Relationship Graph
View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001113 | SOGo | Backend General | public | 2011-02-02 14:18 | 2021-01-26 15:44 |
Reporter | amaramrahul | Assigned To | |||
Priority | normal | Severity | feature | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 1.3.5 | ||||
Summary | 0001113: Kerberos GSSAPI authentication with Apache2 Frontend does not work | ||||
Description | I am using SOGO in debian lenny with apache2+mod_auth_kerb acting as a reverse proxy for it. I have configured and set up everything successfully. There are two authentication methods possible with mod_auth_kerb:
Proxy Error The proxy server received an invalid response from an upstream server. Reason: Error reading from remote server And apache2 error.log shows: [Wed Feb 02 19:39:52 2011] [error] [client 192.168.36.103] (20014)Internal error: proxy: error reading status line from remote server 127.0.0.1 And /var/log/sogo.log has this error (this is perhaps most important): Feb 02 18:21:21 sogod [2896]: [ERROR] <0x0x1b30210[WOHttpAdaptor]> http server caught: <NSException: 0x1e1ac90> NAME:NSGenericException REASON:subclass NGHttpCredentials(instance) should override userName INFO:(nil) I could confirm that GSSAPI authentication is working fine. I am not interested in accessing mails using IMAP. I've read a previous thread and know that currently this isn't even possible. I just want to be able to access my calendar. Any suggestions would be greatly appreciated. | ||||
Tags | No tags attached. | ||||
related to | 0001192 | new | Ability to use normal SOGo Authentication with SOGoTrustProxyAuthentication=YES |
This will likely require some development work in SOGo for this to work correctly. |
|
Could you try this : <Location /SOGo> And : RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e" Can you post your <Location /SOGo> configuration part ? |
|
I can confirm too that this doesn't seem to work. The user seems to be passing correctly to SOGo, but I only ever get a 403 Unauthorized. I never get beyond /SOGo. The manual seems to imply that Kerberos is supported so I thought I was doing something incorrect until I saw this bug report. Like amaramrahul I have confirmed that Kerberos auth is working just fine. SOGo just doesn't seem to know what to do after the user is authenticated. BTW, since the full Kerberos principal seemed to be passed to SOGo, I used a newer version of mod_auth_kerb that contains the feature KrbLocalUserMapping to strip the realm just in case it was causing a problem. |
|
Sorry for the late response. I have tried modifying <Location /SOGo> as suggested by MrJacK but it does not seem to work. These are the settings I am currently using which make proxy authentication work: <Location /SOGo> KrbAuthRealms EXAMPLE.COM <Proxy http://127.0.0.1:20000/SOGo> RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0" AddDefaultCharset UTF-8 Order allow,deny GSSAPI authentication though fails with the error I had given above. Any suggestions on what else could be wrong? Also I got a couple of queries.
|
|
I have make some tests yesterday, this configuration works for me : <Location /SOGo> ProxyRequests Off <Proxy http://127.0.0.1:20000/SOGo> You need mod_auth_kerb 5.4 for this (Option KrbLocalUserMapping) Keytab generated with : msktutil -c -b "CN=COMPUTERS" -s HTTP/server.mydomain.tld -h server.mydomain.tld -k /etc/apache2/krb5.keytab --computer-name server --upn HTTP/server.mydomain.tld --server dc.mydomain.tld --verbose --enctypes 28 Ubuntu server 10.04, TB 3.1.7, 2008 R2 DCs and of course SOGo 1.3.5a |
|
MrJack- This config works on CentOS too! I was already using the KrbLocalUserMapping, but I think the key was your rewrite rule: RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}] and the remote-user line in the request header. I'm getting a strange SOGoCache error now in the logs, but I think that might be due to something else I'm doing and it doesn't seem to prevent this from working. Thanks so much for the help. |
|
Yipee! As suggested by steve, setting "KrbLocalUserMapping On", and writing the rewrite rules and request header as suggested by MrJacK has solved the issue. Here is my configuration of /etc/apache2/conf.d/SOGo.conf which is working (this works with both kerberos password and GSSAPI authentication). ... KrbAuthRealms EXAMPLE.COM RewriteEngine On adjust the following to your configuration#RequestHeader set "x-webobjects-server-port" "443" RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e" RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0" AddDefaultCharset UTF-8 Order allow,deny |
|
So why is the bug still marked "new"? It sounds like the above procedure is a solution rather than a workaround. |
|
Anyone care to write concise documentation so we can include it in our official doc? A pull request on GitHub would be preferred. |
|
I've got proxy authentication working fine to access the sogo interface, but it doesn't seem to be able to pass through the creds to dovecot to access the mailbox itself. Can anyone elaborate on how they got this to work? I have direct access to dovecot working with Kerberos |
|
The configuration provided above do not work with apache 2.4 and sogo 3.2.6 native to debian stretch. Is there an update you can share? |
|
for the reference, this is how it works for me on debian 10 with apache 2.4, dovecot 2.3.4 and sogo 4.1.1.20191113-1: in /etc/apache2/conf.d/SOGo.conf: <Location /SOGo> RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}s" note the "s", when you use https. in all example "e" is used which seems only available when apache is used via http. /etc/sogo/sogo.conf: /etc/dovecot/conf.d/auth-ldap.conf.ext: passdb { the example is not complete, but the most important parts should be there. |
|
After upgrading my server to Debian 10, I wanted to give this a one more chance. Here is my working sql user database solution configuration files, I can access my e-mails if I use the same kerberos password for my sql user: Here is my not working gssapi solution: I receive "Unhandled error response" response from the web login page and Jan 03 09:04:56 sogod [20639]: |SOGo| starting method 'POST' on uri '/SOGo/connect' from sogo log. Any help, appreciated. |
|
as https is used in your example it seems: RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}s" |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2011-02-02 14:18 | amaramrahul | New Issue | |
2011-02-13 14:54 | ludovic | Note Added: 0002101 | |
2011-02-13 14:54 | ludovic | Severity | minor => feature |
2011-03-04 15:22 | MrJacK | Note Added: 0002192 | |
2011-03-05 08:39 | steve | Note Added: 0002198 | |
2011-03-07 17:53 | amaramrahul | Note Added: 0002208 | |
2011-03-08 08:07 | MrJacK | Note Added: 0002212 | |
2011-03-08 08:32 | steve | Note Added: 0002214 | |
2011-03-08 10:29 | amaramrahul | Note Added: 0002215 | |
2011-03-17 16:50 |
|
Relationship added | related to 0001192 |
2015-10-24 00:27 | Pegasus | Note Added: 0009057 | |
2015-10-24 00:39 | ludovic | Note Added: 0009058 | |
2015-11-11 15:57 | ggiesen | Note Added: 0009087 | |
2015-11-11 16:02 | ggiesen | Note Edited: 0009087 | |
2018-09-28 15:24 | koc | Note Added: 0013069 | |
2019-11-13 10:19 | abma | Note Added: 0013893 | |
2021-01-03 06:29 | koc | Note Added: 0015017 | |
2021-01-26 15:44 | abma | Note Added: 0015061 |