cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: Cosign and cyrus imap and IMP
On 06 Nov 2004, at 16:01, Brett Lomas wrote:
> But, the problem I am having is mainly with Kerberos, in reality, because
> the tickets are tied to the cosign server, and thus will not work on the web
> server with my IMP and IMAP proof of concept (more of a kinda it-can-be-done
> than POC). I cannot see how you guys get around it, other than perhaps your
> Kerberos server gives out address-less tickets by default???

Perhaps. We used to put an option in our krb5.conf file to the effect
that we wanted an address-less ticket:

    noaddresses = true

I don't see that there, now. There's a block of Kerberos options set
in cosign/cgi/cgi.c:

    krb5_get_init_creds_opt_set_tkt_life( &kopts, 10*60*60 );
    krb5_get_init_creds_opt_set_renew_life( &kopts, 0 );
    krb5_get_init_creds_opt_set_forwardable( &kopts, 1 );
    krb5_get_init_creds_opt_set_proxiable( &kopts, 0 );

Perhaps we need to add this:

    krb5_get_init_creds_opt_set_address_list( &kopts, NULL );

If it works for you, we can certainly add it.

:wes
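
Added example, not part of the original message and not cosign or MIT krb5 code: a simplified C model of the Kerberos ticket address (caddr) check, showing why a ticket bound to the cosign server's address is rejected when the web server presents it, and why an address-less ticket is accepted. The struct, the function name and the addresses are hypothetical and constructed for illustration.

```c
/* Added example: simplified model of the ticket address (caddr) check.
 * Hypothetical types and names; this is not MIT krb5 or cosign code. */
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS     4
/* Constructed sample addresses (documentation range). */
#define COSIGN_SERVER "192.0.2.10"   /* host that obtained the ticket */
#define WEB_SERVER    "192.0.2.20"   /* host that presents it to IMAP */

struct ticket {
    const char *client;              /* client principal */
    int         naddrs;              /* 0 means address-less (no caddr) */
    const char *caddr[MAX_ADDRS];    /* addresses the ticket is bound to */
};

/* Return 1 if a ticket presented from `sender` passes the address check. */
int ticket_usable_from(const struct ticket *t, const char *sender)
{
    int i;

    if (t->naddrs == 0)              /* no caddr: accepted from any host */
        return 1;
    for (i = 0; i < t->naddrs; i++)
        if (strcmp(t->caddr[i], sender) == 0)
            return 1;
    return 0;                        /* bound to other hosts: rejected */
}

int main(void)
{
    struct ticket bound       = { "user@EXAMPLE.ORG", 1, { COSIGN_SERVER } };
    struct ticket addressless = { "user@EXAMPLE.ORG", 0, { 0 } };

    printf("bound ticket, from cosign server:     %d\n",
           ticket_usable_from(&bound, COSIGN_SERVER));
    printf("bound ticket, from web server:        %d\n",
           ticket_usable_from(&bound, WEB_SERVER));
    printf("address-less ticket, from web server: %d\n",
           ticket_usable_from(&addressless, WEB_SERVER));
    /* Trade-off: an address-less ticket passes from any address, so the
     * address binding no longer limits where a copied cache is usable. */
    printf("address-less ticket, from other host: %d\n",
           ticket_usable_from(&addressless, "198.51.100.7"));
    return 0;
}
```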