Discussion:
[Kolab-devel] Kolab and FreeIPA article
kvaps
2018-10-04 11:00:04 UTC
OK, here is my article about Kolab and FreeIPA integration:

https://medium.com/@kvapss/install-kolab-and-integrate-it-with-freeipa-c80c3b34b7b7

- kvaps
Login Failed
The external account ("GitHub") you just authenticated with is not
configured to allow registration on this Phabricator install. An
administrator may have recently disabled it.
NP, I'll write it to Medium then, and share it here.
Yeah I guess the most important part is to write it down somewhere :)
When you have something to share, please do, we'll give feedback!
Thanks,
-- Pasi
- kvaps
Hi, I have a success story about integrating Kolab with FreeIPA.
I want to write a howto article for docs.kolab.org about it.
How can I get access to https://git.kolab.org to make it possible to send a PR
to you?
On that page click on the top right "Log In". In the next page you can
either create a local account or log in with github, facebook, google,
or twitter.
I'm also running both Kolab and FreeIPA - you could also post your
article here.
Yep, please share your notes about Kolab + FreeIPA!
Thanks,
-- Pasi
Jochen
_______________________________________________
devel mailing list
https://lists.kolab.org/mailman/listinfo/devel
Jochen Hein
2018-10-05 20:31:07 UTC
I'll just add the parts where I use FreeIPA. Let's start with TLS for
IMAP:

# My kolab/IMAP server is available under three names:
# - physical hostname jupiter.example.org
# - logical hostname kolab3.example.org (when moving from kolab2 to kolab3 :-)
# - DNS alias imap.example.org
#
# I'd like to have SSO working for imap.example.org,
# thunderbird detects that automatically. (That's subject of another config)
#
# We use kerberos principal aliases here (since FreeIPA 4.4.0), so one
# service entry carries all three names:
#
# ipa service-add imap/jupiter.example.org
# ipa service-add-principal imap/jupiter.example.org imap/kolab3.example.org
# ipa service-add-principal imap/jupiter.example.org imap/imap.example.org
#
# Now we can get the certificate...
# -N is the subject, -D adds one SAN per name the clients connect to,
# -K names the FreeIPA service entry the certificate belongs to,
# -U 1.3.6.1.5.5.7.3.1 is the serverAuth EKU, and -C is the command
# certmonger runs after every (re)issue so the daemons pick up the new files.
ipa-getcert request -f /etc/ssl/certs/imap.example.org.crt -k /etc/ssl/private/imap.example.org.key \
  -N "CN=jupiter.example.org" \
  -D imap.example.org \
  -D kolab3.example.org \
  -K imap/jupiter.example.org \
  -U 1.3.6.1.5.5.7.3.1 -C "/root/refresh_postfix_certificate.sh"

# Fix permissions: only cyrus needs to read the private key, the cert is public
chown cyrus /etc/ssl/private/imap.example.org.key
chmod 644 /etc/ssl/certs/imap.example.org.crt

# The following lines in /etc/imapd.conf are needed to use the certificate
# (tls_client_ca_file points at the IPA CA so client certs from the realm verify):
# tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
# tls_server_cert: /etc/ssl/certs/imap.example.org.crt
# tls_server_key: /etc/ssl/private/imap.example.org.key
# tls_client_ca_file: /etc/ipa/ca.crt

# Restart cyrus
systemctl restart cyrus-imapd.service
--
This space is intentionally left blank.
Jochen Hein
2018-10-05 20:52:19 UTC
Here's what is needed to activate SSO with IMAP. Thunderbird works
fine. Feedback and comments are welcome - sasl config has been tricky.

# IMAP: fetch the imap service key from FreeIPA into a keytab of its own
ipa-getkeytab -p imap/***@EXAMPLE.ORG -k /etc/cyrus.keytab
# keytab is only accessible for cyrus
chmod 600 /etc/cyrus.keytab
chown cyrus:root /etc/cyrus.keytab

# sieve: separate principal and keytab for the managesieve service
ipa-getkeytab -p sieve/***@EXAMPLE.ORG -k /etc/sieve.keytab
# keytab is only accessible for cyrus
chmod 600 /etc/sieve.keytab
chown cyrus:root /etc/sieve.keytab

# That's what is needed in /etc/imapd.conf:
# sasl_mech_list: PLAIN LOGIN GSSAPI          (GSSAPI is what Thunderbird uses for SSO)
# sasl_keytab: /etc/cyrus.keytab
# sasl_saslauthd_path: /var/run/saslauthd/mux (PLAIN/LOGIN still go through saslauthd)
# sieve_sasl_keytab: /etc/sieve.keytab
# loginrealms: EXAMPLE.ORG
--
This space is intentionally left blank.
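Added example, not from Jochen's posts or from Kolab/Cyrus: a small Python audit script that checks an imapd.conf fragment for the settings the two posts above require (the tls_* files, GSSAPI in sasl_mech_list, the keytab paths, loginrealms) and verifies that a keytab has the permissions the chmod/chown lines intend. The conf fragments and keytab files are constructed for the demo; the parser assumes Cyrus's "option: value" syntax with lines starting with "#" as comments.

```python
"""Audit imapd.conf settings and keytab permissions for the FreeIPA-backed
Cyrus TLS + GSSAPI setup (added example; all sample data is constructed)."""
import os
import stat
import tempfile

# Settings the two posts say /etc/imapd.conf needs for TLS and Kerberos SSO.
REQUIRED_KEYS = (
    "tls_server_cert", "tls_server_key", "tls_client_ca_file",
    "sasl_mech_list", "sasl_keytab", "sieve_sasl_keytab", "loginrealms",
)

# Constructed imapd.conf fragment that matches the posts.
GOOD_CONF = """\
# TLS
tls_ciphers: TLSv1+HIGH:!aNULL:@STRENGTH
tls_server_cert: /etc/ssl/certs/imap.example.org.crt
tls_server_key: /etc/ssl/private/imap.example.org.key
tls_client_ca_file: /etc/ipa/ca.crt
# SASL / GSSAPI
sasl_mech_list: PLAIN LOGIN GSSAPI
sasl_keytab: /etc/cyrus.keytab
sasl_saslauthd_path: /var/run/saslauthd/mux
sieve_sasl_keytab: /etc/sieve.keytab
loginrealms: EXAMPLE.ORG
"""

# Constructed broken variant: IPA CA file dropped and GSSAPI removed from the mech list.
BAD_CONF = (
    GOOD_CONF.replace("tls_client_ca_file: /etc/ipa/ca.crt\n", "")
    .replace("sasl_mech_list: PLAIN LOGIN GSSAPI", "sasl_mech_list: PLAIN LOGIN")
)


def parse_imapd_conf(text):
    """Parse Cyrus 'option: value' lines; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed imapd.conf line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def audit_conf(conf, realm):
    """Return a list of problems; an empty list means the fragment matches the posts."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in conf]
    mechs = conf.get("sasl_mech_list", "").split()
    if "GSSAPI" not in mechs:
        problems.append("sasl_mech_list does not offer GSSAPI, so Kerberos SSO cannot work")
    if "loginrealms" in conf and realm not in conf["loginrealms"].split():
        problems.append(f"loginrealms does not list {realm}")
    return problems


def keytab_problems(path, owner_uid=None):
    """A keytab holds the service's long-term key: it must be a regular file,
    mode 0600, and owned by the uid the service runs as (cyrus in the posts)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if mode & 0o077:
        problems.append(f"{path}: readable by group/others (mode {mode:04o}), expected 0600")
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    return problems


def demo_keytab_check():
    """Create two throwaway files standing in for /etc/cyrus.keytab and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o644):
            path = os.path.join(tmp, f"cyrus-{mode:o}.keytab")
            with open(path, "wb") as fh:
                fh.write(b"\x05\x02")  # keytab format version header only; not a real keytab
            os.chmod(path, mode)
            results[f"{mode:o}"] = keytab_problems(path, owner_uid=os.getuid())
    return results


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, audit_conf(parse_imapd_conf(text), "EXAMPLE.ORG") or "OK")
    for mode, problems in demo_keytab_check().items():
        print(mode, problems or "OK")
```

On a real server you would feed the script the contents of /etc/imapd.conf and point keytab_problems() at /etc/cyrus.keytab and /etc/sieve.keytab with the cyrus uid; a group- or world-readable keytab is the failure mode the chmod 600 lines in the post exist to prevent, and a mech list without GSSAPI is the usual reason Thunderbird silently falls back to password authentication.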