[SOGo] SOGo + Dovecot + Keycloak + Apache + libapache2-mod-auth-openidc -> working setup
Hi, after trying to get SAML working with Dovecot without success for several days, I tried a different approach today. Instead of using SAML I switched to the libapache2-mod-auth-openidc module. I changed the Apache sogo.conf to support the OIDC module with the settings below. Please note that you need to add some checks for valid claims; take a look at https://github.com/OpenIDC/mod_auth_openidc/wiki -> "Require claim sub:".

--- /etc/apache2/sites-available/sogo.conf ---
OIDCCryptoPassphrase "verylongsecret"
OIDCProviderMetadataURL https://auth.example.com/realms/master/.well-known/openid-configuration
# Must match the externally reachable URL of the SOGo site as registered in Keycloak
OIDCRedirectURI http://sogo.example.com/redirect_uri
OIDCClientID SOGo
OIDCClientSecret random_client_secret
OIDCRemoteUserClaim email
OIDCScope "email openid"
OIDCAuthNHeader x-webobjects-remote-user
OIDCXForwardedHeaders X-Forwarded-Proto X-Forwarded-Port X-Forwarded-Host
OIDCPassClaimsAs both

# The enclosing container was lost from the posted text; AuthType/Require need a
# directory-style context, so a <Location /SOGo> block is assumed here
<Location /SOGo>
    AuthType openid-connect
    Require valid-user
</Location>

# Port as posted (possibly truncated); SOGo's stock sogo.conf proxies to sogod on 127.0.0.1:20000
<Proxy http://127.0.0.1:2/SOGo>
    # Add Basic Authorization
    RequestHeader set "x-webobjects-auth-type" "Basic"
    # Combine username and password with a colon ':' only when a valid access_token is available
    RequestHeader set Authorization "%{OIDC_CLAIM_email}e:%{OIDC_access_token}e" env=OIDC_access_token
    # Prepend the plain text 'Basic ' to the base64-encoded username:access_token in the Authorization header
    RequestHeader set Authorization "expr=Basic %{base64:%{HTTP:Authorization}}"
</Proxy>
--- /etc/apache2/sites-available/sogo.conf ---

I removed every SOGoSAML2* config setting from /etc/sogo/sogo.conf and changed these settings:

SOGoTrustProxyAuthentication = YES;
NGImap4AuthMechanism = PLAIN;
SOGoForceExternalLoginWithEmail = YES;

You need to adjust Dovecot to support login via PLAIN. The access_token is stored as the password in the PLAIN authentication.
To support this, make these changes:

--- /etc/dovecot/conf.d/auth-oauth2.conf.ext ---
auth_mechanisms = $auth_mechanisms plain
passdb {
  driver = oauth2
  mechanisms = plain
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
---

Please note that I use local introspection_mode; you need to copy the keys required to validate the access_token to the directory /etc/dovecot/keys/. The required keys are logged when you enable full debug logs.

--- /etc/dovecot/dovecot-oauth2.plain.conf.ext ---
openid_configuration_url = https://auth.example.com/realms/master/.well-known/openid-configuration
introspection_mode = local
issuers = https://auth.example.com/realms/master
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
client_id = dovecot
client_secret = random_client_secret
scope = email
username_attribute = email
username_format = %Ln
---

Since the access_token from Keycloak will expire within a minute (the default), you should change the expiry time to a higher value. This is required since I didn't know how to pass the refresh_token to Dovecot to enable Dovecot to renew the access_token from time to time... If someone has an idea I would really like to know.

And one very important piece of information: you need to configure a SOGoUserSources to enable a successful "c_uid" lookup. So create a table as SOGo requires and just put the email from OIDC_CLAIM_email into the column "c_uid". I think this table isn't really needed; maybe I will make a patch to avoid creating such a table.

Hope this helps someone!
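As an added example (not the original poster's code, and not SOGo's or Dovecot's own), here is what the Apache RequestHeader chain above actually hands to the PLAIN login, and the checks a local-introspection validator such as the Dovecot config above must make before trusting the token, including the expiry failure mode that the post works around by raising Keycloak's token lifespan. The issuer URL, client ID and username_attribute = email are taken from the post; the HS256 signing secret is an assumption so that the example runs offline, whereas Keycloak really signs with RS256 and Dovecot verifies against the realm public keys copied to /etc/dovecot/keys/.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the poster's Keycloak realm. Keycloak signs access tokens with
# RS256 and Dovecot's local introspection_mode verifies them with the realm public keys in
# /etc/dovecot/keys/; to run offline this example signs with an HS256 secret instead
# (assumption for illustration), so the checks are the same but the primitive is not.
ISSUER = "https://auth.example.com/realms/master"   # the post's 'issuers =' line
SIGNING_SECRET = b"constructed-demo-signing-secret"  # stands in for the realm's RSA key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(email: str, lifetime_s: int, now: int) -> str:
    """Build a JWT shaped like a Keycloak access token (iss, azp, iat, exp, email claims)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "azp": "SOGo", "iat": now, "exp": now + lifetime_s,
              "scope": "openid email", "email": email}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def apache_authorization_header(email: str, access_token: str) -> str:
    """Reproduce the post's two RequestHeader lines: 'email:token', then 'Basic ' + base64 of it."""
    plain = f"{email}:{access_token}"
    return "Basic " + base64.b64encode(plain.encode()).decode()


def split_basic(header: str) -> tuple:
    """What the PLAIN side sees: the user and the 'password', which is the access token."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(encoded).decode().partition(":")
    if not sep:
        raise ValueError("no ':' separator in credentials")
    return user, password


def validate_locally(token: str, presented_user: str, now: int) -> str:
    """Checks a local validator must make before trusting the token: signature, alg,
    issuer, expiry, and that username_attribute (email) equals the presented user."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(SIGNING_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")   # the failure behind the post's lifespan advice
    if claims.get("email") != presented_user:
        raise ValueError("username does not match the email claim")
    return claims["email"]


def login_outcome(email: str, lifetime_s: int, issued_at: int, login_at: int) -> str:
    """Run the full hand-off; return 'ok:<user>' or 'fail:<reason>'."""
    token = mint_access_token(email, lifetime_s, issued_at)
    user, password = split_basic(apache_authorization_header(email, token))
    try:
        return "ok:" + validate_locally(password, user, login_at)
    except ValueError as err:
        return "fail:" + str(err)


if __name__ == "__main__":
    t0 = int(time.time())
    print(login_outcome("alice@example.com", 60, t0, t0 + 30))   # within the 1-minute lifespan
    print(login_outcome("alice@example.com", 60, t0, t0 + 120))  # IMAP reconnect after expiry
```

The second call is the case the post describes: SOGo reuses the same Basic credentials for every IMAP connection, so once the access token has outlived Keycloak's lifespan every mailbox login fails until the user re-authenticates through the browser, which is why a longer lifespan (or a refresh mechanism) is needed.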
Re: [SOGo] httpd already installed
Hello everyone

The version installed under RPM is a compiled version and not a package version? Is there a solution to note the install file of the package?

Michel

On Thursday, June 29, 2023 10:47 CEST, "Marco Moock" (marco.mo...@urz.uni-heidelberg.de) wrote:
> On 29.06.2023 "supp...@foxnet.be" (supp...@foxnet.be) wrote:
> > Under Debian/Ubuntu, the installation goes correctly.
> > On the other hand, under Centos/RockyLinux/Redhat, when you install
> > directadmin and then SOGo, it asks you to install httpd, because it
> > can't find the install package.
>
> httpd might be apache, nginx or any other webserver. Install only one of them manually with dnf/apt.