Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain
Hi Matthias,

Many thanks again for your advice - feedback on this

Best regards

From: users-requ...@sogo.nu on behalf of Matthias Kneer
Sent: Monday, March 1, 2021 9:09 PM
To: users@sogo.nu
Subject: Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain

Hi,

> We have found the solution at the below path:
>
> /usr/lib64/GNUstep/SOGo/WebServerResources/js/Main.js

While this might work for now, I don't think that this is a good long term solution. You will / might run into trouble once you update SOGo since this file might be overwritten. Another issue: This won't work dynamically if you need to allow multiple domains in the future.

I would suggest to create / modify a table view which only returns users from the domain that should be able to login. Your view should return the following columns (documented in section "5.10. Authentication using SQL" of the installation guide):

c_uid: will be used for authentication - it’s a username or usern...@domain.tld
c_name: will be used to uniquely identify entries - which can be identical to c_uid
c_password: password of the user, plain text, crypt, md5 or sha encoded
c_cn: the user’s common name
mail: the user’s email address

I don't know what your current sogo user database table looks like, so here's just a rough example on how to create such a "filtered" view, the view is called "sogo_view" and the source table is called "mail_users", this has to be adjusted to match your environment:

    CREATE VIEW sogo_view AS
    SELECT username AS c_uid,
           password AS c_password,
           username AS c_name,
           fullname AS c_cn
    FROM mail_users
    WHERE username LIKE '%@test2.com';

After you've created that view, and granted privileges to the sogo postgres user, you can reference it in your SOGoUserSources hash like this:

    viewURL = "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_view";

I hope this helps.

- Matthias

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain
Hi,

> We have found the solution at the below path:
>
> /usr/lib64/GNUstep/SOGo/WebServerResources/js/Main.js

While this might work for now, I don't think that this is a good long term solution. You will / might run into trouble once you update SOGo since this file might be overwritten. Another issue: This won't work dynamically if you need to allow multiple domains in the future.

I would suggest to create / modify a table view which only returns users from the domain that should be able to login. Your view should return the following columns (documented in section "5.10. Authentication using SQL" of the installation guide):

c_uid: will be used for authentication - it’s a username or usern...@domain.tld
c_name: will be used to uniquely identify entries - which can be identical to c_uid
c_password: password of the user, plain text, crypt, md5 or sha encoded
c_cn: the user’s common name
mail: the user’s email address

I don't know what your current sogo user database table looks like, so here's just a rough example on how to create such a "filtered" view, the view is called "sogo_view" and the source table is called "mail_users", this has to be adjusted to match your environment:

    CREATE VIEW sogo_view AS
    SELECT username AS c_uid,
           password AS c_password,
           username AS c_name,
           fullname AS c_cn
    FROM mail_users
    WHERE username LIKE '%@test2.com';

After you've created that view, and granted privileges to the sogo postgres user, you can reference it in your SOGoUserSources hash like this:

    viewURL = "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_view";

I hope this helps.

- Matthias
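Added example, not part of the original message or of SOGo's documentation: the filtered view combined with the dedicated login column suggested earlier in the thread, for PostgreSQL. The names mail_users, username, password and fullname follow the rough example above; the column name sogo_login, the use of username as the mail address, and running the script as the owner of mail_users (not as the sogo role) are assumptions.

```sql
-- Added example; table, column and role names are assumptions (see lead-in).
BEGIN;

-- Per-account switch, so allowing another domain or a single user later
-- is a data change and not a change to the view or to SOGo's files.
ALTER TABLE mail_users
    ADD COLUMN sogo_login boolean NOT NULL DEFAULT false;

-- Enable web login for the one permitted domain. lower() makes the
-- match independent of how the address was capitalised when stored.
UPDATE mail_users
   SET sogo_login = true
 WHERE lower(username) LIKE '%@test2.com';

-- The view exposes only enabled accounts, under the column names
-- listed in "5.10. Authentication using SQL".
CREATE VIEW sogo_view AS
SELECT username AS c_uid,
       username AS c_name,
       password AS c_password,
       fullname AS c_cn,
       username AS mail      -- assumes the login name is the mail address
  FROM mail_users
 WHERE sogo_login;

-- Least privilege: the sogo role reads the view only. The view runs with
-- its owner's rights on mail_users, so sogo needs no access to the table.
REVOKE ALL ON mail_users FROM sogo;
GRANT SELECT ON sogo_view TO sogo;

COMMIT;

-- Check as the sogo role: only accounts allowed to log in are listed,
-- and a direct SELECT on mail_users is refused.
SELECT c_uid FROM sogo_view ORDER BY c_uid;
```

Because the filter is applied where SOGo looks up the account, it holds for every client that authenticates through this user source, not only for the web login form.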
Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain
Dear Matthias,

Good day again,

We have found the solution at the below path:

/usr/lib64/GNUstep/SOGo/WebServerResources/js/Main.js

Change the code as per below:

    this.login = function() {
        // Only accounts in this domain may use the web login form.
        // This check runs in the browser only.
        var checkStr = "test2.com";
        // Match the domain as a suffix; includes() would also accept
        // user names that merely contain "test2.com".
        if (r.creds.username.endsWith("@" + checkStr)) {
            return r.loginState = "authenticating", a.login(r.creds).then(function(o) {
                o.gamissingkey ? r.loginState = "googleauthenticatorcode" : (r.loginState = "logged", r.cn = o.cn, t(function() {
                    n.location.href === o.url ? n.location.reload(!0) : n.location.href = o.url
                }, 1e3))
            }, function(o) {
                r.loginState = "error", r.errorMessage = o.error
            }), !1
        } else {
            // No server response object "o" exists in this branch,
            // so the message is set directly.
            return r.loginState = "error", r.errorMessage = "Login is not allowed for this domain", !1;
        }
    }

Thanks for your time!

Best regards,

From: users-requ...@sogo.nu on behalf of Pou Pas Kale
Sent: Monday, March 1, 2021 8:56 AM
To: users@sogo.nu
Subject: Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain

Dear Matthias,

Good day,

Many thanks for our feedback. The authentication we are using is under PostgreSQL.

Could you please send me an example from your below suggestions about "authView" & "add a dedicated column"?

Many thanks again for your feedback.

Best regards,

From: users-requ...@sogo.nu on behalf of Matthias Kneer
Sent: Monday, March 1, 2021 1:16 AM
To: users@sogo.nu
Subject: Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain

Hi,

> If we tried to login to
> an email account with the other domain (t...@b.com), then the system
> should not proceed. Your assistance is highly appreciated.

What kind of authentication / user backend are you using?

If you are using SQL, you just have to modify your authView to only return users of domain a.com. You could also add a dedicated column to your mail users table like "sogoLogin" and only return users in your view where "sogoLogin" is true / 1.

If you are using LDAP, there's a specific example in the installation guide (https://www.sogo.nu/files/docs/SOGoInstallationGuide.html) under "5.4. Authentication using LDAP".

> the following filter to return only entries belonging to the
> organization Inverse with a mail address and not inactive:
> filter = "(o='Inverse' AND mail='*' AND status <> 'inactive')";

This can of course be specifically altered to your requirements.

- Matthias
Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain
Dear Matthias,

Good day,

Many thanks for our feedback. The authentication we are using is under PostgreSQL.

Could you please send me an example from your below suggestions about "authView" & "add a dedicated column"?

Many thanks again for your feedback.

Best regards,

From: users-requ...@sogo.nu on behalf of Matthias Kneer
Sent: Monday, March 1, 2021 1:16 AM
To: users@sogo.nu
Subject: Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain

Hi,

> If we tried to login to
> an email account with the other domain (t...@b.com), then the system
> should not proceed. Your assistance is highly appreciated.

What kind of authentication / user backend are you using?

If you are using SQL, you just have to modify your authView to only return users of domain a.com. You could also add a dedicated column to your mail users table like "sogoLogin" and only return users in your view where "sogoLogin" is true / 1.

If you are using LDAP, there's a specific example in the installation guide (https://www.sogo.nu/files/docs/SOGoInstallationGuide.html) under "5.4. Authentication using LDAP".

> the following filter to return only entries belonging to the
> organization Inverse with a mail address and not inactive:
> filter = "(o='Inverse' AND mail='*' AND status <> 'inactive')";

This can of course be specifically altered to your requirements.

- Matthias
Re: [SOGo] Restrict Web Access at SOGo from specific User - Domain
Hi,

> If we tried to login to
> an email account with the other domain (t...@b.com), then the system
> should not proceed. Your assistance is highly appreciated.

What kind of authentication / user backend are you using?

If you are using SQL, you just have to modify your authView to only return users of domain a.com. You could also add a dedicated column to your mail users table like "sogoLogin" and only return users in your view where "sogoLogin" is true / 1.

If you are using LDAP, there's a specific example in the installation guide (https://www.sogo.nu/files/docs/SOGoInstallationGuide.html) under "5.4. Authentication using LDAP".

> the following filter to return only entries belonging to the
> organization Inverse with a mail address and not inactive:
> filter = "(o='Inverse' AND mail='*' AND status <> 'inactive')";

This can of course be specifically altered to your requirements.

- Matthias
[SOGo] Restrict Web Access at SOGo from specific User - Domain
Hi,

I am trying to setup the sogo.conf file on a CentOS 8 Server, in order to restrict the Web access from specific users - domains.

For example, we have created 2 Domains (a.com & b.com). We need to login at SOGo platform only from t...@a.com domain. If we tried to login to an email account with the other domain (t...@b.com), then the system should not proceed.

Your assistance is highly appreciated.