GSSAPI for various murder component setups

Stephen Ingram sbingram at gmail.com
Sat Jun 23 17:11:12 EDT 2012


On Thu, Jun 14, 2012 at 9:14 PM, Dan White <dwhite at olp.net> wrote:

...snip...

> You can control whether clients will get referrals via the
> proxyd_disable_mailbox_referrals option.
>
> When proxying, you would configure the 'cyrus-<hostname>' user within
> the proxyservers option on the backend. When the frontend authenticates to
> the backend, it will send an authorization identity of the previously
> authenticated frontend user. Like:
>
> authcid: none (derived from your kerberos identity)
> authzid: jsmith
>
> Then, from the backend's perspective, jsmith performed the authentication,
> and gets all the proper ACL permissions applied. The frontend *might* have
> all the appropriate service principals in place to support client gssapi
> authentication, however that's not necessary. The client authentication to
> the frontend, and the frontend's proxy authentication to the backend are
> distinct authentications. The frontend *will* need to have a non-service
> principal ticket initialized when performing gssapi authentication to the
> backend.

If I'm reading this correctly, you are saying that you really don't
need any of the services (imap,sieve,nntp,pop) in the keytab on the
frontend, but only the backend. The frontend authenticates to the
backend using its own credentials (in my case the credential cache
from imap/imap.example.com) and proxies the user ticket to the backend
services (even with proxyd_disable_mailbox_referrals turned on). It
looks like Dave is authenticating on the frontend instead. Is this
just a different way of doing things or does each come with
advantages/disadvantages? I would think that you *would* need to make
the authcid to authzid determination on the backend, so I wonder how
this is working for him?

Steve
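The authcid-to-authzid determination Dan describes, as an added example that is not code from this thread or from Cyrus: it models the backend's decision from a constructed imapd.conf fragment (the realm EXAMPLE.COM, the user names and the principal-to-user mapping are assumptions, and the policy is a simplified model of the rule in the quoted message).

```python
# Constructed imapd.conf fragment for the backend (sample values, not from the thread).
BACKEND_IMAPD_CONF = """\
admins: cyrus
proxyservers: cyrus-frontend cyrus-frontend2
proxyd_disable_mailbox_referrals: yes
"""

DEFAULT_REALM = "EXAMPLE.COM"  # assumed Kerberos realm of the murder


def parse_imapd_conf(text):
    """Parse 'key: value' lines; ignore blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def canonicalize(principal, default_realm=DEFAULT_REALM):
    """Turn a Kerberos principal into the user name the backend sees (assumed
    mapping): drop the default realm, keep a foreign one, and refuse host-based
    service principals so 'imap/host' can never become a login identity."""
    name, _, realm = principal.partition("@")
    if "/" in name:
        raise ValueError(f"service principal not usable as authcid: {principal}")
    return name if realm in ("", default_realm) else f"{name}@{realm}"


def effective_user(authcid, authzid, conf):
    """Return who the backend treats as logged in, or None if login is refused.
    Rule from the quoted message: a plain user may only authorize as itself;
    an entry in proxyservers (or admins) may assert a different authzid."""
    user = canonicalize(authcid)
    if not authzid or authzid == user:
        return user
    proxies = set(conf.get("proxyservers", "").split())
    admins = set(conf.get("admins", "").split())
    if user in proxies or user in admins:
        return authzid  # frontend proxying for the already-authenticated user
    return None  # ordinary user trying to impersonate someone else
```

Keeping `proxyservers` limited to the frontend identities, and never listing `imap/...` service principals there, is what keeps a compromised ordinary account from asserting another user's authzid.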

