the gurus for their opinions before I 
tried to tackle it :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

More information about the Info-cyrus mailing list