SSO with kolab components
Jochen Hein
jochen at jochen.org
Tue Oct 20 07:46:27 CEST 2015
Hello,
in
http://planet.kolab.org/blog/seigo/2015/10/19/kolab-sso-and-second-factors
is a discussion about Single-Sign-On and Second Factors. I'm also
researching options to use these in my network. I do use Kolab 3.4 and
FreeIPA 4.2 right now. LDAP is currently synchronized manually (works
for 5 users...). I've seen some older messages concerning integration of
both, but nothing that could be implemented in the short term. Has
anybody interest to work on some documentation how to integrate Kolab
and IPA?
I've added my Kolab server to the IPA-domain with ipa-client-install.
I've added GSSAPI support to both cyrus-imapd and postfix, so my users
can access their mail with thunderbird and SSO. Here are the details
what I needed to do.
Add GSSAPI to IMAP
First wie need to add a service in IPA:
http://www.freeipa.org/page/%28DRAFT%29_HA_mail_services_with_FreeIPA,_postfix,_dovecot,_amavisd-new,_clamd_and_PLAIN/GSSAPI_SSO
,----
| # ipa service-add imap/kolabhost.example.org
`----
On the kolab server we need to create a keytab:
,----
| # ipa-getkeytab -s freeipa.jochen.org -p imap/jupiter.jochen.org -k /etc/cyrus.keytab
| # chmod 600 /etc/cyrus.keytab
| # chown cyrus:root /etc/cyrus.keytab
`----
Now we add the keytab into the cyrus configuration:
--- a/imapd.conf
+++ b/imapd.conf
@@ -4,7 +4,9 @@ admins: cyrus-admin
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: auxprop saslauthd
-sasl_mech_list: PLAIN LOGIN
+sasl_mech_list: PLAIN LOGIN GSSAPI
+sasl_keytab: /etc/cyrus.keytab
allowplaintext: no
tls_server_cert: /etc/ssl/private/imap.jochen.org.crt
tls_server_key: /etc/ssl/private/imap.jochen.org.key
That's it for IMAP. With sieve a tried something similar, but didn's
succeed. But my users mostly don't use sieve, so this is not a priority.
Adding GSSAPI to postfix
Again, we first create the service in IPA:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/
,----
| # ipa service-add smtp/jupiter.jochen.org
`----
Create a keytab in the kolab server (it might be better to put it in /etc/postfix):
,----
| # ipa-getkeytab -s freeipa.jochen.org -p smtp/jupiter.jochen.org -k /etc/smtp.keytab
| # chown postfix:postfix /etc/smtp.keytab
| # chmod 440 /etc/smtp.keytab
`----
Here are now manually edited diffs in the config - I'm not completly
sure, what the minimal changes would be - but SSO works for me now:
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -65,6 +65,8 @@ smtp_tls_security_level = may
submission_data_restrictions = check_policy_service unix:private/submission_policy
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_policy_service unix:private/sender_policy_incoming
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
+smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@@ -89,4 +91,4 @@ smtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
-smtpd_relay_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, rej
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, rej
--- a/postfix/sasl/smtpd.conf
+++ b/postfix/sasl/smtpd.conf
@@ -1,2 +1,5 @@
-pwcheck_method: saslauthd
+pwcheck_method: auxprop saslauthd
-mech_list: plain login
+mech_list: plain login gssapi
+log_level: 0
+keytab: /etc/smtp.keytab
Now thunderbird detects my imap server with STARTTLS and GSSAPI. For
SMTP it uses STARTTLS and login, but I can switch it to GSSAPI manually
and can send and receive mails.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
More information about the users
mailing list