Removing realm from usernames authenticated by GSSAPI (and two more unrelated questions)

Jukka Salmi j+asg at 2004.salmi.ch
Tue Jan 11 18:02:10 EST 2005


Aleksandar Milivojevic --> info-cyrus (2005-01-11 16:24:14 -0600):
> I've got authentication using GSSAPI working.  However, when I use 
> GSSAPI, imapd treats my login name as virtual domain.

What is virtdomains set to in your imapd.conf?


> While I'm at GSSAPI.  There's configuration option "srvtab".  I tought 
> that it is used to provide path to Kerberos keytab file to be used. 

Hmm, sounds like Kerberos IV...


> However, it seems it either isn't used for that, or that it doesn't 
> work.  I had to provide KRB5_KTNAME environment variable to get imapd to 
> use correct keytab file.

You could set 'sasl_keytab: /path/to/keytab' in imapd.conf instead.


> One more question, just out of curiosity (I don't intend to implement 
> it).  I've noticed that if GSSAPI is configured, than plain and login 
> can be used only over TLS (I'm not really sure about this, maybe I 
> noticed wrong ;-).  If it is not configured, plain and login are allowed 
> in plaintext.  Is there a configuration variable to controll this?  Like 
> force TLS even if GSSAPI is not configured, or allow plaintext in case 
> GSSAPI is configured?  allowplaintext option doesn't seem to work!?

Set 'allowplaintext: 0' in imapd.conf.


HTH, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html




More information about the Info-cyrus mailing list