I'm trying to come up with a configuration of Horde/IMP and Cyrus 2.2.x that will be easy to use and easy to manage :-) (I've got a number of these systems to set up).

So far, I have been successful using client certificates to identify users to Apache 2.0.x, and using a custom Horde auth module I can pass that identity information into Horde (and all its apps except IMP) without trouble. This is nice: it keeps the users from having to "log in" to Horde; as long as they are using a browser where they have installed the certificate that I supply them, they are all set.

However, IMP needs to be able to log in to Cyrus IMAP, and that's where things break down. Even though Cyrus IMAP supports IMAP-over-TLS, which uses a certificate to identify the server, it does not appear that it knows anything about client certificates (to say nothing of the fact that I'd have to hack c-client to allow it to send the client certificate to Cyrus, but I can do that). Ideally I'd like to be able to connect to the IMAP port, issue STARTTLS, supply a client certificate and have it validated the same way that Apache does, and once that is done I have both a TLS encrypted session _and_ I'm already logged into IMAP with the email address embedded in my certificate being my authenticated/authorized name.

I will also need to support password-based authentication for cases where the user is not using a browser with their custom certificate installed, but since they will be doing so 99% of the time I'd like to avoid them having to enter a username/password to get into Horde/IMP.

Any thoughts on how difficult it would be to get Cyrus IMAP to accept a client certificate, validate it and automatically "log in" the user once that is done? I'll happily contribute the code back to CMU if I get it working, but I thought I'd ask the gurus for their opinions before I tried to tackle it :-)
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
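The client side of the flow described above (connect, STARTTLS with a client certificate, then authenticate as the identity the certificate carries, with a password fallback), as an added example that is not part of the original post or of Cyrus/IMP. It assumes an IMAP server that verifies client certificates during STARTTLS and advertises the SASL EXTERNAL mechanism afterwards; host names and file paths are placeholders.

```python
"""IMAP STARTTLS + client-certificate login (SASL EXTERNAL), with password fallback.

Added example.  Assumes the IMAP server verifies the client certificate
during the TLS handshake and then advertises AUTH=EXTERNAL; host names and
file paths are placeholders.
"""
import imaplib
import ssl


def build_client_context(cafile, certfile, keyfile=None):
    """TLS context that verifies the server against `cafile` and presents the
    same client certificate the browser already presents to Apache."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def choose_mechanism(capabilities, have_cert):
    """Pick an authentication method from the post-STARTTLS CAPABILITY list.

    'EXTERNAL' when the server offers it and we presented a certificate,
    'PASSWORD' for the no-certificate case; raises if the server has
    disabled plaintext login on this connection, so no password is ever sent
    where it would be rejected or exposed."""
    caps = {c.upper() for c in capabilities}
    if have_cert and 'AUTH=EXTERNAL' in caps:
        return 'EXTERNAL'
    if 'LOGINDISABLED' in caps:
        raise RuntimeError('server refuses password login on this connection')
    return 'PASSWORD'


def imap_login(host, ctx, user=None, password=None, port=143):
    """Connect in the clear, upgrade with STARTTLS (the client certificate is
    sent in the handshake), then log in as the certificate's identity, or fall
    back to username/password when no certificate was loaded."""
    conn = imaplib.IMAP4(host, port)
    if 'STARTTLS' not in conn.capabilities:
        raise RuntimeError('no STARTTLS offered; refusing to send credentials')
    conn.starttls(ssl_context=ctx)       # imaplib re-reads CAPABILITY afterwards
    mech = choose_mechanism(conn.capabilities, have_cert=password is None)
    if mech == 'EXTERNAL':
        # Empty SASL response: "authenticate me as whoever the TLS cert says I am"
        conn.authenticate('EXTERNAL', lambda challenge: b'')
    else:
        conn.login(user, password)       # only ever sent inside the TLS session
    return conn
```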
