Re: [SOGo] authentication with kerberos
Looks like you might be right.. Well.. back to LDAP I guess..

Thanks

Chris

From: Heiner Markert
To: users@sogo.nu
Cc: cmsch...@rockwellcollins.com
Date: 01/11/2013 08:10 AM
Subject: Re: [SOGo] authentication with kerberos

Hello,

this might be bug 1200: http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner

On Thursday 10 January 2013 23:25:05, cmsch...@rockwellcollins.com wrote:
> Hello - thanks for the response.. As requested.. and a few other things..
>
> /etc/httpd/conf.d/SOGo.conf
>
> ***
>
> AuthType Kerberos
> Require valid-user
> SetEnv proxy-nokeepalive 1
> Allow from all
>
> KrbAuthRealms EXAMPLE.COM
> KrbServiceName HTTP/host.example@example.com
> Krb5Keytab /etc/httpd/krb5.keytab
> KrbLocalUserMapping On
> RewriteEngine On
> RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
>
> ProxyRequests Off
> SetEnv proxy-nokeepalive 1
> ProxyPreserveHost On
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
>
> http://127.0.0.1:2/SOGo> [^]
> RequestHeader set "x-webobjects-server-port" "80"
> RequestHeader set "x-webobjects-server-name" "host"
> RequestHeader set "x-webobjects-server-url" "http://host";
> RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
> RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
> RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
> AddDefaultCharset UTF-8
> Order allow,deny
>
> RewriteEngine On
> RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
> ***
>
> And actually - I got this working okay. But the problem still seems to be
> that I have dovecot working with Kerberos - I can telnet into the IMAP
> port using my username and password and it works just fine..
>
> **
> [root@centos01 httpd]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN] Dovecot ready.
> . login username password
> . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
> ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
> ***
>
> My dovecot config looks like this:
>
> ***
> [root@centos01 httpd]# dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
> auth_debug = yes
> auth_debug_passwords = yes
> auth_username_format = %Lu
> auth_verbose = yes
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> ssl_cert =
> ssl_key =
> userdb {
>   args = uid=503 gid=503 home=/home/vmail/%u
>   driver = static
> }
> ***
>
> The pam_dovecot looks like this...
>
> ***
> [root@centos01 httpd]# cat /etc/pam.d/dovecot
> #%PAM-1.0
> auth sufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so
> [root@centos01 httpd]#
>
> However, when I log into SOGo, then I get the error in my /var/log/maillog.
>
> Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup service=dovecot
>
> Any ideas?
>
> Thanks -
>
> Chris
>
> From: Khapare Joshi
> To: users@sogo.nu
> Date: 01/10/2013 02:29 PM
> Subject: Re: [SOGo] authentication with kerberos
>
> Can you share how you configured SOGo with Kerberos?
>
> On Thu, Jan 10, 2013 at 8:03 PM, wrote:
> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] authentication with kerberos
Hello,

this might be bug 1200: http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner

On Thursday 10 January 2013 23:25:05, cmsch...@rockwellcollins.com wrote:
> Hello - thanks for the response.. As requested.. and a few other things..
>
> /etc/httpd/conf.d/SOGo.conf
>
> ***
>
> AuthType Kerberos
> Require valid-user
> SetEnv proxy-nokeepalive 1
> Allow from all
>
> KrbAuthRealms EXAMPLE.COM
> KrbServiceName HTTP/host.example@example.com
> Krb5Keytab /etc/httpd/krb5.keytab
> KrbLocalUserMapping On
> RewriteEngine On
> RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
>
> ProxyRequests Off
> SetEnv proxy-nokeepalive 1
> ProxyPreserveHost On
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
>
> http://127.0.0.1:2/SOGo> [^]
> RequestHeader set "x-webobjects-server-port" "80"
> RequestHeader set "x-webobjects-server-name" "host"
> RequestHeader set "x-webobjects-server-url" "http://host";
> RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
> RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
> RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
> AddDefaultCharset UTF-8
> Order allow,deny
>
> RewriteEngine On
> RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
> ***
>
> And actually - I got this working okay. But the problem still seems to be
> that I have dovecot working with Kerberos - I can telnet into the IMAP
> port using my username and password and it works just fine..
>
> **
> [root@centos01 httpd]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN] Dovecot ready.
> . login username password
> . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
> ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
> ***
>
> My dovecot config looks like this:
>
> ***
> [root@centos01 httpd]# dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
> auth_debug = yes
> auth_debug_passwords = yes
> auth_username_format = %Lu
> auth_verbose = yes
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> ssl_cert =
> ssl_key =
> userdb {
>   args = uid=503 gid=503 home=/home/vmail/%u
>   driver = static
> }
> ***
>
> The pam_dovecot looks like this...
>
> ***
> [root@centos01 httpd]# cat /etc/pam.d/dovecot
> #%PAM-1.0
> auth sufficient pam_krb5.so no_user_check validate
> account sufficient pam_permit.so
> [root@centos01 httpd]#
>
> However, when I log into SOGo, then I get the error in my /var/log/maillog.
>
> Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup service=dovecot
>
> Any ideas?
>
> Thanks -
>
> Chris
>
> From: Khapare Joshi
> To: users@sogo.nu
> Date: 01/10/2013 02:29 PM
> Subject: Re: [SOGo] authentication with kerberos
>
> Can you share how you configured SOGo with Kerberos?
>
> On Thu, Jan 10, 2013 at 8:03 PM, wrote:
> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64
Re: [SOGo] authentication with kerberos
Hello - thanks for the response.. As requested.. and a few other things..

/etc/httpd/conf.d/SOGo.conf

***
AuthType Kerberos
Require valid-user
SetEnv proxy-nokeepalive 1
Allow from all

KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/host.example@example.com
Krb5Keytab /etc/httpd/krb5.keytab
KrbLocalUserMapping On
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

http://127.0.0.1:2/SOGo> [^]
RequestHeader set "x-webobjects-server-port" "80"
RequestHeader set "x-webobjects-server-name" "host"
RequestHeader set "x-webobjects-server-url" "http://host";
RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny

RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
***

And actually - I got this working okay. But the problem still seems to be that I have dovecot working with Kerberos - I can telnet into the IMAP port using my username and password and it works just fine..

**
[root@centos01 httpd]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
. login username password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
***

My dovecot config looks like this:

***
[root@centos01 httpd]# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_username_format = %Lu
auth_verbose = yes
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert =

To: users@sogo.nu
Date: 01/10/2013 02:29 PM
Subject: Re: [SOGo] authentication with kerberos

Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM, wrote:

Is there any way for SOGO to authenticate with UPPERCASE domain names? I was having issues with Dovecot with LDAP, so I configured it with Kerberos, which works great. However, when SOGO passes the authentication piece to Dovecot, it uses a lowercase domain name..

i.e.

u...@example.com

instead of

u...@example.com for kerberos to work.

Any insight?

Thanks -

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64
Re: [SOGo] authentication with kerberos
Sorry.. some more information..

If I log into the IMAP service (port 143 via telnet).. I see this in the /var/log/secure

Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds for 'user' (u...@example.com)

However, when I log into SOGo, I get this...

Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for 'u...@example.com' (u...@example.com): Authentication failure (KDC reply did not match expectations)

From: Khapare Joshi
To: users@sogo.nu
Date: 01/10/2013 02:29 PM
Subject: Re: [SOGo] authentication with kerberos

Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM, wrote:

Is there any way for SOGO to authenticate with UPPERCASE domain names? I was having issues with Dovecot with LDAP, so I configured it with Kerberos, which works great. However, when SOGO passes the authentication piece to Dovecot, it uses a lowercase domain name..

i.e.

u...@example.com

instead of

u...@example.com for kerberos to work.

Any insight?

Thanks -

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64
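
Added example (not part of the original thread, and not SOGo, Dovecot or pam_krb5 code): a small Python triage over pam_krb5 result lines of the kind quoted in the message above, flagging failures where the principal's realm differs from the expected realm only by letter case. The expected realm is taken from KrbAuthRealms in the thread; the function names and the sample log lines are constructed for illustration, because the archive masks the real addresses.

```python
import re

# Assumption: the realm from KrbAuthRealms in the thread's Apache config.
EXPECTED_REALM = "EXAMPLE.COM"

# pam_krb5 result messages as quoted in the thread:
#   authentication succeeds|fails for 'LOGIN' (PRINCIPAL)[: REASON]
PAM_KRB5 = re.compile(
    r"pam_krb5\[\d+\]: authentication (?P<result>succeeds|fails) for "
    r"'(?P<login>[^']*)' \((?P<principal>[^)]*)\)(?:: (?P<reason>.*))?$"
)

def classify(line, expected_realm=EXPECTED_REALM):
    """Return a verdict dict for a pam_krb5 result line, None for other lines."""
    m = PAM_KRB5.search(line.rstrip())
    if m is None:
        return None
    realm = m["principal"].rpartition("@")[2] if "@" in m["principal"] else ""
    if m["result"] == "succeeds":
        verdict = "ok"
    elif realm != expected_realm and realm.upper() == expected_realm.upper():
        # Kerberos realm names are case-sensitive: example.com != EXAMPLE.COM.
        verdict = "realm-case-mismatch"
    else:
        verdict = "other-failure"
    return {"login": m["login"], "realm": realm, "verdict": verdict,
            "reason": m["reason"]}

def triage(lines, expected_realm=EXPECTED_REALM):
    """Classify every pam_krb5 result line; unrelated lines are skipped."""
    return [r for r in (classify(l, expected_realm) for l in lines) if r]

# Constructed sample lines modelled on the thread (names and realms made up).
SAMPLE = [
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified",
    "Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds "
    "for 'user' (user@EXAMPLE.COM)",
    "Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for "
    "'user@example.com' (user@example.com): Authentication failure "
    "(KDC reply did not match expectations)",
    "Jan 10 16:32:02 centos01 auth: pam_krb5[15155]: authentication fails for "
    "'user' (user@EXAMPLE.COM): Authentication failure (Preauthentication failed)",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['verdict']:20} login={r['login']!r} realm={r['realm']!r}")
```

A "realm-case-mismatch" verdict points at whatever component supplied the login name to PAM, since the same account succeeds when the realm arrives in the expected case.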
Re: [SOGo] authentication with kerberos
Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM, wrote:
> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64
[SOGo] authentication with kerberos
Is there any way for SOGO to authenticate with UPPERCASE domain names? I was having issues with Dovecot with LDAP, so I configured it with Kerberos, which works great. However, when SOGO passes the authentication piece to Dovecot, it uses a lowercase domain name..

i.e.

u...@example.com

instead of

u...@example.com for kerberos to work.

Any insight?

Thanks -

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64