Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-06 Thread Robert Marcano

On 02/03/2012 03:01 AM, Dale Macartney wrote:



> Hi Craig
>
> I am actually working on this very thing at the moment.
>
> there is a very basic config here
> (http://freeipa.org/page/Dovecot_Integration), however this is using pam
> for everything
>
> The end goal of course is sso in which I have managed to get gssapi for
> authentication working and pam is used for the user lookups..
>
> Here is what I have in a working state on rhel 6.2
>
> #

In order to use GSSAPI authentication from dovecot directly, I only need 
to set this:


auth_gssapi_hostname = hostname.example.com
auth_krb5_keytab = /etc/imap.keytab
auth_mechanisms = gssapi login

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-06 Thread Robert Marcano

On 02/03/2012 03:43 AM, Natxo Asenjo wrote:


> further you do not need to have the Maildirs on the users' homedirs:
>
> http://wiki.dovecot.org/Authentication/Kerberos
> <quote>
> If you only want to use Kerberos ticket-based authentication:
>
> auth default {
>    mechanisms = gssapi
>    userdb static {
>      args = uid=vmail gid=vmail home=/var/vmail/%u
>    }
> }
> </quote>
>
> I have not tested it, but then you could have all the Maildirs in the
> imap server.



In order to have mail outside the user HOME, I use this

mail_location = 
maildir:/var/vmail/%u:INDEX=/var/vmail/index/%u:CONTROL=/var/vmail/control/%u


INDEX and CONTROL are not needed, I add those because we have filesystem 
quotas enabled, in this case INDEX and CONTROL files must be located 
outside the quota enabled filesystem to avoid problems like the user 
being unable to login to dovecot in order to free space


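As an added example (not code from any poster in this thread): a small POSIX shell helper that renders the Dovecot 2.x settings Robert gives in his two replies above (GSSAPI authentication from a keytab, mail with INDEX and CONTROL under a vmail tree, and a static userdb) and a pre-flight check that the vmail directories exist and that neither they nor the keytab are accessible to other users. The vmail base directory, GSSAPI hostname and keytab path are parameters; the values in the usage lines are placeholders, and `stat -c` assumes GNU coreutils as on RHEL.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a Dovecot 2.x conf.d fragment for
# Kerberos (GSSAPI) logins with mail kept under a vmail tree instead of $HOME,
# plus a pre-flight check to run before "service dovecot restart".

# render_vmail_conf BASE GSSAPI_HOSTNAME KEYTAB
# Prints the fragment. %u is left literal for Dovecot to expand per user.
render_vmail_conf() {
  base=$1 host=$2 keytab=$3
  cat <<EOF
auth_mechanisms = gssapi
auth_gssapi_hostname = $host
auth_krb5_keytab = $keytab
# index/control live outside the (quota-enabled) mail filesystem
mail_location = maildir:$base/%u:INDEX=$base/index/%u:CONTROL=$base/control/%u
userdb {
  driver = static
  args = uid=vmail gid=vmail home=$base/%u
}
EOF
}

# other_bits PATH: prints the "other" permission digit (0-7) of PATH
other_bits() {
  stat -c %a "$1" | sed 's/.*\(.\)$/\1/'
}

# vmail_preflight BASE KEYTAB
# Returns 0 when BASE, BASE/index and BASE/control exist and none of them,
# nor the keytab, is accessible to "other". Prints the first failing check.
vmail_preflight() {
  base=$1 keytab=$2
  for d in "$base" "$base/index" "$base/control"; do
    [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    [ "$(other_bits "$d")" = 0 ] || { echo "world-accessible: $d"; return 1; }
  done
  [ -f "$keytab" ] || { echo "missing keytab: $keytab"; return 1; }
  [ "$(other_bits "$keytab")" = 0 ] || { echo "world-readable keytab: $keytab"; return 1; }
  echo "preflight ok"
  return 0
}

# Usage (placeholder values):
#   render_vmail_conf /var/vmail mail.example.com /etc/dovecot/krb5.keytab > /etc/dovecot/conf.d/99-vmail.conf
#   vmail_preflight /var/vmail /etc/dovecot/krb5.keytab && service dovecot restart
```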


Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Dale Macartney




On 02/03/2012 08:02 AM, Natxo Asenjo wrote:
> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
> d...@themacartneyclan.com wrote:
>
>> I have been experimenting with how best to address this, however I am
>> constantly being pushed back to the only way of having a userdir that
>> actually exists would be a homedir which would be created when a user
>> first logs in.
>>
>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>> in the background) it will create the homedir with no problems and the
>> issue is resolved, however users should not *have to* interactively log
>> into a server just to allow them to access mail.
>>
>> my only thinking here is shared homedirs (nfs?) between clients and
>> servers, however my thoughts on this are if dovecot is redirecting a
>> user's mail to their homedir, then why do we need dovecot to access it
>> via imap when the mail will already appear in their homedir?
>>
>> does anyone have any thoughts on this?
>
> If you have an imap server instead of local mail, people do not have
> to login a desktop/text session to check their e-mail. They can access it
> from any imap client, even webmail.

agreed, however the issue at hand is that dovecot is failing to store
the mail anyway in order to make it accessible in the first place.

does anyone have any thoughts on how to have the homedirs auto created
(with the correct perms and selinux contexts) by a process/service that
is not initiated by the login process? oddjob and pam_mkhomedir do not
get involved here as it is not an interactive login. (I could be wrong,
however this is what I am seeing).

Dale





Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Natxo Asenjo
On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
> d...@themacartneyclan.com wrote:
>
>> I have been experimenting with how best to address this, however I am
>> constantly being pushed back to the only way of having a userdir that
>> actually exists would be a homedir which would be created when a user
>> first logs in.
>>
>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>> in the background) it will create the homedir with no problems and the
>> issue is resolved, however users should not *have to* interactively log
>> into a server just to allow them to access mail.
>>
>> my only thinking here is shared homedirs (nfs?) between clients and
>> servers, however my thoughts on this are if dovecot is redirecting a
>> user's mail to their homedir, then why do we need dovecot to access it
>> via imap when the mail will already appear in their homedir?
>>
>> does anyone have any thoughts on this?

further you do not need to have the Maildirs on the users' homedirs:

http://wiki.dovecot.org/Authentication/Kerberos
<quote>
If you only want to use Kerberos ticket-based authentication:

auth default {
  mechanisms = gssapi
  userdb static {
args = uid=vmail gid=vmail home=/var/vmail/%u
  }
}
</quote>

I have not tested it, but then you could have all the Maildirs in the
imap server.

-- 
natxo


Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-03 Thread Dale Macartney




On 02/03/2012 08:13 AM, Natxo Asenjo wrote:
> On Fri, Feb 3, 2012 at 9:02 AM, Natxo Asenjo natxo.ase...@gmail.com
> wrote:
>> On Fri, Feb 3, 2012 at 8:31 AM, Dale Macartney
>> d...@themacartneyclan.com wrote:
>>
>>> I have been experimenting with how best to address this, however I am
>>> constantly being pushed back to the only way of having a userdir that
>>> actually exists would be a homedir which would be created when a user
>>> first logs in.
>>>
>>> Yes, if you ssh to the dovecot server as the user (with oddjobd running
>>> in the background) it will create the homedir with no problems and the
>>> issue is resolved, however users should not *have to* interactively log
>>> into a server just to allow them to access mail.
>>>
>>> my only thinking here is shared homedirs (nfs?) between clients and
>>> servers, however my thoughts on this are if dovecot is redirecting a
>>> user's mail to their homedir, then why do we need dovecot to access it
>>> via imap when the mail will already appear in their homedir?
>>>
>>> does anyone have any thoughts on this?
>
> further you do not need to have the Maildirs on the users' homedirs:
>
> http://wiki.dovecot.org/Authentication/Kerberos
> <quote>
> If you only want to use Kerberos ticket-based authentication:
>
> auth default {
>   mechanisms = gssapi
>   userdb static {
>     args = uid=vmail gid=vmail home=/var/vmail/%u
>   }
> }
> </quote>
>
> I have not tested it, but then you could have all the Maildirs in the
> imap server.

just to clarify, I have just re-tested to verify... without the
mail_location the below message is present in maillog

Feb  3 08:32:37 mail04 dovecot: imap(user1): Error: user user1:
Initialization failed: mail_location not set and autodetection failed:
Mail storage autodetection failed with home=/home/user1
Feb  3 08:32:37 mail04 dovecot: imap(user1): Error: Invalid user
settings. Refer to server log for more information.



[Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-02 Thread Craig T
hi,

Has anyone set up Dovecot IMAP to work with IPA 2.x yet?
I'm thinking the best config would be to use:
* IMAPS between the mail clients and Dovecot server
* LDAPS with Passdb LDAP with authentication binds to connect to IPA?
  ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

cya

Craig



Re: [Freeipa-users] Dovecot IMAP with IPA 2.x?

2012-02-02 Thread Dale Macartney


Hi Craig

I am actually working on this very thing at the moment.

there is a very basic config here
(http://freeipa.org/page/Dovecot_Integration), however this is using pam
for everything

The end goal of course is sso in which I have managed to get gssapi for
authentication working and pam is used for the user lookups..

Here is what I have in a working state on rhel 6.2

#

yum install -y oddjob-mkhomedir
chkconfig oddjobd on
service oddjobd start

ipa-client-install -U -p admin -w redhat123 --mkhomedir

# configure dovecot
chkconfig dovecot on
sed -i 's/#protocols = imap pop3 lmtp/protocols = imap/g' /etc/dovecot/dovecot.conf
# '-' is the sed delimiter here because the replacement contains '/';
# the pattern matches the commented default line "#mail_location =" whole
sed -i 's-#mail_location =-mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u-g' /etc/dovecot/conf.d/10-mail.conf
# static userdb: every authenticated user is mapped to the dovecot uid/gid
echo 'userdb {' >> /etc/dovecot/conf.d/10-auth.conf
echo '  driver = static' >> /etc/dovecot/conf.d/10-auth.conf
echo '  args = uid=dovecot gid=dovecot home=/var/spool/mail/%u' >> /etc/dovecot/conf.d/10-auth.conf
echo '}' >> /etc/dovecot/conf.d/10-auth.conf
sed -i 's/auth_mechanisms = plain/auth_mechanisms = gssapi/g' /etc/dovecot/conf.d/10-auth.conf
# double quotes so that $(hostname) and $(hostname --domain) are expanded
sed -i "s/#auth_gssapi_hostname =/auth_gssapi_hostname = $(hostname)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i 's-#auth_krb5_keytab =-auth_krb5_keytab = /etc/dovecot/krb5.keytab-g' /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_realms =/auth_realms = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf
sed -i "s/#auth_default_realm =/auth_default_realm = $(hostname --domain)/g" /etc/dovecot/conf.d/10-auth.conf

kinit admin

# service principals for IMAP and IMAPS; their keys go into a keytab owned by dovecot
ipa service-add imap/$(hostname)
ipa service-add imaps/$(hostname)
ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
ipa-getkeytab -s ds01.example.com -p imaps/$(hostname) -k /etc/dovecot/krb5.keytab
chown dovecot:dovecot /etc/dovecot/krb5.keytab

service dovecot restart



By having the system tapped into the ipa domain, pam allows dovecot to
pass user lookups successfully. With the gssapi changes to
/etc/dovecot/conf.d/10-auth.conf and using a keytab for the service
principals, users can log in successfully without issue (I have only
tested this with gssapi at the moment)

successful authentication appears in /var/log/maillog as follows

Feb  2 22:50:45 mail04 dovecot: imap-login: Login:
user=us...@example.com, method=GSSAPI, rip=192.168.122.61,
lip=192.168.122.44, mpid=2216, TLS

the only issue I am presently facing is with the mail_location directive
in dovecot..

unless the users homedir actually exists you will get errors like this.

Feb  2 21:52:34 mail04 dovecot: imap(user1): Error: user user1:
Initialization failed: Initializing mail storage from mail_location
setting failed: mkdir(/home/user1/mail) failed: Permission denied
(euid=120163(user1) egid=120163(user1) missing +w perm: /home,
euid is not dir owner)

I have been experimenting with how best to address this, however I am
constantly being pushed back to the only way of having a userdir that
actually exists would be a homedir which would be created when a user
first logs in.

Yes, if you ssh to the dovecot server as the user (with oddjobd running
in the background) it will create the homedir  with no problems and the
issue is resolved, however users should not *have to* interactively log
into a server just to allow them to access mail.

my only thinking here is shared homedirs (nfs?) between clients and
servers, however my thoughts on this are if dovecot is redirecting a
user's mail to their homedir, then why do we need dovecot to access it
via imap when the mail will already appear in their homedir?

does anyone have any thoughts on this?

Dale


On 02/03/2012 04:33 AM, Craig T wrote:
> hi,
>
> Has anyone set up Dovecot IMAP to work with IPA 2.x yet?
> I'm thinking the best config would be to use:
> * IMAPS between the mail clients and Dovecot server
> * LDAPS with Passdb LDAP with authentication binds to connect to IPA?
>   ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
>
> cya
>
> Craig
