[mozilla apps] seamonkey, firefox, thunderbird and kerberos (gssapi)

Boris Samorodov bsam at ipt.ru
Wed Jan 18 00:28:02 PST 2006


Hi!


FYI this is a result of my experiments on configuring Single-Sign-On
services across our company based on kerberos (gssapi).

Modern mozilla apps -- seamonkey, firefox, thunderbird -- use gssapi
to authenticate users, apps and servers.

An old style of using gssapi was a negotiateauth extension. One of
the main problems in coding gssapi-ready programs is the number of
implementations (MIT, heimdal, GNU, MS and others). At compile time the
code was linked to system kerberos libraries. No problems (almost).

The new style is based on an auth extension which is linked at compile
time to mozilla's gssapi skeleton but loads a system library
(the library may be set via user config) at runtime.

The problem here is with the FreeBSD feature(?) of not writing information
about linked libraries in the system kerberos:

$ ldd /usr/lib/libgssapi.so
/usr/lib/libgssapi.so:

Hence at runtime mozilla apps try to load the gssapi library but fail to
use it.

A workaround is to install kerberos from ports (both heimdal and MIT
kerberos were tested) and set the variable
network.negotiate-auth.gsslib (full path).

Mozilla apps work like a charm with the ports kerberos. Though I tested
only HTTP(S) and IMAP(S), I assume that other protocols should work as
well.

Now our users are happy with one-password-typing! ;-)
Viva FreeBSD, viva Mozilla!


WBR
-- 
Boris B. Samorodov, Research Engineer
InPharmTech Co,     http://www.ipt.ru
Telephone & Internet Service Provider
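
The check and workaround described in the message above, as an added example that is not part of the original post: it picks the first candidate GSSAPI library whose ldd output lists dependencies and prints the matching network.negotiate-auth.gsslib line for a profile's user.js. The function names and the /usr/local/lib path in the usage comment are assumptions; the real path depends on which kerberos port is installed.

```shell
#!/bin/sh
# Added example: choose a GSSAPI library that records its own dependencies
# and emit the Mozilla preference that points at it.
#
# Usage (paths are assumptions, adjust to the installed port):
#   sh pick-gsslib.sh /usr/lib/libgssapi.so /usr/local/lib/libgssapi.so

# Run ldd on one library; kept as a function so it can be stubbed out.
ldd_of() {
    ldd "$1" 2>/dev/null
}

# Read ldd output on stdin and print the number of "name => path" lines.
# A library like the one shown in the post prints only its header line,
# so the count is 0.
count_deps() {
    awk '/=>/ { n++ } END { print n + 0 }'
}

# Print the first candidate whose dependencies are recorded; fail if none.
pick_gsslib() {
    for lib in "$@"; do
        n=$(ldd_of "$lib" | count_deps)
        if [ "$n" -gt 0 ]; then
            printf '%s\n' "$lib"
            return 0
        fi
    done
    return 1
}

# Print the user.js line; the post says the value must be a full path.
gsslib_pref() {
    case $1 in
        /*) printf 'user_pref("network.negotiate-auth.gsslib", "%s");\n' "$1" ;;
        *)  echo "gsslib must be a full path: $1" >&2
            return 1 ;;
    esac
}

# Only act when candidates are given on the command line.
if [ "$#" -gt 0 ]; then
    if lib=$(pick_gsslib "$@"); then
        gsslib_pref "$lib"
    else
        echo "no candidate library lists its dependencies" >&2
    fi
fi
```

The printed line goes into user.js in the profile directory, or the same value can be set by hand in about:config.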

