
WebmailShibboleth

2,115 bytes added, 23 June 2009, 16:40
Integrating webmail software with Shibboleth
= Shibboleth, integrating webmail software, IMAP proof-of-concept =

= In English =

== Requirements ==
* The webmail software must not see or use the users' LDAP password; the IdP must not release even the hashed form of the password.
* IMAP must authenticate with username and password.
* Someone with access to the webmail server must not gain access to IMAP on behalf of all users (she can, however, access the sessions of currently active users).

== Solution concepts ==
* The IdP and the IMAP server share an authentication database.
* With every webmail SP request the IdP generates a new password for that particular user and writes it to the database.
* The webmail SP receives this password with the attribute set and uses the username (e-mail address) and password to access the IMAP server.
* The IMAP server tries to authenticate against the database.
* To secure access, this password entry should carry an expiration time that invalidates the password after the IdP session ends, so IMAP accepts only users who have recently initiated an active session at the IdP.

== Shibboleth IdP plugin ==
* We have developed an IdP plugin (an attribute resolver) which generates this short-lifetime password for the user and writes it to the database.
* Shibboleth IdP attribute resolver configuration is independent of the actual SP, so the plugin must check whether the current request came from an SP for which it needs to generate the password.
* The password is sent in plain text, so the Shibboleth attribute statement must be encrypted, either by using artifact resolution over SSL/TLS or by using XML encryption with HTTP-POST.

== IMAP configuration ==
* As we don't want to force the use of webmail, IMAP needs to use LDAP authentication as well.
* Most IMAP servers can be configured to use PAM, which can be configured to use arbitrary SQL tables for authentication and also supports authentication chaining.
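The following Python model is an added illustration of the scheme above; it is not the IdP plugin or the PAM configuration from this project. It puts both halves of the design side by side: the IdP-side attribute resolver that mints a short-lived password only for the webmail SP and records it with an expiry, and the IMAP-side check (what a PAM SQL module would do) that rejects unknown users, wrong passwords and expired entries, falling back to LDAP so that non-webmail clients keep working. The SP entityID, the table layout, the eight-hour lifetime and the `ldap_check` callback are assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumed entityID of the webmail SP; the resolver mints a password only for it.
WEBMAIL_SP = "https://webmail.example.org/shibboleth"
# Assumed lifetime: should match the IdP session lifetime so the entry dies with the session.
PASSWORD_LIFETIME = 8 * 3600


def open_db():
    """Shared authentication table (assumed layout), in-memory for the example."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE imap_pw ("
        " username TEXT PRIMARY KEY,"
        " pw_hash TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def _digest(password):
    # The stored value is a hash of a high-entropy random token, not a user-chosen
    # password, so a plain SHA-256 is adequate here; a leaked table still gives
    # an attacker nothing usable.
    return hashlib.sha256(password.encode()).hexdigest()


def resolve_attribute(db, requester_sp, username, now=None):
    """IdP attribute-resolver side.

    Returns the fresh plain-text password to be released as an attribute value,
    or None when the requesting SP is not the webmail SP (resolver config is
    SP-independent, so the plugin itself must make this check).
    """
    if requester_sp != WEBMAIL_SP:
        return None
    now = int(time.time()) if now is None else now
    password = secrets.token_urlsafe(24)
    # One live entry per user: a new webmail login replaces the previous one.
    db.execute(
        "INSERT OR REPLACE INTO imap_pw (username, pw_hash, expires_at) VALUES (?, ?, ?)",
        (username, _digest(password), now + PASSWORD_LIFETIME),
    )
    db.commit()
    return password


def imap_db_authenticate(db, username, password, now=None):
    """IMAP side: what the PAM SQL module checks against the shared table."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT pw_hash, expires_at FROM imap_pw WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    pw_hash, expires_at = row
    if now >= expires_at:
        # Session-bound password has lapsed; the user must log in at the IdP again.
        return False
    return secrets.compare_digest(pw_hash, _digest(password))


def imap_authenticate(db, username, password, ldap_check, now=None):
    """PAM-style chaining: short-lived DB password first, then ordinary LDAP."""
    if imap_db_authenticate(db, username, password, now=now):
        return True
    return bool(ldap_check(username, password))


if __name__ == "__main__":
    db = open_db()
    pw = resolve_attribute(db, WEBMAIL_SP, "alice@example.org")
    print("webmail login:", imap_authenticate(db, "alice@example.org", pw, lambda u, p: False))
    print("after expiry: ", imap_authenticate(db, "alice@example.org", pw,
                                              lambda u, p: False,
                                              now=int(time.time()) + PASSWORD_LIFETIME))
```

The expiry check is what turns the shared table from a permanent second credential into a session-bound one; choosing `PASSWORD_LIFETIME` longer than the IdP session leaves a window in which a stolen webmail-side password still works after the user has logged out.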
== Webmail software ==
* For our proof-of-concept we tried SquirrelMail with its HTTP-authentication plugin. If the SP releases the username and password as PHP_AUTH_USER and PHP_AUTH_PW, this authentication module works out of the box.

= In Hungarian =
== Concept ==
We want to Shibbolize the joint operation of the webmail and the mail server (IMAP/POP3). The main problem is that the webmail authenticates to the IMAP server with a username and password. The password stored in the directory, however, cannot be released to applications, and in most cases it is a hashed password anyway.