First, please do not top-post again. If you don't know what that means, you need to review the mailing list posting guidelines which you were asked to when you subscribed to this list.

>>> I have a plone 4.1.4 (CMS) installation, and a squirrel mail web client
>>> running on different machines but under the same domain, say
>>> intranet.mydomain.com and webmail.mydomain.com
>>>
>>> I am trying to implement a SSO for this plone intranet site and Squirrel
>>> Mail client. (The plone site is integrated with LDAP server. Both Plone
>>> site and Squirrel mail refer to the same user credentials in this LDAP
>>> server.)
>>>
>>> What configurations/additional work do I have to make for the SM instance
>>> for SSO to work from plone site, so clicking a link in the plone site
>>> to the squirrel mail site should log in to the squirrel mail client so
>>> users can see their emails, without signing in again at the squirrel mail
>>> login page.
>>>
>>> Please give your guidance/workarounds how to accomplish this SSO for
>>> Squirrel Mail.
>>
>> You could try to hack something into one or the other of these two
>> applications (or both) so that they understand each other's cookies,
>> for example (still may present problems authenticating against the
>> IMAP server - keep in mind that SquirrelMail passes authentication to
>> the IMAP server, so it MUST have a username and password to
>> authenticate with, and in that sense, it's far smarter to ask how to
>> modify plone to understand when a user has been authenticated via
>> SquirrelMail), but the more robust way to handle this is to find a SSO
>> authentication implementation that both applications are compatible
>> with. Shibboleth is one popular example, but there are others. Do
>> your homework.
>> There is a SquirrelMail plugin that is compatible with
>> some such authentication systems that will be available soon - but it
>> is not trivial to set this kind of system up because you must be able
>> to integrate it with your IMAP server too.
>
> List,

Or you could address me, who last replied to you.

> I have enabled in the plone site the cookie sharing for mydomain.com
> and shared a secret is there "blah"
>
> Now in the server machine for apache I enabled mod_auth_tkt (the
> plone version supports mod_auth_tkt compatible systems.)
>
> The plone site and SM both run in the same machine under the same
> apache where mod_tkt is loaded.
>
> Vhost entry for Squirrel mail
>
> <VirtualHost *:80>
>     ServerAdmin webmaster@xxxxxxxxxxxx
>     DocumentRoot /usr/local/www/SquirrelMail
>     ServerName webmail.mydomain.com
>     ServerAlias webmail.mydomain.com
>     TKTAuthSecret "blah"
>     <Location /src/login.php>
>         TKTAuthIgnoreIP on
>         TKTAuthDebug 2
>         TKTAuthDomain .mydomain.com
>         TKTAuthTimeout 2w
>         TKTAuthCookieExpires 2w
>         TKTAuthRequireSSL off
>         TKTAuthCookieSecure off
>     </Location>
>     ErrorLog /var/log/httpd-error.log
>     CustomLog /var/log/httpd-access.log combined
> </VirtualHost>
>
> There is an existing IMAP account user: kkchn@xxxxxxxxxxxxxxxxxxxx
> password: mypass
>
> Then I created the same user kkchn@xxxxxxxxxxxxxxxxxxxx in Plone
> Site with the same password "mypass"
>
> Restarted apache
>
> I logged in to the plone site (intranet.mydomain.com) with the
> user name "kkchn@xxxxxxxxxxxxxxxxxxxx" with "mypass" and clicked
> the link for webmail.mydomain.com but it prompts me for username
> and password.
>
> Am I missing any configuration other than the above in the Squirrel
> Mail virtualhost config? Or is any additional work required?

Did you read my response to you?
I said: "There is a SquirrelMail plugin that is compatible with some such authentication systems that will be available soon - but it is not trivial to set this kind of system up because you must be able to integrate it with your IMAP server too."

So why do you expect it to work without said plugin? (You can ask me for a test copy offlist.)

Moreover, how is it you plan to get the user authenticated against the IMAP server? Last I looked at mod_auth_tkt (IMO not the best SSO implementation), the only way for you to make that work is to have SquirrelMail validate the mod_auth_tkt session and pass a shared secret to the IMAP server using a SASL PLAIN login, where you have configured the IMAP server to allow these kinds of logins (sans the user password, which is unavailable to SquirrelMail from mod_auth_tkt). One example of an IMAP setup that can handle that is a Dovecot master user scenario (in conjunction with the SquirrelMail plugin I referenced).

> This is my Virtual host configuration for Plone site.
>
> <VirtualHost *:80>
>     ServerAdmin kk@xxxxxxxxxxxxxxxxxxxx
>     ServerName intranet.mydomain.com
>     RewriteEngine On
>     RewriteRule ^/(.*) http://127.0.0.1:8081/VirtualHostBase/http/intranet.mydomain.com:80/Intranet/VirtualHostRoot/$1 [L,P]
>     ErrorLog /var/log/apache/intranet.mydomain.com/error_log
>     CustomLog /var/log/apache/intranet.mydomain.com/access.log combined
> </VirtualHost>
>
> Please shed some light on this regard.
>

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
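The flow described in the reply above (validate the mod_auth_tkt ticket, then log in to IMAP on the user's behalf with SASL PLAIN and a master credential), sketched as an added example; this is not the SquirrelMail plugin's code and not from the original thread. It assumes mod_auth_tkt's default MD5 ticket layout, an already-decoded cookie value, and a Dovecot master user whose name and secret here are constructed placeholders.

```python
import base64, hashlib, hmac, socket, struct

def ticket_digest(secret, uid, ts, ip="0.0.0.0", tokens=b"", data=b""):
    # Layout assumed from mod_auth_tkt's documented default (MD5) ticket format.
    # ip stays 0.0.0.0 because the posted config sets TKTAuthIgnoreIP on.
    packed = socket.inet_aton(ip) + struct.pack("!I", ts)
    inner = hashlib.md5(packed + secret + uid + b"\0" + tokens + b"\0" + data)
    return hashlib.md5(inner.hexdigest().encode() + secret).hexdigest()

def make_ticket(secret, uid, ts):
    # Only used to build constructed sample tickets for this example.
    return (ticket_digest(secret, uid, ts) + "%08x" % ts).encode() + uid + b"!"

def validate_ticket(ticket, secret, now, timeout):
    """Return the uid from a decoded ticket, or None if it must be rejected."""
    if len(ticket) < 42 or b"!" not in ticket[40:]:
        return None
    digest, ts_hex = ticket[:32], ticket[32:40]
    uid, _, tail = ticket[40:].partition(b"!")
    tokens, sep, data = tail.partition(b"!")
    if not sep:                      # no token list: everything is user data
        tokens, data = b"", tail
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    expected = ticket_digest(secret, uid, ts, tokens=tokens, data=data).encode()
    if not hmac.compare_digest(expected, digest):
        return None                  # forged or altered ticket
    if not 0 <= now - ts <= timeout:
        return None                  # expired, or timestamp in the future
    if not uid or b"\0" in uid:
        return None                  # NUL would corrupt the SASL PLAIN message
    return uid

def sasl_plain_master(user, master_user, master_secret):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd, base64 for IMAP."""
    msg = user + b"\0" + master_user + b"\0" + master_secret
    return base64.b64encode(msg).decode()

def imap_credentials(ticket, tkt_secret, master_user, master_secret, now,
                     timeout=14 * 24 * 3600):   # 2w, as in TKTAuthTimeout
    uid = validate_ticket(ticket, tkt_secret, now, timeout)
    return None if uid is None else sasl_plain_master(uid, master_user, master_secret)
```

The returned string is what would follow `AUTHENTICATE PLAIN` on the IMAP connection; the user's own password never appears, which is why the IMAP server has to be configured to accept the master credential.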