On Wed, Dec 1, 2010 at 11:56 AM, Tod Pike <tgp@cs.cmu.edu> wrote:

Gary:
I've already got an ugly hack ready - we did something similar to
use squirrelmail against our GSSAPI IMAP server. We use the imtest
helper program to open the GSSAPI-authenticated session (passing in
the Kerberos credential file that we got from the pubcookie module).
We passed that file descriptor back into squirrelmail, bypassing the
normal connection open.

I'd love to see how that code works since the only gssapi implementations I can find seem to be in C using the C-Client library.

I'd like to something similar in roundcube, but it's pretty difficult
using only plugins. I can certainly set up my own imap_connect hook that
would open the proper connection, but I don't see any way to put the
resulting file descriptor into the imap object, since all that stuff is
private to the rcube_imap_generic module.

That's what I meant, you need to modify the core code. At a minimum, you need to modify rcube_imap_generic to include a case for using GSSAPI. Personally, once you start editing that, I'd say move the whole if/then structure to a switch/case structure as there are then 4 different mechanisms.

If you want to be really really nice, extend the auth_sasl code http://pear.php.net/package/Auth_SASL/

The module doesn't currently have a maintainer, so you could update it there to support GSSAPI and then bring it downstream to Roundcube.

I'm stuck at the moment in conceptualizing how to do GSSAPI authentication from within PHP[in theory, I know it's just a matter of passing the challenge token into the function over and over till you get to a success]