|
|
This will likely require some development work in SOGo for this to work correctly. |
|
|
|
Could you try this :
<Location /SOGo>
Bla...
Blaa...
SetEnv proxy-nokeepalive 1
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
And :
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
Can you post your <Location /SOGo> configuration part ? |
|
|
|
I can confirm too that this doesn't seem to work. The user seems to be passing correctly to SOGo, but I only ever get a 403 Unauthorized. I never get beyond /SOGo. The manual seems to imply that Kerberos is supported so I thought I was doing something incorrect until I saw this bug report. Like amaramrahul I have confirmed that Kerberos auth is working just fine. SOGo just doesn't seem to know what to do after the user is authenticated.
BTW, since the full Kerberos principal seemed to be passed to SOGo, I used a newer version of mod_auth_kerb that contains the feature KrbLocalUserMapping to strip the realm just in case it was causing a problem. |
|
|
|
Sorry for the late response. I have tried modifying <Location /SOGo> as suggested by MrJacK but it does not seem to work. These are the settings I am currently using which make proxy authentication work:
<Location /SOGo>
AuthType Kerberos
Require valid-user
SetEnv proxy-nokeepalive 1
Allow from all
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/scs.example.com@EXAMPLE.COM
Krb5Keytab /home/sogo/GNUstep/Defaults/sasl2/HTTP.keytab
</Location>
<Proxy http://127.0.0.1:20000/SOGo>
RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny
Allow from all
</Proxy>
GSSAPI authentication though fails with the error I had given above. Any suggestions on what else could be wrong?
Also I got a couple of queries.
-
Should the Rewrite lines be in <Location /SOGo>...</Location> or in <Proxy http://127.0.0.1:20000/SOGo>...</Proxy> as it is currently or does it not really matter?
-
This is more of an observation. Changing 'RequestHeader set REMOTE_USER %{RU}e' to 'RequestHeader set "x-webobjects-remote-user" %{RU}e' in the above rewrite rules was not working.
|
|
|
|
I have make some tests yesterday, this configuration works for me :
<Location /SOGo>
Order allow,deny
Allow from all
AuthName "Whatever..."
AuthType Kerberos
Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthRealms MYDOMAIN.TLD
KrbMethodNegotiate On
KrbServiceName HTTP/server.mydomain.tld@MYDOMAIN.TLD
KrbMethodK5Passwd On
KrbSaveCredentials on
KrbAuthoritative On
KrbLocalUserMapping On
require valid-user
SetEnv proxy-nokeepalive 1
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "80"
RequestHeader set "x-webobjects-server-name" "server.mydomain.tld"
RequestHeader set "x-webobjects-server-url" "http://server.mydomain.tld"
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny
Allow from all
</Proxy>
You need mod_auth_kerb 5.4 for this (Option KrbLocalUserMapping)
Keytab generated with :
msktutil -c -b "CN=COMPUTERS" -s HTTP/server.mydomain.tld -h server.mydomain.tld -k /etc/apache2/krb5.keytab --computer-name server --upn HTTP/server.mydomain.tld --server dc.mydomain.tld --verbose --enctypes 28
Ubuntu server 10.04, TB 3.1.7, 2008 R2 DCs and of course SOGo 1.3.5a |
|
|
|
MrJack-
This config works on CentOS too! I was already using the KrbLocalUserMapping, but I think the key was your rewrite rule: RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}] and the remote-user line in the request header.
I'm getting a strange SOGoCache error now in the logs, but I think that might be due to something else I'm doing and it doesn't seem to prevent this from working.
Thanks so much for the help. |
|
|
|
Yipee! As suggested by steve, setting "KrbLocalUserMapping On", and writing the rewrite rules and request header as suggested by MrJacK has solved the issue. Here is my configuration of /etc/apache2/conf.d/SOGo.conf which is working (this works with both kerberos password and GSSAPI authentication).
...
...
...
<Location /SOGo>
AuthType Kerberos
Require valid-user
SetEnv proxy-nokeepalive 1
Allow from all
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/scs.example.com@EXAMPLE.COM
Krb5Keytab /home/sogo/GNUstep/Defaults/sasl2/HTTP.keytab
KrbLocalUserMapping On
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
...
...
...
<Proxy http://127.0.0.1:20000/SOGo>
adjust the following to your configuration
#RequestHeader set "x-webobjects-server-port" "443"
#RequestHeader set "x-webobjects-server-name" "yourhostname"
#RequestHeader set "x-webobjects-server-url" "https://yourhostname"
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny
Allow from all
</Proxy>
...
...
... |
|
|
|
So why is the bug still marked "new"? It sounds like the above procedure is a solution rather than a workaround. |
|
|
|
Anyone care to write concise documentation so we can include it in our official doc? A pull request on GitHub would be preferred. |
|
|
|
I've got proxy authentication working fine to access the sogo interface, but it doesn't seem to be able to pass through the creds to dovecot to access the mailbox itself. Can anyone elaborate on how they got this to work?
I have direct access to dovecot working with Kerberos |
|
|
|
The configuration provided above do not work with apache 2.4 and sogo 3.2.6 native to debian stretch. Is there an update you can share? |
|
|
|
for the reference, this is how it works for me on debian 10 with apache 2.4, dovecot 2.3.4 and sogo 4.1.1.20191113-1:
in /etc/apache2/conf.d/SOGo.conf:
<Location /SOGo>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/apache2/http.keytab
GssapiAcceptorName HTTP@auth.realm.com
require valid-user
GssapiLocalName on
</Location>
RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}s"
note the "s", when you use https. in all example "e" is used which seems only available when apache is used via http.
/etc/sogo/sogo.conf:
SOGoTrustProxyAuthentication = YES;
SOGoIMAPServer = "imap://localhost:143/";
/etc/dovecot/conf.d/auth-ldap.conf.ext:
passdb {
driver = static
args = allow_nets=127.0.0.1/32 nopassword
}
the example is not complete, but the most important parts should be there. |
|
|
|
After upgrading my server to Debian 10, I wanted to give this a one more chance.
I am using apache2, postgresql, postfix and dovecot versions native to debian 10.
I tested sogo both with native version 4.0.7 and nightly version 5.0.1, still couldn't make it work.
Here is my working sql user database solution configuration files, I can access my e-mails if I use the same kerberos password for my sql user:
/database/
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
/authentication /
SOGoPasswordChangeEnabled = YES;
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
UIDFieldName = uid;
IDFieldName = uid;
bindFields = (uid);
baseDN = "ou=users,dc=example,dc=com";
bindDN = "";
bindPassword = "";
canAuthenticate = NO;
displayName = "SOGo Users";
hostname = "ldap://ldap.example.com";
port = 389;
id = ldap_users;
isAddressBook = YES;
},
{
type = sql;
id = sql_users;
viewURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_users";
canAuthenticate = YES;
isAddressBook = NO;
userPasswordAlgorithm = md5;
}
);
/web/
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoTrustProxyAuthentication = YES;
/general/
SOGoLanguage = TurkishTurkey;
SOGoTimeZone = Europe/Istanbul;
SOGoFirstDayOfWeek = 1;
WOWorkersCount = 5;
/debug/
SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
LDAPDebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
WODontZipResponse = YES;
}
<VirtualHost 10.10.10.10:80>
ServerName sogo.example.com
ServerAdmin info@example.com
Redirect / https://sogo.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 10.10.10.10:443>
ServerName sogo.example.com
ServerAdmin info@example.com
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
SSLEngine on
SSLCertificateChainFile /etc/ssl/certs/ca.cert.pem
SSLCertificateKeyFile /etc/ssl/private/sogo.key.pem
SSLCertificateFile /etc/ssl/certs/sogo.cert.pem
LogLevel debug ssl:debug
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
RewriteRule (.*) /SOGo/ [R=301]
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
<Directory /usr/lib/GNUstep/SOGo/>
AllowOverride None
Require all granted
<IfModule expires_module>
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
</Directory>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
<IfModule headers_module>
RequestHeader unset "x-webobjects-remote-user"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</IfModule>
AddDefaultCharset UTF-8
Require all granted
</Proxy>
<IfModule rewrite_module>
RewriteEngine On
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
</VirtualHost>
</IfModule>
Here is my not working gssapi solution:
{
/database/
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
/authentication /
SOGoPasswordChangeEnabled = NO;
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
UIDFieldName = uid;
IDFieldName = uid;
bindFields = (uid);
baseDN = "ou=users,dc=example,dc=com";
bindDN = "";
bindPassword = "";
canAuthenticate = YES;
displayName = "SOGo Users";
hostname = "ldap://ldap.example.com";
port = 389;
id = ldap_users;
isAddressBook = YES;
}
);
/web/
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoTrustProxyAuthentication = YES;
/general/
SOGoLanguage = TurkishTurkey;
SOGoTimeZone = Europe/Istanbul;
SOGoFirstDayOfWeek = 1;
WOWorkersCount = 5;
/debug/
SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
LDAPDebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
WODontZipResponse = YES;
}
<VirtualHost 10.10.10.10:80>
ServerName sogo.example.com
ServerAdmin info@example.com
Redirect / https://sogo.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 10.10.10.10:443>
ServerName sogo.example.com
ServerAdmin info@example.com
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
SSLEngine on
SSLCertificateChainFile /etc/ssl/certs/ca.cert.pem
SSLCertificateKeyFile /etc/ssl/private/sogo.key.pem
SSLCertificateFile /etc/ssl/certs/sogo.cert.pem
LogLevel debug ssl:debug
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
RewriteRule (.) /SOGo/ [R=301]
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
<Directory /usr/lib/GNUstep/SOGo/>
AllowOverride None
Require all granted
<IfModule expires_module>
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
</Directory>
<Location /SOGo>
AuthType gssapi
AuthName "Kerberos Parola"
GssapiBasicAuth on
GssapiLocalName on
GssapiAllowedMech krb5
GssapiCredStore keytab:/etc/apache2/apache2.keytab
GssapiSSLonly on
Require valid-user
SetEnv proxy-nokeepalive 1
Require all granted
RewriteEngine on
RewriteRule . - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
<IfModule headers_module>
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
</IfModule>
AddDefaultCharset UTF-8
Require all granted
</Proxy>
<IfModule rewrite_module>
RewriteEngine On
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
</VirtualHost>
</IfModule>
I receive "Unhandled error response" response from the web login page and
Jan 03 09:04:56 sogod [20639]: |SOGo| starting method 'POST' on uri '/SOGo/connect'
2021-01-03 09:04:56.802 sogod[20639:20639] EXCEPTION: <NSException: 0x558b484b34b0> NAME:NSInvalidArgumentException REASON:SOGoProxyAuthenticator(instance) does not recognize checkLogin:password:domain:perr:expire:grace:useCache: INFO:(null)
from sogo log.
Any help, appreciated. |
|
|
|
as https is used in your example it seems:
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}s"
vs
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e" |
|
related to
child of
duplicate of
