Hi,
Thanks for this product, which seems to be the one we need.
I have 2 questions :
1) We use CAS for Single Sign On : http://www.ja-sig.org/products/cas/ Is there any way to have cas support in Scalix ?
2) We use another mail server, I've seen feature request about support for external imap server in the webmail, any information about that ?
If not, is there an easy way to suppress the "mail" view, to only have the calendar view ?
Thanks in advance, and thanks again for this product.
Scalix and SSO / imap
Moderators: ScalixSupport, admin
-
Valerion
- Scalix Star
- Posts: 2730
- Joined: Thu Feb 26, 2004 7:40 am
- Location: Johannesburg, South Africa
- Contact:
SWA has no way to implement SSO, as the browser does not pass a Kerberos ticket properly. However, if you configured authentication correctly it will use the external authentication source. In addition you will need a PAM module capable of authenticating against this on your server.
SWA uses proprietary extensions to the IMAP protocol to get calendaring and contact information. As such it cannot work against a non-Scalix IMAP server as the capabilities it needs are simply not present.
No, you cannot suppress the Mail view as virtually all those using Scalix and SWA needs it, so I doubt there's a large demand for this.
SWA uses proprietary extensions to the IMAP protocol to get calendaring and contact information. As such it cannot work against a non-Scalix IMAP server as the capabilities it needs are simply not present.
No, you cannot suppress the Mail view as virtually all those using Scalix and SWA needs it, so I doubt there's a large demand for this.
-
noritaka
Thanks for your reply.
If I understand correctly, I can use an external Ldap source, but I can't use cas sso. Do you have an idea how much would it cost to implement CAS ? and who would do that ?
About imap, it's bad news, because we can't rely on a single product like scalix to manage our mail, it's too important for us, and we can't rely only on a proprietary product.
Maybe it should be possible to use proprietary extensions and server to manage calendaring information, and standard capabilities for the mail ?
Thanks again.
If I understand correctly, I can use an external Ldap source, but I can't use cas sso. Do you have an idea how much would it cost to implement CAS ? and who would do that ?
About imap, it's bad news, because we can't rely on a single product like scalix to manage our mail, it's too important for us, and we can't rely only on a proprietary product.
Maybe it should be possible to use proprietary extensions and server to manage calendaring information, and standard capabilities for the mail ?
Thanks again.
-
Valerion
- Scalix Star
- Posts: 2730
- Joined: Thu Feb 26, 2004 7:40 am
- Location: Johannesburg, South Africa
- Contact:
For Outlook (and likely a standalone IMAP client) SSO is implemented for Kerberos. If CAS conforms to the Kerberos v5 standard, you should be able to get it to work there. If it uses something else, you can still try to find a Linux PAM module for it. If you can, then Scalix can authenticate fine and SSO becomes the responsibility of the PAM module and the workstation. In that scenario you should be able to solve the issue, but CAS will have to assist you there. It will depend on what they use more than anything else.
Scalix can authenticate against any PAM module, it's not limited to LDAP.
Unfortunately the Scalix web client is intended to be used only on a licensed Scalix server (whether CE or commercial). As such you need a Scalix license to run the client, and the easiest way is to only make it work against a Scalix server. Also, if you use Scalix for calendaring, moving over to Scalix completely is worth the effort. At the end of the day you will end up with a single logical IMAP server doing your email, no matter what you do, or you end up with a synchronization mess between servers, something that is going to be EXTREMELY hard to maintain.
Just as a sidenote, Scalix uses IMAP for SWA, and IMAP does allow additional commands to be implemented (which Scalix has done). So it can easily be argued that Scalix uses standard IMAP4rev1 according to RFC 3501 (section 6.5).
Scalix can authenticate against any PAM module, it's not limited to LDAP.
Unfortunately the Scalix web client is intended to be used only on a licensed Scalix server (whether CE or commercial). As such you need a Scalix license to run the client, and the easiest way is to only make it work against a Scalix server. Also, if you use Scalix for calendaring, moving over to Scalix completely is worth the effort. At the end of the day you will end up with a single logical IMAP server doing your email, no matter what you do, or you end up with a synchronization mess between servers, something that is going to be EXTREMELY hard to maintain.
Just as a sidenote, Scalix uses IMAP for SWA, and IMAP does allow additional commands to be implemented (which Scalix has done). So it can easily be argued that Scalix uses standard IMAP4rev1 according to RFC 3501 (section 6.5).
-
noritaka
Thanks for the reply.
We use CAS SSO for web sso, I think that to achieve this goal, the webmail of scalix must send a Ticket, in place of the password, like in horde imp :
[quote]
Next, the behavior of the webmail was modified to take into account the versatility of this new kind of password. Indeed, PTs are manipulated in the same way that passwords are, although their validity is limited. In other words, the webmail can use a PT several times thanks to the IMAP cache, but a PT stored in the IMAP cache can be erased (because of the garbage collector of the IMAP cache), supplanted in the cache by another PT (if another webmail instance is running for the same user), or simply replaced by the user’s password if the user concurrently accesses a traditional mail client. In all of these situations, the next connection with the PT would be refused by the IMAP server. To get around this problem, the webmail was modified to allow a new PT to be acquired from the CAS server, in order to make a second attempt at an IMAP connection.
Obviously, using CAS client libraries are not as simple as was implied in 5.1.1 (“Writing a PHP CAS clientâ€
We use CAS SSO for web sso, I think that to achieve this goal, the webmail of scalix must send a Ticket, in place of the password, like in horde imp :
[quote]
Next, the behavior of the webmail was modified to take into account the versatility of this new kind of password. Indeed, PTs are manipulated in the same way that passwords are, although their validity is limited. In other words, the webmail can use a PT several times thanks to the IMAP cache, but a PT stored in the IMAP cache can be erased (because of the garbage collector of the IMAP cache), supplanted in the cache by another PT (if another webmail instance is running for the same user), or simply replaced by the user’s password if the user concurrently accesses a traditional mail client. In all of these situations, the next connection with the PT would be refused by the IMAP server. To get around this problem, the webmail was modified to allow a new PT to be acquired from the CAS server, in order to make a second attempt at an IMAP connection.
Obviously, using CAS client libraries are not as simple as was implied in 5.1.1 (“Writing a PHP CAS clientâ€
-
Valerion
- Scalix Star
- Posts: 2730
- Joined: Thu Feb 26, 2004 7:40 am
- Location: Johannesburg, South Africa
- Contact:
Who is online
Users browsing this forum: No registered users and 0 guests