[Dovecot] gssapi, kerberos and webmail

Denis Cardon denis.cardon at tranquil-it-systems.fr
Fri Sep 14 11:02:39 EEST 2007


Hi everyone,

First, thanks for the great job. I switched successfully from courier 
imap a few months ago and both the migration and maintenance went 
smoothly from then on.

The reason I switched was gssapi support (and the easier debug) and now 
I have thunderbird on Linux connecting in an SSO fashion through 
kerberos/GSSAPI (works great).

Users should be able to access their mail through a webmail too (e.g. 
eGroupware). I have already checked for kerberos authentication on 
Apache, however there seems to be no way to have ticket forwarding 
through PHP. AFAIK there is thus no way to use kerberos for php-imap 
--> dovecot authentication. The only information available seems to be 
the username.

So here is my question:

How do people on this mailing list handle kerberos authentication with 
webmail? Do you use another kind of authentication on a privileged port (i.e. 
with access only from apache) and just do a login/nopassword 
authentication (like a uid-based authentication through ldapi:/// on an 
ldap directory for example)?

Here is what we have with thunderbird:

Thunderbird -------kerberos-------> dovecot on standard port

Here is what I would guess for webmail auth:

Firefox ------kerberos----> Apache ----gssapi-auth-just-using-login----> dovecot on privileged port

Cheers,

Denis

-- 
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.62.67
http://www.tranquil-it-systems.fr



