SSO with kolab components

Jochen Hein jochen at jochen.org
Tue Oct 20 07:46:27 CEST 2015


Hello,

In
http://planet.kolab.org/blog/seigo/2015/10/19/kolab-sso-and-second-factors
there is a discussion about Single Sign-On and second factors. I'm also
researching options to use these in my network.  I do use Kolab 3.4 and
FreeIPA 4.2 right now. LDAP is currently synchronized manually (works
for 5 users...). I've seen some older messages concerning integration of
both, but nothing that could be implemented in the short term. Is
anybody interested in working on some documentation on how to integrate
Kolab and IPA?

I've added my Kolab server to the IPA-domain with ipa-client-install.

I've added GSSAPI support to both cyrus-imapd and postfix, so my users
can access their mail with thunderbird and SSO.  Here are the details
of what I needed to do.

Add GSSAPI to IMAP

First we need to add a service in IPA:
http://www.freeipa.org/page/%28DRAFT%29_HA_mail_services_with_FreeIPA,_postfix,_dovecot,_amavisd-new,_clamd_and_PLAIN/GSSAPI_SSO

,----
| # ipa service-add imap/kolabhost.example.org
`----

On the kolab server we need to create a keytab:

,----
| # ipa-getkeytab -s freeipa.jochen.org -p imap/jupiter.jochen.org -k /etc/cyrus.keytab
| # chmod 600 /etc/cyrus.keytab
| # chown cyrus:root /etc/cyrus.keytab
`----

Now we add the keytab into the cyrus configuration:

--- a/imapd.conf
+++ b/imapd.conf
@@ -4,7 +4,9 @@ admins: cyrus-admin
 sievedir: /var/lib/imap/sieve
 sendmail: /usr/sbin/sendmail
 sasl_pwcheck_method: auxprop saslauthd
-sasl_mech_list: PLAIN LOGIN
+sasl_mech_list: PLAIN LOGIN GSSAPI
+sasl_keytab: /etc/cyrus.keytab
 allowplaintext: no
 tls_server_cert:          /etc/ssl/private/imap.jochen.org.crt
 tls_server_key:           /etc/ssl/private/imap.jochen.org.key
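Review bot: this hunk keeps PLAIN and LOGIN in `sasl_mech_list` next to the new GSSAPI, and that is only safe because `allowplaintext: no` two lines below is unchanged, so the two plaintext mechanisms are offered after STARTTLS only; the text should say so, otherwise readers copying the change may drop `allowplaintext: no`. The added `sasl_keytab: /etc/cyrus.keytab` matches the file fetched with `ipa-getkeytab` above, and the `chown cyrus:root` / `chmod 600` shown there is the right ownership for the uid that reads it.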

That's it for IMAP. With sieve I tried something similar, but didn't
succeed. But my users mostly don't use sieve, so this is not a priority.

Adding GSSAPI to postfix

Again, we first create the service in IPA:
https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/

,----
| # ipa service-add smtp/jupiter.jochen.org
`----

Create a keytab on the kolab server (it might be better to put it in /etc/postfix):

,----
| # ipa-getkeytab -s freeipa.jochen.org -p smtp/jupiter.jochen.org -k /etc/smtp.keytab
| # chown postfix:postfix /etc/smtp.keytab
| # chmod 440 /etc/smtp.keytab
`----

Here are now the manually edited diffs of the config - I'm not completely
sure what the minimal changes would be - but SSO works for me now:

--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -65,6 +65,8 @@ smtp_tls_security_level = may
 submission_data_restrictions = check_policy_service unix:private/submission_policy
 smtpd_tls_security_level = may
 smtpd_sasl_auth_enable = yes
+broken_sasl_auth_clients = yes
+smtpd_sasl_path = smtpd
 smtpd_sender_restrictions = permit_mynetworks, check_policy_service unix:private/sender_policy_incoming

 smtp_sasl_auth_enable = yes
 smtp_sasl_security_options = noanonymous
+smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
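Review bot: two of the three added lines are Postfix defaults and can be left out of the minimal change the text asks about: `smtpd_sasl_path = smtpd` is the default name Cyrus SASL resolves to sasl/smtpd.conf, and `smtpd_sasl_tls_security_options = $smtpd_sasl_security_options` is the documented default value. `broken_sasl_auth_clients = yes` only adds the legacy `AUTH=` line to the EHLO response for old clients; it is harmless but not needed for GSSAPI, so the text should either say why it was added or drop it.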
@@ -89,4 +91,4 @@ smtp_tls_protocols = !SSLv2 !SSLv3
 smtpd_tls_protocols = !SSLv2 !SSLv3


-smtpd_relay_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_recipient, rej
+smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, rej
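Review bot: both the `-` and the `+` line are cut off at `rej`, so the full `smtpd_relay_restrictions` list cannot be reviewed; please paste the complete line. The visible change, `permit_sasl_authenticated` inserted right after `permit_mynetworks`, is the standard way to let authenticated users relay, but because `smtpd_sasl_auth_enable = yes` lives in main.cf it applies to port 25 as well as submission unless master.cf overrides it, so the text should state on which ports AUTH is offered.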
--- a/postfix/sasl/smtpd.conf
+++ b/postfix/sasl/smtpd.conf
@@ -1,2 +1,5 @@
-pwcheck_method: saslauthd
+pwcheck_method: auxprop saslauthd
-mech_list: plain login
+mech_list: plain login gssapi
+log_level: 0
+keytab: /etc/smtp.keytab
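Review bot: `log_level: 0` silences Cyrus SASL logging for smtpd, which hides exactly the GSSAPI and keytab errors one needs while the setup is not yet working; leave it at the default until SSO is confirmed and lower it afterwards. The `auxprop` added to `pwcheck_method` plays no role in GSSAPI (the mechanism is verified against `keytab: /etc/smtp.keytab`, not by a password check) and only has an effect with an auxprop plugin configured, so either document that plugin or keep `pwcheck_method: saslauthd` as it was.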

Now thunderbird detects my imap server with STARTTLS and GSSAPI. For
SMTP it uses STARTTLS and login, but I can switch it to GSSAPI manually
and can send and receive mails.

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
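A way to verify the result of the procedure above from the client side, added here as an example and not code from the post, Kolab, Cyrus or Postfix: parse the mechanisms a server advertises before and after STARTTLS and flag PLAIN/LOGIN on the unencrypted session. The server responses are constructed to mirror the posted settings (`allowplaintext: no` on IMAP; `broken_sasl_auth_clients = yes` and, assuming the Postfix default `smtpd_tls_auth_only = no`, AUTH announced before STARTTLS on SMTP).

```python
"""Audit the SASL mechanisms a mail server advertises before and after STARTTLS."""

PLAINTEXT = {"PLAIN", "LOGIN"}

# Constructed IMAP CAPABILITY lines, as a client would see them.
IMAP_BEFORE_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR"
IMAP_AFTER_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR"

# Constructed SMTP EHLO responses ("250-" continuation lines, "250 " final line).
SMTP_BEFORE_TLS = ["250-jupiter.jochen.org", "250-PIPELINING", "250-STARTTLS",
                   "250-AUTH PLAIN LOGIN GSSAPI", "250-AUTH=PLAIN LOGIN GSSAPI", "250 8BITMIME"]
SMTP_AFTER_TLS = ["250-jupiter.jochen.org", "250-PIPELINING",
                  "250-AUTH PLAIN LOGIN GSSAPI", "250-AUTH=PLAIN LOGIN GSSAPI", "250 8BITMIME"]


def imap_mechs(capability_line):
    """Return (mechanisms, login_disabled) parsed from one CAPABILITY line."""
    tokens = {t.upper() for t in capability_line.split()}
    mechs = {t[5:] for t in tokens if t.startswith("AUTH=")}
    return mechs, "LOGINDISABLED" in tokens


def smtp_mechs(ehlo_lines):
    """Return the mechanisms from an EHLO response, accepting both the
    RFC 4954 'AUTH <mechs>' form and the legacy 'AUTH=<mechs>' line that
    broken_sasl_auth_clients = yes adds."""
    mechs = set()
    for line in ehlo_lines:
        body = line[4:].strip().upper()          # drop the "250-" / "250 " prefix
        if body.startswith("AUTH ") or body.startswith("AUTH="):
            mechs |= set(body[5:].split())
    return mechs


def assess(before_tls, after_tls):
    """GSSAPI must be offered; PLAIN/LOGIN should appear only once encrypted."""
    return {
        "gssapi_offered": "GSSAPI" in after_tls,
        "plaintext_before_tls": sorted(before_tls & PLAINTEXT),
        "plaintext_after_tls": sorted(after_tls & PLAINTEXT),
    }


def check_imap():
    return assess(imap_mechs(IMAP_BEFORE_TLS)[0], imap_mechs(IMAP_AFTER_TLS)[0])


def check_smtp():
    return assess(smtp_mechs(SMTP_BEFORE_TLS), smtp_mechs(SMTP_AFTER_TLS))


if __name__ == "__main__":
    print("IMAP:", check_imap())   # plaintext mechanisms only after STARTTLS
    print("SMTP:", check_smtp())   # PLAIN/LOGIN also announced before STARTTLS
```

Replace the constructed strings with the real responses captured from the server (the IMAP greeting's CAPABILITY and the EHLO reply, each before and after STARTTLS) to audit a live installation.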
