To: freebsd-ports@FreeBSD.org
From: Boris Samorodov
Date: Wed, 18 Jan 2006 11:27:52 +0300
Message-ID: <26423335@srv.sem.ipt.ru>
Subject: [mozilla apps] seamonkey, firefox, thundebird and kerberos (gssapi)
List-Id: Porting software to FreeBSD

Hi!

FYI this is a result of my experiments on configuring Single-Sign-On services across our company based on kerberos (gssapi).

Modern mozilla apps -- seamonkey, firefox, thunderbird -- use gssapi to authenticate users, apps and servers.

An old style of using gssapi was a negotiateauth extension. One of the main problems in coding gssapi-ready programs is the number of implementations (MIT, heimdal, GNU, MS and others). At compile time the code was linked to system kerberos libraries. No problems (almost).

The new style is based on an auth extension which is linked at compile time to mozilla's gssapi skeleton but loads a system library (the library may be set via user config) at runtime. The problem here is with the FreeBSD feature(?) of not writing information about linked libraries in the system kerberos:

  $ ldd /usr/lib/libgssapi.so
  /usr/lib/libgssapi.so:

Hence at runtime mozilla apps try to load the gssapi library but fail to use it.

A workaround is to install kerberos from ports (both heimdal and MIT kerberos were tested) and set the variable network.negotiate-auth.gsslib (full path).

Mozilla apps work like a charm with the ports kerberos. Though I tested only HTTP(S) and IMAP(S), I assume that other protocols should work as well.

Now our users are happy with one-password-typing! ;-)

Viva FreeBSD, viva Mozilla!

WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co, http://www.ipt.ru
Telephone & Internet Service Provider
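
Added example (not part of the original message, and not Mozilla or FreeBSD code): a check that the library named in network.negotiate-auth.gsslib can be loaded on its own at runtime and exports GSS-API entry points. The symbol list, the RTLD_NOW load mode and the path in the usage comment are assumptions made for this example.

```python
import ctypes
import os
import sys

# Standard GSS-API entry points (RFC 2744) a client needs for Negotiate auth.
# This list is an assumption for the example, not taken from Mozilla's source.
REQUIRED_SYMBOLS = (
    "gss_import_name",
    "gss_init_sec_context",
    "gss_delete_sec_context",
    "gss_release_name",
    "gss_release_buffer",
    "gss_display_status",
)


def probe_gsslib(path, symbols=REQUIRED_SYMBOLS):
    """Return (status, detail) for the library at `path`.

    status is "ok", "load-failed" or "missing-symbol".
    """
    if not os.path.isabs(path):
        return ("load-failed", "gsslib must be a full path")
    try:
        # RTLD_NOW resolves every undefined function symbol during the load,
        # so a library whose own dependencies cannot be found fails here
        # instead of at the first GSS-API call.
        lib = ctypes.CDLL(path, mode=os.RTLD_NOW)
    except OSError as exc:
        return ("load-failed", str(exc))
    # ctypes raises AttributeError for a symbol the library does not export.
    missing = [name for name in symbols if not hasattr(lib, name)]
    if missing:
        return ("missing-symbol", ", ".join(missing))
    return ("ok", "%d entry points resolved" % len(symbols))


if __name__ == "__main__":
    # Usage (example path): python probe_gsslib.py /usr/local/lib/libgssapi.so
    for candidate in sys.argv[1:]:
        status, detail = probe_gsslib(candidate)
        print("%-16s %s: %s" % (status, candidate, detail))
```

A "load-failed" or "missing-symbol" result for a candidate path means that library is not usable as the gsslib setting.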