CoSign: Collaborative Single Sign-On  

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: Cosign and cyrus imap and IMP



On 06 Nov 2004, at 06:12, Brett Lomas on vxchange wrote:
Has anyone gotten cosign working with Cyrus IMAP through IMP?

This is exactly what we're running at UMich today, though we're using Cyrus Murder, so maybe it's more complex than you require. We're also using up-imapproxy:


http://www.imapproxy.org/

(which appears to be down just now) to cache IMAP connections, thus reducing load on the IMAP servers. /etc/imapproxy.conf has these lines:

	server_hostname 127.0.0.1
	listen_address 127.0.0.1
	listen_port 8143

to tell it to just talk to the local proxyd and to listen on the loopback on an alternate port.

We also made a small change to proxyd:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-devel&msg=755

which has been accepted into the cyrus imap CVS. Cyrus proxyd is running locally on the IMP machines, with the above -N option. IMP has been modified to authenticate to port 8143 using the REMOTE_USER as provided by Cosign for both ID & password.

I've attached a picture. This set up works much better than our old setup, which used the Cosign provided TGT to make a new connection for each HTTP transaction.

:wes

Attachment: Cyrus IMP.pdf
Description: Adobe PDF document


I have gotten IMAP to work with Kerberos tickets locally and it all seems fine. When I use cosign and mod_apache on an apache 2 server I get the ticket successfully, but because of the address in the ticket, my KDC is refusing to issue the imap service ticket for it.

To get around this (at least temporarily - to test the IMP/imap GSSAPI) I did a kinit on the CC which mod_cosign created for me, then attempted again. It fails then with an error that I am not allowed to proxy (and a klist on the CC reveals a nice imap service ticket). So I added myself to the proxyservers config in imapd.conf, and then it worked. But this isn't good... it appears something (IMP) is authenticating as me and then attempting to proxy as the user apache (which the web server is running as).
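The trust chain wes describes above (mod_cosign sets REMOTE_USER; IMP logs into a loopback-only proxy on port 8143 with REMOTE_USER as both user and password; the local proxyd, with the patch linked above, accepts that login) can be walked through end to end with a small simulation. The following is an added example, not code from this message or from Cosign, IMP, up-imapproxy or Cyrus: the stub IMAP server is a constructed stand-in for imapproxy plus the patched proxyd, the function names (imp_login, run_demo, refuses_non_loopback) are hypothetical, and the REMOTE_USER value "bjl" is a made-up sample. The check a practitioner wants is also in here: because the "password" carries no secret, the whole scheme is only as strong as the guarantee that port 8143 is reachable from loopback alone, so the client side refuses to send the credential to any non-loopback address.

```python
# Added example, not code from the list message or from Cosign, IMP, imapproxy
# or Cyrus.  It simulates the described setup: REMOTE_USER from mod_cosign is
# used as both IMAP user and password against a loopback-only proxy, and the
# local proxyd (patched to trust the front end) accepts any password.  The
# stub server below is a constructed stand-in for imapproxy + proxyd.
import imaplib
import ipaddress
import socketserver
import threading


class ProxydStub(socketserver.StreamRequestHandler):
    """Minimal IMAP responder mimicking the patched proxyd: the password is
    recorded but never checked, because only loopback is supposed to reach it."""

    def handle(self):
        self.wfile.write(b"* OK stub proxyd ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.rstrip(b"\r\n").split(b" ", 2)
            if len(parts) < 2:
                continue
            tag, cmd = parts[0], parts[1].upper()
            if cmd == b"CAPABILITY":
                self.wfile.write(b"* CAPABILITY IMAP4rev1\r\n" + tag + b" OK done\r\n")
            elif cmd == b"LOGIN" and len(parts) == 3:
                user, _, password = parts[2].partition(b" ")
                # imaplib sends the password double-quoted; strip that for the record.
                self.server.logins.append((user.decode(), password.strip(b'"').decode()))
                self.wfile.write(tag + b" OK LOGIN completed\r\n")  # no password check
            elif cmd == b"LOGOUT":
                self.wfile.write(b"* BYE logging out\r\n" + tag + b" OK LOGOUT completed\r\n")
                return
            else:
                self.wfile.write(tag + b" BAD unsupported\r\n")


def imp_login(environ, proxy_host="127.0.0.1", proxy_port=8143):
    """IMP side (hypothetical helper): REMOTE_USER, as set by mod_cosign, is sent
    as both IMAP user and password.  Refuse if Cosign did not authenticate the
    request, or if the proxy is not on loopback, since anything that can reach
    that port can log in as anyone."""
    user = environ.get("REMOTE_USER")
    if not user:
        raise PermissionError("no REMOTE_USER: request was not authenticated by Cosign")
    if not ipaddress.ip_address(proxy_host).is_loopback:
        raise ValueError("proxy must be loopback-only; %s is not" % proxy_host)
    conn = imaplib.IMAP4(proxy_host, proxy_port)
    typ, _ = conn.login(user, user)
    return conn, typ


def run_demo(remote_user="bjl"):
    """Start the stub on an ephemeral loopback port, log in as IMP would, and
    return (login status, the (user, password) pairs the proxy saw)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ProxydStub)
    srv.daemon_threads = True
    srv.logins = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # Constructed CGI-style environment, as mod_cosign would populate it.
        conn, typ = imp_login({"REMOTE_USER": remote_user}, "127.0.0.1", srv.server_address[1])
        conn.logout()
    finally:
        srv.shutdown()
        srv.server_close()
    return typ, srv.logins


def refuses_non_loopback(host="10.0.0.5"):
    """True if imp_login refuses to ship the REMOTE_USER credential off-host."""
    try:
        imp_login({"REMOTE_USER": "bjl"}, host, 8143)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())                 # ('OK', [('bjl', 'bjl')])
    print(refuses_non_loopback())     # True
```

The stub makes the trust model visible: the proxy records ('bjl', 'bjl') and answers OK without ever validating the password, which is exactly why the listen_address 127.0.0.1 line in imapproxy.conf, and the same loopback binding on proxyd, are security controls rather than tuning knobs.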

 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010