I'm having issues getting our instance of SOGo to authenticate with CAS. We have been running both SOGo and CAS for a while, and I figure it is now time to try to get them to work together. I am able to authenticate to the SOGo web interface but am getting that "failure to obtain a PGT from the C.A.S. service". Both the SOGo server (sogo.domain.com) and the CAS server (auth.domain.com) are using SSL with valid (signed by GoDaddy's CA) certificates. I have cas-proxy-validate.py installed and this in my apache2 SOGo.conf file:

----------------- conf.d/SOGo.conf ------------
ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
#<Proxy http://localhost/app/cas-proxy-validate.py>
<Proxy http://localhost/cgi-bin/cas-proxy-validate.py>
  Order deny,allow
  Allow from all
</Proxy>
-----------------------------------------------------

I did change the <Proxy http://localhost/app/cas-proxy-validate.py> to <Proxy http://localhost/cgi-bin/cas-proxy-validate.py>; I would assume that is a typo in the conf.d/SOGo.conf file. I do get the "missing parameter." when I go to https://sogo.domain.com/SOGo/casProxy, so the cas-proxy-validate.py CGI is running. (Notice I did set "Allow from all", at least for now, to rule that out.)

Here is my SOGo .GNUStepDefaults:

------------- .GNUStepDefaults ---------------
{
    NSGlobalDomain = {
    };
    sogod = {
    OCSEMailAlarmsFolderURL = "postgresql://sogo:**********@db04.private:5432/sogotesting/sogo_alarms_folder";
    OCSFolderInfoURL = "postgresql://sogo:**********@db04.private:5432/sogotesting/sogo_folder_info";
    OCSSessionsFolderURL = "postgresql://sogo:**********@db04.private:5432/sogotesting/sogo_sessions_folder";
    SOGoACLsSendEMailNotifications = YES;
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoAuthenticationType = cas;
    SOGoCASServiceURL = https://auth.domain.com/cas;
    SOGoDraftsFolderName = INBOX.Drafts;
    SOGOEnableEmailAlarms = YES;
    SOGoFoldersSendEMailNotifications = YES;
    SOGoForceIMAPLoginWithEmail = YES;
    SOGoIMAPServer = mailbackend.private;
    SOGoLanguage = English;
    SOGoMailDomain = emaildomain.com;
    SOGoMailingMechanism = smtp;
    SOGoOtherUsersFolderName = "Other Users";
    SOGoProfileURL = "postgresql://sogo:**********@db04.private:5432/sogotesting/sogo_user_profile";
    SOGoSentFolderName = INBOX.Sent;
    SOGoSharedFolderName = "INBOX.Shared Folders";
    SOGoTimeZone = America/Chicago;
    SOGoTrashFolderName = INBOX.Trash;
    domains = {
        esu10.org = {
            SOGoMailDomain = emaildomain.com;
            SOGoSMTPServer = mail.domain.com;
            SOGoUserSources = (
                {
                CNFieldName = cn;
                IDFieldName = uid;
                UIDFieldName = mail;
                baseDN = "dc=domain,dc=com";
                bindDN = "cn=Search,dc=domain,dc=com";
                bindFields = (mail);
                bindPassword = ****************;
                canAuthenticate = YES;
                displayName = "Global Address Book";
                hostname = ldap.private;
                id = emaildomain;
                isAddressBook = YES;
                port = 389;
                type = ldap;
                scope = sub;
                }
            );
        }
    };
    WOUseRelativeURLs = YES;
    WOWorkersCount = 10;
    };
}
-----------------------------------------------------

I also have "PREFORK=10" in /etc/default/sogo. I'm not sure if I also need WOWorkersCount so I set both.

Here are the relevant logs from both SOGo and Jasig's CAS for an example of a "failure to obtain a PGT from the C.A.S. service":

------- from sogo.log --------------------------
Aug 23 11:28:41 sogod [18674]: [WARN] <0x0xfa3280[SOGoCASSession]> failure to obtain a PGT from the C.A.S. service
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/so/?ticket=ST-4913-6Yrbmq9cu20LPGRdUY4h-cas HTTP/1.1" 302 0/0 0.118 - - 900K
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/ HTTP/1.1" 302 0/0 0.013 - - 432K
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/[email protected] HTTP/1.1" 302 0/0 0.002 - - 44K
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/[email protected]/view HTTP/1.1" 302 0/0 0.004 - - 12K
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/so/[email protected]/Mail HTTP/1.1" 302 0/0 0.002 - - 24K
2011-08-23 11:28:41.213 sogod[18674] WARNING: IMAP4 connection pooling is disabled!
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x0x119c920[SOGoCASSession]> attempted to obtain a ticket for service 'imap://mailbackend.private' while no PGT available
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x011B95C0[SOGoMailAccount]:0> no IMAP4 password available
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x011A4270[SOGoMailFolder]:folderINBOX> Could not connect IMAP4
localhost - - [23/Aug/2011:11:28:41 GMT] "GET /SOGo/so/[email protected]/Mail/view HTTP/1.1" 200 7075/0 0.065 27969 74% 2M
Aug 23 11:28:41 sogod [18674]: [WARN] <0x0xf9ca90[SOGoWebDAVAclManager]> entry '{DAV:}write' already exists in DAV permissions table
Aug 23 11:28:41 sogod [18674]: [WARN] <0x0xf9ca90[SOGoWebDAVAclManager]> entry '{DAV:}write-properties' already exists in DAV permissions table
Aug 23 11:28:41 sogod [18674]: [WARN] <0x0xf9ca90[SOGoWebDAVAclManager]> entry '{DAV:}write-content' already exists in DAV permissions table
localhost - - [23/Aug/2011:11:28:41 GMT] "POST /SOGo/so/[email protected]/Calendar/alarmslist?browserTime=1314116921 HTTP/1.1" 200 2/0 0.010 - - 128K
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x0xf94e80[SOGoCASSession]> attempted to obtain a ticket for service 'imap://mailbackend.private' while no PGT available
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x0107E620[SOGoMailAccount]:0> no IMAP4 password available
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x0107E620[SOGoMailAccount]:0> Could not connect IMAP4
localhost - - [23/Aug/2011:11:28:41 GMT] "POST /SOGo/so/[email protected]/Mail/0/mailboxes HTTP/1.1" 200 17/0 0.003 - - 4K
localhost - - [23/Aug/2011:11:28:41 GMT] "POST /SOGo/so/[email protected]/Mail/foldersState HTTP/1.1" 200 0/0 0.003 - - 4K

------------------------------------------------------

----------- from my jasig cas.log -------------
2011-08-23 11:28:40,957 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: [email protected]]
2011-08-23 11:28:40,958 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-4913-6Yrbmq9cu20LPGRdUY4h-cas] for service [https://sogo.domain.com/SOGo/so/] for user [[email protected]]
2011-08-23 11:28:41,067 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://sogo.domain.com/SOGo/casProxy]
2011-08-23 11:28:41,067 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https://sogo.domain.com/SOGo/casProxy]
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:300)
....
------------------------------------------------------

I do use dovecot on the back end with pam_cas from Pam_cas-2.0.11-esup-2.0.5 for IMAP, but the SOGo server is not even attempting to contact the back-end IMAP server when I enable CAS.

I just seem to be running up against a wall. Is there anyone that could help me with this? Are there that many people running SOGo along with C.A.S.? It has been mentioned before, but there seems to be very little documentation on it.

Thanks,
Jordan

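An added example, not part of the original post: a small correlator that lines up each SOGo "failure to obtain a PGT" warning with the CAS-side service ticket grant and proxy callback rejection logged around the same second, using the two log formats quoted above. The sample lines, hostnames and ticket id are constructed, and the code assumes both logs use the same timezone and that the syslog-style SOGo timestamps belong to the given year.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the log formats quoted in the post.
CAS_LOG = """\
2011-08-23 11:28:40,958 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-EXAMPLE-cas] for service [https://sogo.example.org/SOGo/so/] for user [user@example.org]
2011-08-23 11:28:41,067 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://sogo.example.org/SOGo/casProxy]
"""
SOGO_LOG = """\
Aug 23 11:28:41 sogod [18674]: [WARN] <0x0xfa3280[SOGoCASSession]> failure to obtain a PGT from the C.A.S. service
Aug 23 11:28:41 sogod [18674]: [ERROR] <0x0x119c920[SOGoCASSession]> attempted to obtain a ticket for service 'imap://mail.example.org' while no PGT available
"""

CAS_TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} ")
GRANTED = re.compile(r"Granted service ticket \[(\S+)\] for service \[(\S+)\] for user \[(\S+)\]")
CALLBACK_FAIL = re.compile(
    r"HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate.*\[callbackUrl: (\S+)\]")
SOGO_PGT = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) sogod .*failure to obtain a PGT")

def correlate(cas_log, sogo_log, year=2011, window=timedelta(seconds=5)):
    """Pair each SOGo 'no PGT' warning with the CAS events logged within `window`."""
    grants, fails = [], []
    for line in cas_log.splitlines():
        m = CAS_TS.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if g := GRANTED.search(line):
            grants.append((ts, g.group(1)))
        elif f := CALLBACK_FAIL.search(line):
            fails.append((ts, f.group(1)))
    findings = []
    for line in sogo_log.splitlines():
        m = SOGO_PGT.match(line)
        if not m:
            continue
        # syslog-style timestamps omit the year, so it is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        findings.append({
            "sogo_time": ts,
            "tickets": [t for when, t in grants if abs(ts - when) <= window],
            "failed_callbacks": [u for when, u in fails if abs(ts - when) <= window],
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(CAS_LOG, SOGO_LOG):
        print(finding)
```

A finding that lists a granted ticket together with a failed callback URL shows that the service ticket step succeeded and the rejection was logged by CAS for the proxy callback, which is the pattern in the logs quoted in the post.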