View Issue Details

ID: 0005987
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2024-06-28 07:26
Reporter: sogouser123
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.10.0
Summary: 0005987: SoGo incomplete password validation with ProxyAuth
Description

When using SoGo with "SOGoTrustProxyAuthentication = YES" and allowing local passwordless logins via Dovecot, the login password on ActiveSync (and possibly DAV) is not checked against LDAP, only against IMAP.
Since using ProxyAuth means the SoGo WebUI does not have the user's password, the IMAP server needs to be configured to allow all local connections without a password.

Now when a user tries to log on, for example via ActiveSync, the password is checked against IMAP first:
dovecot[1918]: auth: ldap(user@example.com,::1,<XXXX>): Password mismatch (for LDAP bind) (given password: WRONGPW) - trying the next passdb

Since the IMAP server has to allow local logins to access the mailbox without a password, the request is granted:
dovecot[1918]: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=::1, lip=::1, mpid=2212740, secured, session=<XXXX>

The credentials are never checked against the configured LDAP server, which was configured with "canAuthenticate = YES".
This effectively allows all passwords for a given username to be accepted.

I would expect SoGo to validate the credentials with the LDAP server before attempting any connections to the IMAP server.

Steps To Reproduce
  • Allow proxy auth in SoGo.conf: "SOGoTrustProxyAuthentication = YES"
  • Make sure no proxy auth user header is present for the DAV (Location /SOGo/dav) and ActiveSync (Location /SOGo/Microsoft-Server-ActiveSync & Microsoft-Server-ActiveSync) endpoints: RequestHeader unset "x-webobjects-remote-user"
  • Configure an LDAP backend with: "canAuthenticate = YES"
  • Configure dovecot to allow local passwordless logins:

    passdb {
      driver = static
      args = nopassword=y
      override_fields = allow_nets=127.0.0.1/8,::1/128
    }

  • Now for a given valid user, every password will be accepted via ActiveSync. CalDAV/CardDAV should be the same, but I have not tested it specifically.
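A detection check for the fallthrough described in this report, added here as an example and not part of the report, SOGo or Dovecot: it correlates Dovecot "auth: ldap(...)" lines with "imap-login: Login:" lines by session id and flags a successful login whose session earlier logged an LDAP password mismatch. It assumes both lines carry the same session token (the report masks it as <XXXX>); the log lines below are constructed samples.

```python
import re

# Constructed sample log, modelled on the two entries quoted in the report.
# Session tokens, IPs and passwords are placeholders, not real values.
SAMPLE_LOG = """\
dovecot[1918]: auth: ldap(user@example.com,::1,<abc123>): Password mismatch (for LDAP bind) (given password: WRONGPW) - trying the next passdb
dovecot[1918]: imap-login: Login: user=<user@example.com>, method=PLAIN, rip=::1, lip=::1, mpid=2212740, secured, session=<abc123>
dovecot[1918]: auth: ldap(bob@example.com,198.51.100.7,<ghi789>): Password mismatch (for LDAP bind) (given password: nope) - trying the next passdb
dovecot[1918]: imap-login: Login: user=<other@example.com>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2, mpid=2212741, TLS, session=<def456>
"""

# "auth: ldap(<user>,<remote ip>,<session>): Password mismatch ..."
MISMATCH_RE = re.compile(
    r"auth: ldap\((?P<user>[^,]+),(?P<rip>[^,]+),<(?P<session>[^>]+)>\): Password mismatch"
)
# "imap-login: Login: user=<...>, ..., rip=<ip>, ..., session=<token>"
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[^,]+).*?session=<(?P<session>[^>]+)>"
)


def find_passdb_fallthrough(log_text):
    """Return (user, remote_ip, session) for every successful IMAP login whose
    session previously logged an LDAP password mismatch. Such a pair means the
    next passdb (here the passwordless static one) accepted a password that
    LDAP had already rejected, which is the condition the report describes."""
    mismatches = {}  # session token -> (user, rip) from the LDAP rejection
    hits = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            mismatches[m["session"]] = (m["user"], m["rip"])
            continue
        m = LOGIN_RE.search(line)
        if m and m["session"] in mismatches:
            hits.append((m["user"], m["rip"], m["session"]))
    return hits


if __name__ == "__main__":
    for user, rip, session in find_passdb_fallthrough(SAMPLE_LOG):
        print(f"ALERT: login for {user} from {rip} (session {session}) succeeded after LDAP rejected the password")
```

The first sample session (abc123) is flagged; bob's rejection is never followed by a login and the remote TLS login has no prior mismatch, so neither is reported.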
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified       Username       Field       Change
2024-06-28 07:26    sogouser123    New Issue