Dependency Graph
View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001192 | SOGo | Backend General | public | 2011-03-17 06:24 | 2014-03-06 09:45 |
Reporter | amaramrahul | Assigned To | |||
Priority | normal | Severity | tweak | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 1.3.5 | ||||
Summary | 0001192: Ability to use normal SOGo Authentication with SOGoTrustProxyAuthentication=YES | ||||
Description | When I set SOGoTrustProxyAuthentication=YES in /home/sogo/GNUstep/Defaults/.GNUstepDefaults and enable proxy authentication in apache2, it works fine. But if I disable proxy authentication in apache2 leaving SOGoTrustPRoxyAuthentication=YES as it is, I get the message, "Unauthorized" whenever I access SOGo URL. The reason I need SOGo to work even with apache2 proxy authentication disabled is because I have two apache2 frontend servers running. One is used for connecting via thunderbird and uses GSSAPI authentication (which currently is only possible using Apache2 authentication). The other apache2 frontend is used for the regular SOGo webclient. And for the webclient, popping up browser based prompts for username and password is not clean. Therefore I would like to know if the following is possible i.e. setting SOGoTrustProxyAuthentication=YES and still using the normal SOGo authentication in webclient. | ||||
Tags | No tags attached. | ||||
related to | 0001113 | new | Kerberos GSSAPI authentication with Apache2 Frontend does not work |
The cleanest solution would probably be to implement kerberos authentication in SOGo with a fallback on weblogin. Would you like to sponsor this? |
|
We have recently started giving SOGo to our customers as they were looking for a web calendar. Frankly speaking, we'd be pretty happy to sponsor any needed feature except for the fact that we are going through a really tight financial situation currently. Anyways, if you could give me a rough estimate as to how much you think would be reasonable amount for sponsorship for this feature, I think I can take it up with the higher authorities. Cheers, |
|
One quick work-around which I could think of is to run two separate instances of sogo with two different configuration files - one has SOGoTrustProxyAuthentication=YES and the other SOGoTrustProxyAuthentication=NO. But I was wondering if it possible to change the default configuration file (.GNUstepDefaults) for the second instance of SOGo or whether the only way to achieve this is by creating a new user altogether? |
|
2011-03-21 14:31
|
proxy-authentication.patch (484 bytes)
--- a/Main/SOGo.m 2011-01-27 23:42:30.000000000 +0530 +++ b/Main/SOGo.m 2011-03-21 18:43:43.000000000 +0530 @@ -273,8 +273,10 @@ - (id) authenticatorInContext: (WOContext *) context { id authenticator; + NSString *remoteUser; - if (trustProxyAuthentication) + remoteUser = [[context request] headerForKey: @"x-webobjects-remote-user"]; + if (trustProxyAuthentication && remoteUser) authenticator = [SOGoProxyAuthenticator sharedSOGoProxyAuthenticator]; else { |
I believe I have found a reasonably decent solution to my problem. The attached patch checks if "x-webobjects-remote-user" is set. If this is set and SOGoTrustProxyAuthentication=YES, then only SOGo uses the SOGoProxyAutheticator. This way the Proxy (apache2 in our case) tells SOGo whether it is performing authentication or not. Kindly note that for proxy authentication to work with this patch, you have to ensure that "x-webobjects-remote-user" is passed properly. The proper settings for this can be found in the Issue#0001113. Perhaps the developers might consider integrating this patch into the main code. Also it might be a good idea to use an additional header such as "x-webobjects-proxy-auth-enabled" instead of "x-webobjects-remote-user", which when set to "yes" implies proxy is performing authentication on behalf of SOGo. Cheers, |
|
I see this ticket is almost three years old. Is there any particular reason that the patch suggested has not been incorporated into the main code? |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2011-03-17 06:24 | amaramrahul | New Issue | |
2011-03-17 16:48 |
|
Note Added: 0002268 | |
2011-03-17 16:50 |
|
Relationship added | related to 0001113 |
2011-03-17 17:46 | amaramrahul | Note Added: 0002269 | |
2011-03-18 16:18 | amaramrahul | Note Added: 0002277 | |
2011-03-21 14:31 | amaramrahul | File Added: proxy-authentication.patch | |
2011-03-21 14:41 | amaramrahul | Note Added: 0002279 | |
2014-03-06 09:44 | jtg | Note Added: 0006649 |