GSSAPI for various murder component setups

Dan White dwhite at olp.net
Wed Jun 13 16:23:57 EDT 2012


On 06/13/12 12:57 -0700, Stephen Ingram wrote:
>There seems to be quite a bit of information on the Website about
>setting up a murder configuration. Most of the documentation, however,
>seems to be centered on basic authentication. Is there a good resource
>somewhere on using Kerberos to set up the communication between the
>mupdate, frontend and backend servers for mupdate, imap and
>replication processes? I see some configs in the distribution conf
>directory from CMU setups, but they are only partially complete and
>based on Kerberos 4.

There are two differences that come to mind:

When configuring authentication, you can simply leave the authname and
password out of your configuration, such as:

mupdate_server: mupdate.example.net
# mupdate_port
# mupdate_username:
# mupdate_authname
# mupdate_realm
# mupdate_password
# mupdate_retry_delay
mupdate_config: standard

The other issue is that where your systems are acting as clients (such as
when a frontend server is connecting to an mupdate server), your client
will need to initialize a Kerberos ticket cache, and in my experience
cannot use the Kerberos credentials used to accept connections. Or in other
words, your frontends might have an imap/mail.example.net service ticket
for accepting client imap connections, but then may need a separate ticket,
such as cyrus/mail.example.net, for backend/mupdate connections. I use
cronjobs, running as the cyrus user, to initialize those credential
caches.

-- 
Dan White
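
One way to write the cron-run cache refresh described in the reply above, as an added example that is not part of the original post or of Cyrus itself. It assumes MIT Kerberos `kinit`/`klist`; the keytab path, cache path, script name and cron schedule are hypothetical, and the principal is the one named in the post.

```shell
#!/bin/sh
# Added example. Assumed values: keytab path, cache path and schedule.
# Constructed crontab entry for the cyrus user:
#   0 */4 * * * /usr/local/sbin/cyrus-ccache.sh refresh
PRINCIPAL="${PRINCIPAL:-cyrus/mail.example.net}"
KEYTAB="${KEYTAB:-/etc/cyrus.keytab}"        # hypothetical location
CCACHE="${CCACHE:-/tmp/krb5cc_$(id -u)}"     # common default FILE: cache

# The keytab holds the service's long-term key: refuse to use it if
# group or other have any permission bits set on it.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ln "$1" | cut -c5-10)   # group and other mode characters
    [ "$perms" = "------" ]
}

# Fetch a fresh TGT into a temporary cache, verify it, then rename it
# into place so a connecting client never reads a half-written cache.
refresh_ccache() {
    keytab_is_private "$KEYTAB" || {
        echo "unsafe or missing keytab: $KEYTAB" >&2
        return 2
    }
    tmp=$(mktemp "${CCACHE}.XXXXXX") || return 3
    if kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL" &&
       klist -s "FILE:$tmp"; then
        mv -f "$tmp" "$CCACHE"
    else
        rm -f "$tmp"
        echo "kinit failed for $PRINCIPAL" >&2
        return 4
    fi
}

# Only act when invoked as "script refresh" (as in the crontab entry).
if [ "${1:-}" = "refresh" ]; then refresh_ccache; fi
```

Schedule the job more often than the ticket lifetime so the cache never expires between runs, and alert on a non-zero exit status.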

