
Utilizing Existing Kerberos Realm

Posted: Wed Apr 05, 2006 5:17 pm
by dresdn
Hello.

We're currently evaluating Scalix 10 and so far, so good! However, one of the things that I'm unable to figure out is how to get Scalix to utilize our existing Kerberos realm for authentication. I've searched the knowledge base, but it just seems to be the same information from the Administration Guide (under Non-SSO Kerberos Authentication).

From what I can tell, using the Non-SSO steps and ormkrbinstall, it actually creates a *new* realm. I don't want that as we don't need a realm specific to just Scalix. I have a box already set up as the main KDC and admin, and another box set up as my secondary KDC.

So my question is, does Scalix support this, and if so, what command should I be looking at in order to get it to utilize my current realm?

Thanks!

-Mike

Posted: Wed Apr 05, 2006 6:22 pm
by dresdn
Looking at it again, I completely skipped the Single Sign-on steps (since I don't have AD or use IE), but in looking at it, the principles are the same. I just mimicked what omaddprincs does and used the ommergekeys from the generated keytab file.

Then using the rest of the SSO steps, I was able to map my users' authids to the appropriate Kerberos principal.

On a side note, can anyone point me to some documentation regarding password expiration/changing using Kerberos?

Thanks!

-Mike

Posted: Thu Apr 06, 2006 7:58 am
by ScalixSupport
Hi,

You mean password expiration on Scalix? With Kerberos, there are no passwords to expire. It depends on where your KDC is and how it is configured on that side - maybe I am misunderstanding, though.

Cheers,

Sascha.

Posted: Thu Apr 06, 2006 1:33 pm
by dresdn
I think this is my fault for not really explaining myself well. We're going to be using Kerberos authentication if (more like when) we start using Scalix. Right now we don't have a very good policy in place on the KDC for all our accounts.

Does Scalix support changing Kerberos passwords (if they expire, if the user wants a new one, etc.), or do I have to come up with an alternate way for people to do this?

We're going to be accessing Scalix mainly through the web interface, so that is why I am asking the question here.

-Mike

Posted: Thu Apr 06, 2006 3:05 pm
by ScalixSupport
Kerberos password changing is provided through the om_krb5 pam module. So, if you've set up external authentication with Kerberos, you're going to be fine.

Cheers

Dave