GSSAPI for various murder component setups

Stephen Ingram sbingram at gmail.com
Fri Jun 22 14:31:46 EDT 2012


On Wed, Jun 20, 2012 at 6:29 AM, Dan White <dwhite at olp.net> wrote:
> On 06/19/12 19:04 -0700, Stephen Ingram wrote:
>>
>> Thank you for your continued help with this. I really appreciate it
>> and am determined to get to the end of this.
>>
>> I think I'm getting closer. I have successfully authenticated using
>> mupdatetest from one of the backends to the mupdate server. I'm using
>> service principals on both ends. I've even specified the
>> imap/imap1.example.com part of the principal in the admins: section of
>> the configuration and after solving several configuration issues on my
>> end, it seems to work! I came across a post from you some time ago
>> talking about /etc/krb.equiv. Would this be an easier way to do this?
>> I tried placing that file on the mupdate server and loaded it with
>> imap/imap1.example.com imap1 and then placed admins: imap1 in my
>> imapd.conf file, but I'm not sure if it works. Do I have to tell cyrus
>> about that file somewhere?
>
>
> I have not used /etc/krb.equiv before, but the last time I dug into the
> code trying to understand it, I came away with the impression that it's
> used for Kerberos v4 only. Apparently it would be a way to map
> 'imap/imap1.example.com' to 'imap1'. It might work just as well to just
> place 'imap/imap1.example.com' or 'imap/imap1.example.com@EXAMPLE.COM' into
> your proxyservers/*_admins entries.
>
> I know that this format works, because it's what I currently have in my
> config:
>
> cyrus-mail1.example.net@EXAMPLE.NET

Yes, I was able to get this to work too with mupdatetest, even without
the @EXAMPLE.COM piece. I'm guessing if you don't include the realm,
it just adds the default one. The krb.equiv does seem to work too,
although since you can just specify the entire principal, I'm not sure
that it is really that useful in this instance.

One other question though, how often do you refresh your credential
cache? From the few examples I've seen, most people seem to refresh
very frequently (anywhere from 6 minutes to 1 hour). Given that most
tickets can last up to 10 or 12 hours, I'm guessing the shorter life
is for security or some other reason?

Steve
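On the refresh-cadence question above, an added example (not from this thread or from Cyrus) shows a cron-style wrapper that reads the backend's credential cache via klist output, renews only when the realm's TGT is within a margin of expiry, and builds the kinit invocation from a keytab. The cache path, keytab path and the mupdate service principal in the sample are assumed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT Kerberos `klist` output (not captured from the poster's system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/var/run/cyrus/krb5cc_imap1
Default principal: imap/imap1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
06/22/2012 08:00:00  06/22/2012 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
06/22/2012 08:00:05  06/22/2012 18:00:00  mupdate/mupdate.example.com@EXAMPLE.COM
"""

# MIT klist prints 4-digit or (older releases) 2-digit years; accept both.
TS_RE = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (TS_RE, TS_RE))

def parse_ts(text):
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)

def parse_klist(text):
    """Map each service principal in klist output to (valid_from, expires)."""
    tickets = {}
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = (parse_ts(m.group(1)), parse_ts(m.group(2)))
    return tickets

def needs_refresh(klist_text, realm, now_text, min_remaining_hours=1):
    """True when the realm's TGT is absent or expires within the margin.
    now_text uses the klist timestamp format so a cron wrapper can pass it."""
    tgt = parse_klist(klist_text).get("krbtgt/%s@%s" % (realm, realm))
    if tgt is None:
        return True
    return tgt[1] - parse_ts(now_text) < timedelta(hours=min_remaining_hours)

def kinit_command(principal, keytab, cache):
    """argv to re-acquire the TGT from a keytab into a named cache; -k, -t
    and -c are standard MIT kinit options, the paths are placeholders."""
    return ["kinit", "-k", "-t", keytab, "-c", cache, principal]
```

Running the check every few minutes is then cheap: kinit is only invoked when the margin is reached, and a missing or unreadable cache triggers a renewal instead of a silent failure at the next mupdate connection.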


More information about the Info-cyrus mailing list