[SOGo] BTS activities for Monday, July 20 2020
BTS Activities
Home page: https://sogo.nu/bugs
Project: SOGo
For the period covering: Monday, July 20 2020

id | last update | status (resolution) | category | summary
5083 | 2020-07-20 14:49:56 | updated (open) | Web Mail | Signature not replaced/removed in Send Dialog
5031 | 2020-07-20 10:16:58 | updated (open) | with SOGo MZLA Thunderbird 78+ Breaks SOGo Connector (68+)

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] Sogo - Lemonldap - Saml
Hi Mj,

I was sure to have seen that problem in an old post, and indeed I found it, and it was from you :)
(https://www.mail-archive.com/users@sogo.nu/msg27428.html)

Was the solution given in the answer not good?

Thanks,
Kenny

On 19/07/20 16:51, mj (li...@merit.unu.edu) wrote:
> Hi Kenny,
>
> In the past, we also setup a PoC with SOGo / keycloak / SAML2. For
> IMAP authentication, we used:
> https://github.com/ck-ws/pam-script-saml
>
> But because of the SAML2 sessions timing out, we went back to regular
> LDAP auth. We would like to move to SAML2, so we're following the
> recent SAML2 list threads with interest.
>
> MJ
>
> On 7/19/20 2:02 PM, Jeroen van Os (jeroen.va...@nevel.io) wrote:
>> Hi Kenny,
>>
>> I have been trying to get SAML to work with SOGo as well. In Keycloak
>> the following configuration works:
>>
>> Client scopes: none
>> Mappers: fill in "email" and "username" with information from your
>> credentials provider
>> Set scope to "full scope allowed"
>>
>> In the SOGo config file we have this line, the rest is similar to
>> what you provided:
>> SOGoSAML2LoginAttribute = username;
>>
>> Don't forget to take into account that even if you get SAML to work,
>> the connection to your IMAP and SMTP server may not work. Because
>> SOGo has no knowledge of the user's password, it cannot authenticate
>> against regular IMAP and SMTP servers that expect user credentials
>> for authorization. So you will need to find a way to authenticate
>> without knowing the user's password.
>>
>> Kind regards,
>> Jeroen
>>
>>
>> On 18/07/2020 at 22:19, "la.jolie@paquerette"
>> (la.jo...@paquerette.org) wrote:
>>> Going on with my attempts to connect Sogo to LemonLdap, I tried also with
>>> the SAML protocol.
>>> Few weeks ago, I first tried with Keycloak
>>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
>>> find a solution.
>>>
>>> Unfortunately, with LemonLdap, I have the same error:
>>>
>>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>>> |SOGo| traverse(acquire): SOGo => saml2-signon-post
>>> |SOGo| do traverse name: 'SOGo'
>>> |SOGo| do traverse name: 'saml2-signon-post'
>>> |SOGo| set clientObject:
>>> sogod[8630:8630] EXCEPTION:
>>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>>> 'login' to dictionary INFO:{}
>>> |SOGo| request took 0.013806 seconds to execute
>>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>>> - 692K
>>>
>>>
>>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>>> Alas, no clue what Sogo is waiting for.
>>>
>>> I attached a saml token example LemonLdap sends back to Sogo.
>>> For the attribute with my mail (for the login), I tried the names mail,
>>> email & login, but same error.
>>>
>>> What is the attribute name Sogo wants for the key 'login'?
>>> Is something wrong with the Saml token Sogo is receiving from
>>> LemonLdap?
>>>
>>> Thanks,
>>> Kenny
>>>
>>>
>>> My Sogo config:
>>>
>>> SOGoProfileURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>>> OCSFolderInfoURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>>> OCSSessionsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>>> OCSEMailAlarmsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>>> SOGoLanguage = English;
>>> SOGoAppointmentSendEMailNotifications = YES;
>>> SOGoMailingMechanism = smtp;
>>> SOGoSMTPServer = 127.0.0.1;
>>> SOGoTimeZone = UTC;
>>> SOGoSentFolderName = Sent;
>>> SOGoTrashFolderName = Trash;
>>> SOGoDraftsFolderName = Drafts;
>>> SOGoIMAPServer = "imap://localhost:143/";
>>> SOGoSieveServer = "sieve://localhost:4190/";
>>> SOGoIMAPAclConformsToIMAPExt = YES;
>>> SOGoVacationEnabled = NO;
>>> SOGoForwardEnabled = NO;
>>> SOGoSieveScriptsEnabled = NO;
>>> SOGoFirstDayOfWeek = 0;
>>> SOGoMailMessageCheck = manually;
>>> SOGoMailAuxiliaryUserAccountsEnabled = NO;
>>> SOGoMemcachedHost = 127.0.0.1;
>>>
>>> SOGoCacheCleanupInterval = 3600;
>>> SOGoAuthenticationType = saml2;
>>> NGImap4AuthMechanism = PLAIN; # tried without the option too
>>> SOGoSAML2PrivateKeyLocation = "/etc/sogo/saml.pem";
>>> SOGoSAML2CertificateLocation = "/etc/sogo/saml.crt";
>>> SOGoSAML2IdpMetadataLocation = "/etc/sogo/idp-metadata.xml";
>>> SOGoSAML2IdpPublicKeyLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2IdpCertificateLocation = "/etc/sogo/idp-public.key";
>>> SOGoSAML2LoginAttribute = mail;
>>> SOGoSAML2LogoutEnabled = YES;
>>> SOGoSAML2LogoutURL = "https://";;
>>>
>>> WOWorkersCount = 10;
>>>
>>> SOGoEASDebugEnabled = YES;
>>> GCSFolderDebugEnabled = YES;
>>> GCSFolderStoreDebugEnabled = YES;
>>> LDAPDebugEnabled = YES;
>>> MySQL4DebugEnabled = YES;
>>> NGImap4DisableIMAP4Pooling = YES;
>
Re: [SOGo] Sogo - Lemonldap - Saml
Hi Jeroen,

Thanks for your help.

I put my keycloak test server back on and tried your ideas, but no luck. The Saml2 assertion includes both email & username fields with the correct value. But I still got the same exact error.

I see in sogo logs, when first accessing Sogo, before the redirection to keycloak, this line:

Jul 20 14:41:59 sogod [8340]: [ERROR] <0x0x55f3d21a8ad0[SOGoUserManager]> No authentication sources defined - nobody will be able to login. Check your defaults.

This error comes from the fact I didn't define a:
--
SOGoUserSources = ( { type = sql or ldap; ...
--
Do I presume correctly that it's a normal error as I'm using saml2 and not sql or ldap as userSource?

Can I ask you to compare your Sogo client config in Keycloak with mine to see if there is a difference? I attached the metadata of my Sogo client to the mail.

I noticed one strange thing. I must have the option "Client Signature Required: OFF" in my keycloak sogo client. If I set it to ON, I have an "invalid query param" in keycloak logs (does that mean Sogo can't sign the request?).

Also, I'm wondering if I'm right to compose the file for the options SOGoSAML2IdpPublicKeyLocation & SOGoSAML2IdpCertificateLocation in sogo conf with the attribute "saml.signing.certificate" from the metadata file (enclosed by "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-"). I put that in the file /etc/sogo/idp-public.key. Or am I wrong to do it like that?

I know about the next step where you can't send a saml assertion to dovecot for credentials as it is. You need pam-script-saml or libpam-script + lasso (patched or not, not sure as the info about it is so old). I already tested pam-script-saml but need the first step to work (connection to sogo) to see if it works.

Thanks,
Kenny

On 19/07/20 14:02, Jeroen van Os (jeroen.va...@nevel.io) wrote:
> Hi Kenny,
>
> I have been trying to get SAML to work with SOGo as well. In Keycloak
> the following configuration works:
>
> Client scopes: none
> Mappers: fill in "email" and "username" with information from your
> credentials provider
> Set scope to "full scope allowed"
>
> In the SOGo config file we have this line, the rest is similar to what
> you provided:
> SOGoSAML2LoginAttribute = username;
>
> Don't forget to take into account that even if you get SAML to work,
> the connection to your IMAP and SMTP server may not work. Because SOGo
> has no knowledge of the user's password, it cannot authenticate
> against regular IMAP and SMTP servers that expect user credentials for
> authorization. So you will need to find a way to authenticate without
> knowing the user's password.
>
> Kind regards,
> Jeroen
>
>
> On 18/07/2020 at 22:19, "la.jolie@paquerette"
> (la.jo...@paquerette.org) wrote:
>> Going on with my attempts to connect Sogo to LemonLdap, I tried also with
>> the SAML protocol.
>> Few weeks ago, I first tried with Keycloak
>> (https://www.mail-archive.com/users@sogo.nu/msg29805.html), but I didn't
>> find a solution.
>>
>> Unfortunately, with LemonLdap, I have the same error:
>>
>> |SOGo| starting method 'POST' on uri '/SOGo/saml2-signon-post'
>> |SOGo| traverse(acquire): SOGo => saml2-signon-post
>> |SOGo| do traverse name: 'SOGo'
>> |SOGo| do traverse name: 'saml2-signon-post'
>> |SOGo| set clientObject:
>> sogod[8630:8630] EXCEPTION:
>> NAME:NSInvalidArgumentException REASON:Tried to add nil value for key
>> 'login' to dictionary INFO:{}
>> |SOGo| request took 0.013806 seconds to execute
>> <0x0x563823b8f410[WOResponse]> Zipping of response disabled
>> 127.0.0.1 "POST /SOGo/saml2-signon-post HTTP/1.1" 501 0/7289 0.019 -
>> - 692K
>>
>>
>> I'm back to the post https://sogo.nu/bugs/view.php?id=4441
>> Alas, no clue what Sogo is waiting for.
>>
>> I attached a saml token example LemonLdap sends back to Sogo.
>> For the attribute with my mail (for the login), I tried the names mail,
>> email & login, but same error.
>>
>> What is the attribute name Sogo wants for the key 'login'?
>> Is something wrong with the Saml token Sogo is receiving from LemonLdap?
>>
>> Thanks,
>> Kenny
>>
>>
>> My Sogo config:
>>
>> SOGoProfileURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_user_profile";
>> OCSFolderInfoURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_folder_info";
>> OCSSessionsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_sessions_folder";
>> OCSEMailAlarmsFolderURL = "mysql://yyy:x@127.0.0.1:3306/sogo/sogo_alarms_folder";
>> SOGoLanguage = English;
>> SOGoAppointmentSendEMailNotifications = YES;
>> SOGoMailingMechanism = smtp;
>> SOGoSMTPServer = 127.0.0.1;
>> SOGoTimeZone = UTC;
>> SOGoSentFolderName = Sent;
>> SOGoTrashFolderName = Trash;
>> SOGoDraftsFolderName = Drafts;
>> SOGoIMAPServer = "imap://localhost:143/";
>> SOGoSieveServer = "sieve://localhost:4190/";
>> SOGoIMAPAclConformsToIMAPExt = YES;
>> SOGoVaca
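Two of the checks this exchange turns on, as an added example in Python that is not code from the thread, from SOGo or from Keycloak: listing the attribute names an assertion actually carries so the value that SOGoSAML2LoginAttribute names can be confirmed before SOGo raises the nil 'login' exception, and rendering the IdP signing certificate from the IdP metadata as a PEM file for SOGoSAML2IdpCertificateLocation. That SOGo looks the attribute up by that name and accepts PEM there are assumptions; the sample response and metadata are constructed.

```python
import textwrap
import xml.etree.ElementTree as ET
NS = {  # SAML 2.0 namespaces
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def assertion_attributes(xml_text):
    """Map each saml:Attribute Name to its values (bare Assertion or samlp:Response)."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter("{%s}Attribute" % NS["saml"]):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def login_value(xml_text, login_attribute):
    """Assumed SOGo lookup: first non-empty value of the SOGoSAML2LoginAttribute attribute.
    None is the situation behind 'Tried to add nil value for key login'."""
    return next((v for v in assertion_attributes(xml_text).get(login_attribute, []) if v), None)

def idp_signing_cert_pem(metadata_xml):
    """Render the IdP signing certificate from its metadata as PEM (the format assumed
    for SOGoSAML2IdpCertificateLocation); None if the metadata carries none."""
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % NS["md"]):
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            body = "".join(cert.text.split())  # drop whitespace metadata tools insert
            return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(body, 64))
    return None

# Constructed sample: attributes "email" and "username" exist, "mail" (as in the config above) does not.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="email"><saml:AttributeValue>kenny@example.org</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="username"><saml:AttributeValue>kenny</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)

# Constructed sample IdP metadata with a placeholder (not real) certificate body.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/">'
    '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>\n  MIIBfakeCERTIFICATEbody\n  ABCDEF==\n</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>'
)
```

Run `login_value(open("token.xml").read(), "mail")` against a captured assertion: a None result means the configured SOGoSAML2LoginAttribute is not among the names that `assertion_attributes` reports, which is the mismatch to fix on the IdP mapper or in sogo.conf.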
Re: [SOGo] Thunderbird 78
?

Valdas Žiūraitis
+370 698 12291

2020.07.13 17:20, Christian Naumer (c...@brain-biotech.de) wrote:
> Hello you all,
>
> is there any time line for supporting TB78 with the SOGo-Plugins? Currently they are not working in the Beta. Has someone else tried this?
>
> Regards
> Christian
Re: [SOGo] Outlook 2016 FreeBusy lookup
To close the case I can confirm that the Outlook FreeBusy lookup works now in our SOGo environment.

The solution was: as our users have to authenticate using their full email address, the URL has to look this way:

https://myserver.mydomain.mytld/SOGo/dav/public/%Name%@mydomain.mytld/freebusy.ifb

Thank you again for your assistance @MJ. Your hint made the difference:

> We see that outlook replaces the %Name% placeholder at lookup time with
> the appropriate localpart of the email address, and thus locates
> freebusy info for all users on that domain.

Best regards
Armin