Mailing List CGatePro@mail.stalker.com Message #92736
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: Passwords
Date: Tue, 25 Sep 2007 15:39:29 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> On Tue, 2007-09-25 at 16:44 +0100, Martin.Hepworth wrote:
> > http://lists.communigate.com/Lists/CGatePro/Message/91168.html
> > and other things in archive about handling AD/Kerberos authentication well.
>
> Bearing in mind that Darren has been chewing his own legs off in the
> past over the local inability (not his, but local nonetheless) to get
> full client/server Kerberos to work, might I suggest that:
>
> 1. If you (Darren) are running CGP on Linux, then you can use the PAM
> module pam_krb5 to authenticate against your Active Directory for you
> via an external authenticator. This is what we do for Webmail.
>
> 2. If you (Darren) are running CGP on Windows, then run it on a domain
> controller or promote your CGP server to be a domain
> controller and then authenticate against the local system.

OS Password authentication (built in to CGPro) works even if the server is simply a member server in the domain. We set the account in the domain account defaults to *%addomain (ours is *%hq.wcg.org) and the authentication just works (as long as users don't try SASL methods).

Users still have to change the password stored in their Outlook account every time they change their Windows password. Kerberos would solve that, but I haven't had the time to get back to that. The big reason it failed to begin with is that my CGPro server address resolves to a public address and Kerberos requires it to resolve to the private (behind firewall) address. I'm fairly sure the rest can be worked out now that I've solved the basic block on it, and perhaps this will help Darren too.

>
> Alternatively, use the method John Rudd just posted.
>
> Our external authenticator does something similar to that simply so we
> have a copy of up-to-date passwords kept within CGP itself - this way we
> can make use of challenge/response or SASL methods such as those used by
> SIP, XIMSS et al.


Bret
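
Added example, not part of Bret's message and not CommuniGate Pro code: a Python check, meant to be run from a client inside the firewall, of the condition described above (the server name resolving to a public rather than a private address). The host names and addresses are constructed sample data, and the reverse-lookup comparison is an assumption that applies to Kerberos clients that canonicalize host names through reverse DNS.

```python
import ipaddress
import socket

# RFC 1918 IPv4 ranges plus IPv6 unique-local space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample data (hypothetical names, documentation/private addresses).
SAMPLE_FORWARD = {"mail.example.org": ["203.0.113.10"],
                  "mail.hq.example.org": ["10.1.2.3"]}
SAMPLE_REVERSE = {"203.0.113.10": "gw.isp.example.net",
                  "10.1.2.3": "mail.hq.example.org"}

def system_forward(name):
    """IP addresses the local resolver returns for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def system_reverse(addr):
    """PTR name for addr, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def check_service_name(name, forward=system_forward, reverse=system_reverse):
    """List DNS findings for the name clients use to reach the mail server."""
    try:
        addrs = forward(name)
    except OSError as exc:
        return [f"{name}: forward lookup failed ({exc})"]
    findings = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in PRIVATE_NETS):
            findings.append(f"{name} -> {addr}: not a private address")
        ptr = reverse(addr)
        if ptr is None:
            findings.append(f"{addr}: no reverse (PTR) record")
        elif ptr.rstrip(".").lower() != name.rstrip(".").lower():
            findings.append(f"{addr}: reverse lookup gives {ptr}, not {name}")
    return findings

if __name__ == "__main__":
    for host in SAMPLE_FORWARD:
        print(host, check_service_name(host, SAMPLE_FORWARD.__getitem__,
                                       SAMPLE_REVERSE.get) or "OK")
```

Calling check_service_name with only a host name uses the system resolver, so the result reflects what that particular machine sees.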


