mat at matws.net
Sat Jun 14 23:20:39 GMT 2008
>> Do you mean just adding to the record for the dn:
>> servicePrincipalName=DNS/test.tst,CN=Principals (where test.tst is my realm) adding an attribute krb5Keytab with
>> krb5.keytab as value ?
>> And then I suppose that I have to copy the dns.keytab file to krb5.keytab.
> I meant creating a new entry in the directory similar to cn=DNS, and a
> new entry in the secrets.ldb similar (but again, not for DNS but for the
> target service), using krb5keytab.
Still not clear for me, I guess I need to concentrate really on it and do some try and fail cycles.
>> It works very well. But I would like to be able to map a principal to another mailbox (in cyrus) ie. m12345 at test.tst map
>> to mailbox matthieu.patou.
>> In order that we have login composed of letters and numbers (like most medium and big sized company have) but email in
>> the form first_name.last_name at domain.
> Sounds like a reasonable goal, but don't you want to do the Kerberos
> authentication directly from the kerberised client to the kerberised
> IMAP server?
Although I am not an cyrus expert, it seems that you have only two solutions with cyrus: saslauthd or auxprop both seems
quite equivalent to me I could either gssapi module and auxprop to kerberise cyrus or saslauthd + mech krb5 to achieve
>Using saslauthd allows useful manipulations, but places
> the cleartext password on the wire...
I am not sure that information go cleartext, at least with clients that support secured authentification (cram-md5,
> You might also consider having saslauthd use LDAP.
In fact I am trying to make cyrus use kerberos very directly because it seems (at least it's what I understand) that you
can do the kind of mapping exposed in my previous mail when cyrus is using kerberos authentification.
More information about the samba-technical