CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment


Re: Cosign and cyrus imap and IMP

On 06 Nov 2004, at 16:01, Brett Lomas wrote:
> But, the problem I am having is mainly with Kerberos, in reality, because
> the tickets are tied to the cosign server, and thus will not work on the web
> server with my IMP and IMAP proof of concept (more of a kinda it-can-be-done
> than POC). I cannot see how you guys get around it, other than perhaps your
> Kerberos server gives out address-less tickets by default???

Perhaps. We used to put an option in our krb5.conf file to the effect that we wanted an address-less ticket:

	noaddresses = true

I don't see that there, now. There's a block of Kerberos options set in cosign/cgi/cgi.c:

	krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
	krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
	krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
	krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );

Perhaps we need to add this:

	krb5_get_init_creds_opt_set_address_list( &kopts, NULL );

If it works for you, we can certainly add it.
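
The behaviour discussed in this message, as an added example that is not part of the original post and not cosign or MIT krb5 source: a simplified model of the address check a KDC or service applies to a ticket, showing why a ticket bound to the cosign server's address is refused when presented from the web server while an address-less ticket is accepted. The struct, function name, principal and IP addresses are constructed for illustration.

```c
/* Simplified model (added example) of the Kerberos client-address check.
 * Not MIT krb5 or cosign code; names and sample values are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 4

/* Hypothetical ticket: only the client address list (caddr) matters here. */
struct ticket {
    const char *client;
    size_t      naddrs;            /* 0 == address-less ticket */
    const char *caddr[MAX_ADDRS];  /* addresses the KDC bound the ticket to */
};

/* Returns 1 if a ticket presented from `sender` passes the address check.
 * Per RFC 4120, an empty caddr list means the ticket is usable from any host. */
int address_check(const struct ticket *t, const char *sender)
{
    size_t i;

    if (t->naddrs == 0)
        return 1;
    for (i = 0; i < t->naddrs; i++)
        if (strcmp(t->caddr[i], sender) == 0)
            return 1;
    return 0;
}

/* Constructed sample hosts (documentation address range). */
static const char *COSIGN_SERVER = "192.0.2.10";  /* where the ticket was obtained */
static const char *WEB_SERVER    = "192.0.2.20";  /* where IMP presents the ticket */

int main(void)
{
    struct ticket bound    = { "user@EXAMPLE.ORG", 1, { "192.0.2.10" } };
    struct ticket addrless = { "user@EXAMPLE.ORG", 0, { NULL } };

    printf("bound,    from cosign server: %d\n", address_check(&bound, COSIGN_SERVER));
    printf("bound,    from web server:    %d\n", address_check(&bound, WEB_SERVER));
    printf("addrless, from web server:    %d\n", address_check(&addrless, WEB_SERVER));
    return 0;
}
```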


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010