Re: [SOGo] authentication with kerberos

2013-01-11 Thread Heiner Markert
Hello,

this might be bug 1200:
http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner




-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] authentication with kerberos

2013-01-11 Thread cmschube
Looks like you might be right.. Well.. back to LDAP I guess.. 

Thanks

Chris




Re: [SOGo] authentication with kerberos

2013-01-10 Thread Khapare Joshi
Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM, cmsch...@rockwellcollins.com wrote:

 Is there any way for SOGO to authenticate with UPPERCASE domain names? I was having issues with Dovecot with LDAP, so I configured it with Kerberos, which works great. However, when SOGO passes the authentication piece to Dovecot, it uses a lowercase domain name..

 i.e.

 u...@example.com

 instead of

 u...@example.com for kerberos to work.

 Any insight?

 Thanks -

 Chris

 CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

 sogo-2.0.3a-1.centos6.x86_64
 postfix-2.6.6-2.2.el6_1.x86_64
 dovecot-2.0.9-2.el6_1.1.x86_64

Re: [SOGo] authentication with kerberos

2013-01-10 Thread cmschube
Sorry.. some more information..

If I log into the IMAP service (port 143 via telnet).. I see this in the /var/log/secure

Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds for 'user' (u...@example.com)

However, when I log into SOGo, I get this...

Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for 'u...@example.com' (u...@example.com): Authentication failure (KDC reply did not match expectations)





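An added example, not part of the original posts: a small Python triage of pam_krb5 result lines like the ones from /var/log/secure in the message above. It flags failures where the principal's realm differs from the KDC's realm only by letter case (Kerberos realm names are case-sensitive). The sample lines are constructed, because the archive masks the real addresses; the user name `chris` and the function name `triage` are assumptions.

```python
import re

# pam_krb5 result lines, in the shape shown in the thread:
#   authentication succeeds for 'login' (principal)
#   authentication fails for 'login' (principal): reason
RESULT = re.compile(
    r"pam_krb5\[(?P<pid>\d+)\]: authentication (?P<verdict>succeeds|fails) "
    r"for '(?P<login>[^']*)' \((?P<principal>[^)]*)\)(?:: (?P<reason>.*))?$"
)

def triage(lines, realm):
    """Classify pam_krb5 results; `realm` is the realm exactly as the KDC spells it."""
    findings = []
    for line in lines:
        m = RESULT.search(line)
        if not m:
            continue  # keytab warnings, "TGT verified", unrelated services
        login, principal = m["login"], m["principal"]
        sent_realm = login.partition("@")[2]       # "" when a bare name was sent
        princ_realm = principal.rpartition("@")[2]
        if m["verdict"] == "succeeds":
            status = "ok"
        elif princ_realm != realm and princ_realm.lower() == realm.lower():
            status = "realm-case-mismatch"
        else:
            status = "other-failure"
        findings.append({"login": login, "principal": principal,
                         "login_has_realm": bool(sent_realm),
                         "status": status, "reason": m["reason"]})
    return findings

# Constructed sample: "chris" and both realm spellings are placeholders,
# not values taken from the thread.
SAMPLE = [
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified",
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds "
    "for 'chris' (chris@EXAMPLE.COM)",
    "Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for "
    "'chris@example.com' (chris@example.com): Authentication failure "
    "(KDC reply did not match expectations)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE, realm="EXAMPLE.COM"):
        print(f"{f['status']:<20} login={f['login']!r} principal={f['principal']!r}")
```

The `login_has_realm` field separates logins that arrived as a bare user name from those that arrived with a realm already attached, which is the difference between the telnet test and the SOGo login in the thread.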

Re: [SOGo] authentication with kerberos

2013-01-10 Thread cmschube
Hello - thanks for the response.. As requested.. and a few other things..

/etc/httpd/conf.d/SOGo.conf

***
<Location /SOGo>
  AuthType Kerberos
  Require valid-user
  SetEnv proxy-nokeepalive 1
  Allow from all

  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP/host.example@example.com
  Krb5Keytab /etc/httpd/krb5.keytab
  KrbLocalUserMapping On
  RewriteEngine On
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

<Proxy http://127.0.0.1:2/SOGo [^]>
  RequestHeader set x-webobjects-server-port 80
  RequestHeader set x-webobjects-server-name host
  RequestHeader set x-webobjects-server-url http://host;
  RequestHeader set x-webobjects-remote-user %{REMOTE_USER}e
  RequestHeader set x-webobjects-server-protocol HTTP/1.0
  RequestHeader set x-webobjects-remote-host %{REMOTE_HOST}e env=REMOTE_HOST
  AddDefaultCharset UTF-8
  Order allow,deny
</Proxy>
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
***

And actually - I got this working okay. But the problem still seems to be 
that I have dovecot working with Kerberos - I can telnet into the IMAP 
port using my username and password and it works just fine..

***
[root@centos01 httpd]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
. login username password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
***

My dovecot config looks like this:

***
[root@centos01 httpd]# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_username_format = %Lu
auth_verbose = yes
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_key = /etc/pki/dovecot/private/dovecot.pem
userdb {
  args = uid=503 gid=503 home=/home/vmail/%u
  driver = static
}
***

The pam_dovecot looks like this...

***
[root@centos01 httpd]# cat /etc/pam.d/dovecot
#%PAM-1.0
auth    sufficient  pam_krb5.so no_user_check validate
account sufficient  pam_permit.so
[root@centos01 httpd]#
***

However, when I log into SOGo, then I get the error in my /var/log/maillog.

Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup service=dovecot

Any ideas?

Thanks - 

Chris




