[SOGo] SOGo + Dovecot + Keycloak + Apache + libapache2-mod-auth-openidc -> working setup

2023-07-01 Thread Claas Hilbrecht

Hi,

after trying to get SAML working with dovecot without success for several days I tried a different approach today. Instead of using SAML I switched to using the libapache2-mod-auth-openidc module. I changed the apache sogo.conf to support the OIDC module with the settings below. Please note that you need to add some checks about valid claims; take a look at https://github.com/OpenIDC/mod_auth_openidc/wiki -> "Require claim sub:".


--- /etc/apache2/sites-available/sogo.conf ---

OIDCCryptoPassphrase    "verylongsecret"
OIDCProviderMetadataURL https://auth.example.com/realms/master/.well-known/openid-configuration

OIDCRedirectURI         http://sogo.example.com/redirect_uri
OIDCClientID            SOGo
OIDCClientSecret        random_client_secret
OIDCRemoteUserClaim     email
OIDCScope               "email openid"
OIDCAuthNHeader         x-webobjects-remote-user
OIDCXForwardedHeaders   X-Forwarded-Proto X-Forwarded-Port X-Forwarded-Host
OIDCPassClaimsAs        both

AuthType openid-connect
Require valid-user

# Port as archived in the post (truncated); sogod listens on 20000 by default.
<Proxy http://127.0.0.1:2/SOGo>
  # Add Basic Authorization
  RequestHeader set "x-webobjects-auth-type" "Basic"
  # Combine username and access_token with a colon ':' only when a
  # valid access_token is available
  RequestHeader set Authorization "%{OIDC_CLAIM_email}e:%{OIDC_access_token}e" env=OIDC_access_token
  # Prepend the plain text 'Basic ' and base64-encode username:access_token
  # into the Authorization header
  RequestHeader set Authorization "expr=Basic %{base64:%{HTTP:Authorization}}"
</Proxy>

--- /etc/apache2/sites-available/sogo.conf ---

I removed every SOGoSAML2* config setting from /etc/sogo/sogo.conf and  
changed these settings:


SOGoTrustProxyAuthentication = YES;
NGImap4AuthMechanism = PLAIN;
SOGoForceExternalLoginWithEmail = YES;

You need to adjust dovecot to support the login via PLAIN. The access_token is stored as the password in the PLAIN authentication. To support this, make these changes:


--- /etc/dovecot/conf.d/auth-oauth2.conf.ext ---
auth_mechanisms = $auth_mechanisms plain
passdb {
  driver = oauth2
  mechanisms = plain
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
---

Please note that I use local introspection_mode; you need to copy the keys required to validate the access_token to the directory /etc/dovecot/keys/. The required keys are logged when you enable full debug logs.


--- /etc/dovecot/dovecot-oauth2.plain.conf.ext ---
openid_configuration_url = https://auth.example.com/realms/master/.well-known/openid-configuration

introspection_mode = local
issuers = https://auth.example.com/realms/master
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
client_id = dovecot
client_secret = random_client_secret
scope = email
username_attribute = email
username_format = %Ln
---

Since the access_token from keycloak will expire within a minute (the default) you should change the expiry time to a higher value. This is required since I didn't know how to pass the refresh_token to dovecot to enable dovecot to renew the access_token from time to time... If someone has an idea I'd really like to know.


And one very important piece of information. You need to configure a SOGoUserSources to enable a successful "c_uid" lookup. So create a table as SOGo requires and just put the email from the OIDC_CLAIM_email into the column "c_uid". I think this table isn't really needed; maybe I will make a patch to avoid creating such a table.


Hope this helps some!
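The credential flow the setup above relies on, as an added example that is not part of the post and not code from SOGo, Dovecot or mod_auth_openidc: Apache builds "Basic base64(email:access_token)", SOGo forwards that pair to Dovecot as a PLAIN login, and Dovecot's oauth2 passdb with introspection_mode = local validates the token and checks username_attribute = email against the PLAIN username. The token issuer, signing key and claims are constructed here; the tokens are HS256 only so the example runs with the standard library (Keycloak issues RS256 by default, and the real key lives under /etc/dovecot/keys/). The sixty-second lifetime is the one the post describes, and the second call shows the failure a user hits once it has passed.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example.com/realms/master"   # matches issuers= in dovecot-oauth2.plain.conf.ext
SIGNING_KEY = b"constructed-example-key"             # constructed stand-in for the key under /etc/dovecot/keys/
TOKEN_LIFETIME = 60                                  # seconds; the one-minute lifetime the post mentions


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(email: str, now: int, lifetime: int = TOKEN_LIFETIME) -> str:
    """Constructed stand-in for Keycloak: an HS256 JWT carrying the claims this setup relies on."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "constructed-subject", "email": email,
              "iat": now, "exp": now + lifetime, "scope": "openid email"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_basic_authorization(email: str, access_token: str) -> str:
    """What the two RequestHeader lines in sogo.conf produce: Basic base64(email ':' access_token)."""
    return "Basic " + base64.b64encode(f"{email}:{access_token}".encode()).decode()


def split_basic_authorization(header: str) -> tuple[str, str]:
    """What SOGo hands to Dovecot as PLAIN: the username and the 'password' (the access token)."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password


def validate_token(token: str, username: str, now: int) -> dict:
    """Checks mirroring Dovecot's local oauth2 validation: alg, signature, issuer, expiry and
    username_attribute = email (the PLAIN username must equal the token's email claim)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # never accept alg=none or an alg swap
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("email") != username:
        raise ValueError("username does not match token")
    return claims


def dovecot_plain_login(header: str, now: int) -> tuple[bool, str]:
    """Outcome of the PLAIN login Dovecot sees: (accepted, login name or rejection reason)."""
    try:
        user, token = split_basic_authorization(header)
        claims = validate_token(token, user, now)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, str(exc)
    return True, claims["email"]


if __name__ == "__main__":
    now = int(time.time())
    hdr = build_basic_authorization("alice@example.com", mint_token("alice@example.com", now))
    print(dovecot_plain_login(hdr, now))          # (True, 'alice@example.com')
    print(dovecot_plain_login(hdr, now + 120))    # (False, 'token expired')
```

Two things the example makes visible: the access token is the IMAP password for the whole session, so anything that can read the Authorization header between Apache and SOGo holds a usable credential until exp, and the username check is what stops a valid token for one mailbox from logging in as another, which is why username_attribute = email and OIDCRemoteUserClaim email must agree.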





Re: [SOGo] httpd already installed

2023-07-01 Thread supp...@foxnet.be

On Thursday, June 29, 2023 10:47 CEST, "Marco Moock" (marco.mo...@urz.uni-heidelberg.de) wrote:

Hello everyone

The version installed under RPM is a compiled version and not a package version?

Is there a solution to note the install file of the package?

Michel

On 29.06.2023 "supp...@foxnet.be" (supp...@foxnet.be) wrote:

> Under Debian/Ubuntu, the installation goes correctly.
> On the other hand, under Centos/RockyLinux/Redhat, when you install
> directadmin and then SOGo, it asks you to install httpd, because it
> can't find the install package.

httpd might be apache, nginx or any other webserver.

Install only one of them manually with dnf/apt.