Re: [SOGo] authentication with kerberos

2013-01-11 Thread cmschube
Looks like you might be right.. Well.. back to LDAP I guess.. 

Thanks

Chris



From:   Heiner Markert 
To: users@sogo.nu
Cc: cmsch...@rockwellcollins.com
Date:   01/11/2013 08:10 AM
Subject:    Re: [SOGo] authentication with kerberos



Hello,

this might be bug 1200:
http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner



On Thursday 10 January 2013 23:25:05, cmsch...@rockwellcollins.com wrote:
> Hello - thanks for the response.. As requested.. and a few other things..
>
> /etc/httpd/conf.d/SOGo.conf
>
> ***
> 
>   AuthType Kerberos
>   Require valid-user
>   SetEnv proxy-nokeepalive 1
>   Allow from all
>
>   KrbAuthRealms EXAMPLE.COM
>   KrbServiceName HTTP/host.example@example.com
>   Krb5Keytab /etc/httpd/krb5.keytab
>   KrbLocalUserMapping On
>   RewriteEngine On
>   RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
> 
>
> ProxyRequests Off
> SetEnv proxy-nokeepalive 1
> ProxyPreserveHost On
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
>
> http://127.0.0.1:2/SOGo> [^]
>   RequestHeader set "x-webobjects-server-port" "80"
>   RequestHeader set "x-webobjects-server-name" "host"
>   RequestHeader set "x-webobjects-server-url" "http://host"
>   RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
>   RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
>   RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
>   AddDefaultCharset UTF-8
>   Order allow,deny
> 
> RewriteEngine On
> RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
> ***
>
> And actually - I got this working okay. But the problem still seems to be
> that I have dovecot working with Kerberos - I can telnet into the IMAP
> port using my username and password and it works just fine..
>
> **
> [root@centos01 httpd]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN] Dovecot ready.
> . login username password
> . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
> ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
> ***
>
> My dovecot config looks like this:
>
> ***
> [root@centos01 httpd]# dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
> auth_debug = yes
> auth_debug_passwords = yes
> auth_username_format = %Lu
> auth_verbose = yes
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> ssl_cert =  ssl_key =  userdb {
>   args = uid=503 gid=503 home=/home/vmail/%u
>   driver = static
> }
> ***
>
> The pam_dovecot looks like this...
>
> ***
> [root@centos01 httpd]# cat /etc/pam.d/dovecot
> #%PAM-1.0
> auth    sufficient      pam_krb5.so no_user_check validate
> account sufficient      pam_permit.so
> [root@centos01 httpd]#
>
> However, when I log into SOGo, then I get the error in my
> /var/log/maillog.
>
> Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup
> service=dovecot
>
> Any ideas?
>
> Thanks -
>
> Chris
>
>
>
>
>
> From:   Khapare Joshi 
> To: users@sogo.nu
> Date:   01/10/2013 02:29 PM
> Subject:    Re: [SOGo] authentication with kerberos
>
>
>
> can you share how did you configure sogo with kerberos ?
>
> On Thu, Jan 10, 2013 at 8:03 PM,  wrote:
> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64
> --
> users@sogo.nu
> https://inverse.ca/sogo/lists


-- 
users@sogo.nu
https://inverse.ca/sogo/lists



Re: [SOGo] authentication with kerberos

2013-01-11 Thread Heiner Markert
Hello,

this might be bug 1200:
http://www.sogo.nu/bugs/view.php?id=1200

Best regards,
Heiner



On Thursday 10 January 2013 23:25:05, cmsch...@rockwellcollins.com wrote:
> Hello - thanks for the response.. As requested.. and a few other things..
>
> /etc/httpd/conf.d/SOGo.conf
>
> ***
> 
>   AuthType Kerberos
>   Require valid-user
>   SetEnv proxy-nokeepalive 1
>   Allow from all
>
>   KrbAuthRealms EXAMPLE.COM
>   KrbServiceName HTTP/host.example@example.com
>   Krb5Keytab /etc/httpd/krb5.keytab
>   KrbLocalUserMapping On
>   RewriteEngine On
>   RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
> 
>
> ProxyRequests Off
> SetEnv proxy-nokeepalive 1
> ProxyPreserveHost On
> ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0
>
> http://127.0.0.1:2/SOGo> [^]
>   RequestHeader set "x-webobjects-server-port" "80"
>   RequestHeader set "x-webobjects-server-name" "host"
>   RequestHeader set "x-webobjects-server-url" "http://host"
>   RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
>   RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
>   RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
>   AddDefaultCharset UTF-8
>   Order allow,deny
> 
> RewriteEngine On
> RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
> ***
>
> And actually - I got this working okay. But the problem still seems to be
> that I have dovecot working with Kerberos - I can telnet into the IMAP
> port using my username and password and it works just fine..
>
> **
> [root@centos01 httpd]# telnet localhost 143
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> STARTTLS AUTH=PLAIN] Dovecot ready.
> . login username password
> . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
> SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT
> CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC
> ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
> ***
>
> My dovecot config looks like this:
>
> ***
> [root@centos01 httpd]# dovecot -n
> # 2.0.9: /etc/dovecot/dovecot.conf
> # OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
> auth_debug = yes
> auth_debug_passwords = yes
> auth_username_format = %Lu
> auth_verbose = yes
> disable_plaintext_auth = no
> mbox_write_locks = fcntl
> passdb {
>   driver = pam
> }
> ssl_cert =  ssl_key =  userdb {
>   args = uid=503 gid=503 home=/home/vmail/%u
>   driver = static
> }
> ***
>
> The pam_dovecot looks like this...
>
> ***
> [root@centos01 httpd]# cat /etc/pam.d/dovecot
> #%PAM-1.0
> auth    sufficient  pam_krb5.so no_user_check validate
> account sufficient  pam_permit.so
> [root@centos01 httpd]#
>
> However, when I log into SOGo, then I get the error in my
> /var/log/maillog.
>
> Jan 10 16:19:45 centos01 dovecot: auth: Debug: pam(user,127.0.0.1): lookup
> service=dovecot
>
> Any ideas?
>
> Thanks -
>
> Chris
>
>
>
>
>
> From:   Khapare Joshi 
> To: users@sogo.nu
> Date:   01/10/2013 02:29 PM
> Subject:    Re: [SOGo] authentication with kerberos
>
>
>
> can you share how did you configure sogo with kerberos ?
>
> On Thu, Jan 10, 2013 at 8:03 PM,  wrote:
> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64
> --
> users@sogo.nu
> https://inverse.ca/sogo/lists


-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] authentication with kerberos

2013-01-10 Thread cmschube
Hello - thanks for the response.. As requested.. and a few other things..

/etc/httpd/conf.d/SOGo.conf

***

  AuthType Kerberos
  Require valid-user
  SetEnv proxy-nokeepalive 1
  Allow from all

  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP/host.example@example.com
  Krb5Keytab /etc/httpd/krb5.keytab
  KrbLocalUserMapping On
  RewriteEngine On
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]


ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

http://127.0.0.1:2/SOGo> [^]
  RequestHeader set "x-webobjects-server-port" "80"
  RequestHeader set "x-webobjects-server-name" "host"
  RequestHeader set "x-webobjects-server-url" "http://host"
  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
  RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
  AddDefaultCharset UTF-8
  Order allow,deny

RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
***

And actually - I got this working okay. But the problem still seems to be 
that I have dovecot working with Kerberos - I can telnet into the IMAP 
port using my username and password and it works just fine..

**
[root@centos01 httpd]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
STARTTLS AUTH=PLAIN] Dovecot ready.
. login username password
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT 
CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC 
ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in
***

My dovecot config looks like this:

***
[root@centos01 httpd]# dovecot -n
# 2.0.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 CentOS release 6.3 (Final)
auth_debug = yes
auth_debug_passwords = yes
auth_username_format = %Lu
auth_verbose = yes
disable_plaintext_auth = no
mbox_write_locks = fcntl
passdb {
  driver = pam
}
ssl_cert = 
To: users@sogo.nu
Date:   01/10/2013 02:29 PM
Subject:    Re: [SOGo] authentication with kerberos



can you share how did you configure sogo with kerberos ?

On Thu, Jan 10, 2013 at 8:03 PM,  wrote:
Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
having issues with Dovecot with LDAP, so I configured it with Kerberos, which
works great. However, when SOGO passes the authentication piece to Dovecot, it
uses a lowercase domain name..

i.e.

u...@example.com

instead of

u...@example.com for kerberos to work.

Any insight?

Thanks -

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64
--
users@sogo.nu
https://inverse.ca/sogo/lists


-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] authentication with kerberos

2013-01-10 Thread cmschube
Sorry.. some more information..

If I log into the IMAP service (port 143 via telnet).. I see this in the /var/log/secure

Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: error reading keytab 'FILE:/etc/krb5.keytab'
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds for 'user' (u...@example.com)

However, when I log into SOGo, I get this...

Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for 'u...@example.com' (u...@example.com): Authentication failure (KDC reply did not match expectations)





From:   Khapare Joshi 
To: users@sogo.nu
Date:   01/10/2013 02:29 PM
Subject:    Re: [SOGo] authentication with kerberos



can you share how did you configure sogo with kerberos ?

On Thu, Jan 10, 2013 at 8:03 PM,  wrote:
Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
having issues with Dovecot with LDAP, so I configured it with Kerberos, which
works great. However, when SOGO passes the authentication piece to Dovecot, it
uses a lowercase domain name..

i.e.

u...@example.com

instead of

u...@example.com for kerberos to work.

Any insight?

Thanks -

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64
--
users@sogo.nu
https://inverse.ca/sogo/lists


-- 
users@sogo.nu
https://inverse.ca/sogo/lists
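
Added example (not part of the original message, and not SOGo, Dovecot or pam_krb5 code): a small Python parser for pam_krb5 result lines like the ones quoted above. It records whether the login name arrived with a realm attached and whether the principal's realm matches the expected one case-sensitively. The sample log is constructed; the account name "jdoe" and the realm case on each line are assumptions, since the archive has obscured the addresses.

```python
import re

# Realm taken from KrbAuthRealms in the Apache config quoted in this thread.
EXPECTED_REALM = "EXAMPLE.COM"

# Constructed sample in the pam_krb5 log format shown above. The account
# "jdoe" is made up, and the realm case on each line is an assumption.
SAMPLE_LOG = """\
Jan 10 16:31:19 centos01 auth: pam_krb5[15155]: authentication fails for 'jdoe@example.com' (jdoe@example.com): Authentication failure (KDC reply did not match expectations)
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: TGT verified
Jan 10 16:31:49 centos01 auth: pam_krb5[15155]: authentication succeeds for 'jdoe' (jdoe@EXAMPLE.COM)
"""

AUTH_RE = re.compile(
    r"pam_krb5\[\d+\]: authentication (?P<result>succeeds|fails) "
    r"for '(?P<login>[^']*)' \((?P<principal>[^)]*)\)"
    r"(?:: (?P<reason>.+))?$"
)

def classify_realm(principal, expected_realm):
    """Compare a principal's realm with the expected one, case-sensitively."""
    _, sep, realm = principal.rpartition("@")
    if not sep:
        return "no-realm"
    if realm == expected_realm:
        return "realm-ok"
    if realm.upper() == expected_realm.upper():
        return "realm-case-mismatch"  # Kerberos realm names are case-sensitive
    return "realm-other"

def audit(log_text, expected_realm=EXPECTED_REALM):
    """Return one record per pam_krb5 authentication result line."""
    records = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line.strip())
        if not m:
            continue  # keytab warnings, "TGT verified", other services
        rec = m.groupdict()
        rec["login_has_realm"] = "@" in rec["login"]
        rec["finding"] = classify_realm(rec["principal"], expected_realm)
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r["result"], r["login"], r["principal"], r["finding"], r["reason"] or "")
```

A "realm-case-mismatch" finding on a line where the login already carried a realm points at the client that built the login name rather than at the PAM or KDC configuration.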

Re: [SOGo] authentication with kerberos

2013-01-10 Thread Khapare Joshi
Can you share how you configured SOGo with Kerberos?

On Thu, Jan 10, 2013 at 8:03 PM,  wrote:

> Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
> having issues with Dovecot with LDAP, so I configured it with Kerberos, which
> works great. However, when SOGO passes the authentication piece to Dovecot, it
> uses a lowercase domain name..
>
> i.e.
>
> u...@example.com
>
> instead of
>
> u...@example.com for kerberos to work.
>
> Any insight?
>
> Thanks -
>
> Chris
>
> CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64
>
> sogo-2.0.3a-1.centos6.x86_64
> postfix-2.6.6-2.2.el6_1.x86_64
> dovecot-2.0.9-2.el6_1.1.x86_64
> --
> users@sogo.nu
> https://inverse.ca/sogo/lists
>
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

[SOGo] authentication with kerberos

2013-01-10 Thread cmschube
Is there any way for SOGO to authenticate with UPPERCASE domain names? I was
having issues with Dovecot with LDAP, so I configured it with Kerberos, which
works great. However, when SOGO passes the authentication piece to Dovecot, it
uses a lowercase domain name..

i.e.

u...@example.com

instead of 

u...@example.com for kerberos to work.

Any insight?

Thanks - 

Chris

CentOS release 6.3 (Final) 2.6.32-279.19.1.el6.x86_64

sogo-2.0.3a-1.centos6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
dovecot-2.0.9-2.el6_1.1.x86_64
-- 
users@sogo.nu
https://inverse.ca/sogo/lists