Igor Brezac wrote:
SASL/EXTERNAL is what you want although I have to not tried it. OpenLDAP works great. In theory, the CN part of the client certitificate subject needs to be a valid mailbox. You can test this with imtest -t client_cert_file -m EXTERNAL .... I assume that you have SSL/TLS working.
Yes, I do have that working. I'll test with SASL/EXTERNAL, it sounds like exactly what I need. I don't really want the CN to be the mailbox name, though, I'd rather have SASL/EXTERNAL work off the email address embedded in the certificate.
Your bigger issue is to find a client that supports SASL/EXTERNAL. I do not believe c-client library (this is what drives IMP/Horde via PHP) supports SASL/EXTERNAL, so this is what you need to start hacking.
That's been my plan; c-client is very simple, and I've already hacked Horde to get the PEM-encoded client cert from Apache and store it in a session variable, so I can extract it out in IMP and pass it to c-client. If I get it working I'll post the results :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
