Removing realm from usernames authenticated by GSSAPI (and two more unrelated questions)
j+asg at 2004.salmi.ch
Tue Jan 11 18:02:10 EST 2005
Aleksandar Milivojevic --> info-cyrus (2005-01-11 16:24:14 -0600):
> I've got authentication using GSSAPI working. However, when I use
> GSSAPI, imapd treats my login name as virtual domain.
What is virtdomains set to in your imapd.conf?
> While I'm at GSSAPI. There's configuration option "srvtab". I tought
> that it is used to provide path to Kerberos keytab file to be used.
Hmm, sounds like Kerberos IV...
> However, it seems it either isn't used for that, or that it doesn't
> work. I had to provide KRB5_KTNAME environment variable to get imapd to
> use correct keytab file.
You could set 'sasl_keytab: /path/to/keytab' in imapd.conf instead.
> One more question, just out of curiosity (I don't intend to implement
> it). I've noticed that if GSSAPI is configured, than plain and login
> can be used only over TLS (I'm not really sure about this, maybe I
> noticed wrong ;-). If it is not configured, plain and login are allowed
> in plaintext. Is there a configuration variable to controll this? Like
> force TLS even if GSSAPI is not configured, or allow plaintext in case
> GSSAPI is configured? allowplaintext option doesn't seem to work!?
Set 'allowplaintext: 0' in imapd.conf.
$ ((RANDOM%6)) || rm -rf ~
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
More information about the Info-cyrus