Mailing List Message #92744
From: Roland Hordos <>
Subject: RE: Passwords
Date: Wed, 26 Sep 2007 09:04:59 -0600
To: CommuniGate Pro Discussions (E-mail) <>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.9/1.2.9
Another PAM module that works well is the pam_smb (Samba) module, which
took minutes to setup and has run flawlessly for us for 100 user-years
(like kilowatt hours ;).  A Linux box that is a domain member will
transparently authenticate to Active Directory via external auth -> pam
-> winbind, and password changes are noticed immediately.  Like the
other external auth methods, and as Graeme mentioned, SASL doesn't work
because it needs a copy of the password.  However we can still run CG
with the "Secure Only" authentication option, as there's an encrypted
_connection_ mechanism for every protocol.


-----Original Message-----
From: Graeme Fowler []
Sent: Tuesday, September 25, 2007 10:35 AM
Subject: Re: Passwords

On Tue, 2007-09-25 at 16:44 +0100, Martin.Hepworth wrote:
> and other things in archive about handling AD/Kerberos authentication

Bearing in mind that Darren has been chewing his own legs off in the
past over the local inability (not his, but local nonetheless) to get
full client/server Kerberos to work, might I suggest that:

1. If you (Darren) are running CGP on Linux, then you can use the PAM
module pam_krb5 to authenticate against your Active Directory for you
via an external authenticator. This is what we do for Webmail.

2. If you (Darren) are running CGP on Windows, then run it on a domain
controller or promote your CGP server to be a domain controller and then
authenticate against the local system.

Alternatively, use the method John Rudd just posted.

Our external authenticator does something similar to that simply so we
have a copy of up-to-date passwords kept within CGP itself - this way we
can make use of challenge/response or SASL methods such as those used by
SIP, XIMSS et al.


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster