The session key is a 32 bytes random string, all details are in:
https://github.com/gssapi/mod_auth_gssapi
You can also specify it inline but then it must be base64 encoded, e.g.
makepasswd --chars=32 | base64
And in the apache conf:
GssapiSessionKey key:<the base64 encoded key>
In this case there is no file, hence no file permissions to think about.
If your machine is a Samba domain member you can also use the default
/etc/krb5.keytab just do:
chgrp www-data /etc/krb5.keytab
To make it accessible for apache.
Do note that www-data is the group on Debian, other distros may use a
different group name.
If your machine is not a domain-member, it is a bit more work.
You create a machine account in samba and create the principal:
samba-tool computer create <hostname>
# Set encryption types on the account
net ads enctypes set <hostname> 28
# set a password on the computer account (UTF-16LE, base64 encoded for the LDIF "::" syntax):
PW=$(makepasswd --chars=32 | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
# printf instead of echo: bash's builtin echo does not expand \n
printf 'dn: <host DN>\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n' "${PW}" | ldbmodify -H /var/lib/samba/private/sam.ldb
PRINCIPAL="http/<host fqdn>"
samba-tool spn add ${PRINCIPAL} <hostname> -H /var/lib/samba/private/sam.ldb
samba-tool domain exportkeytab -d 8 --principal=${PRINCIPAL} <keytab_filename>
Now copy the keytab file to the target host and provide access to
apache with:
chgrp www-data /etc/krb5.keytab
Done.
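As an added example (not part of the thread), a small POSIX shell helper that generates the 32-byte GssapiSessionKey and checks that the session key file and the keytab are readable only by root and the httpd group. It assumes GNU coreutils (base64 -w, stat -c) and uses /dev/urandom in place of makepasswd; www-data is the Debian group named above.

```shell
#!/bin/sh
# Added example, not from the thread. Creates the mod_auth_gssapi session key
# and checks that the secrets Apache reads (session key, keytab) are neither
# world-readable nor owned by the wrong group. Assumes GNU coreutils
# (base64 -w, stat -c); /dev/urandom stands in for makepasswd.

# Print a fresh 32-byte random key, base64 encoded. Usable inline as
#   GssapiSessionKey key:<value>
# or written to the file named by  GssapiSessionKey file:<path>.
gen_session_key() {
    head -c 32 /dev/urandom | base64 -w 0
}

# Return 0 only if the base64 string decodes to exactly 32 bytes.
session_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$n" -eq 32 ]
}

# Write a new key to $1, readable by the owner and group $2 only (mode 0640).
# The subshell keeps the restrictive umask from leaking into the caller.
install_session_key() {
    ( umask 077 && gen_session_key > "$1" ) &&
    chgrp "$2" "$1" && chmod 0640 "$1"
}

# Return 0 if file $1 is not readable by "other" and belongs to group $2;
# otherwise print the reason and return 1. Run it on the session key file
# and on /etc/krb5.keytab (or apache.keytab) after the chgrp step.
secret_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: missing"; return 1; }
    grp=$(stat -c '%G' "$1")
    case "$mode" in
        *[4567]) echo "$1: readable by other (mode $mode)"; return 1 ;;
    esac
    [ "$grp" = "$2" ] || { echo "$1: group is $grp, expected $2"; return 1; }
}
```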
On 22-10-2022 15:20, mich ([email protected]) wrote:
Hello Kees
Thanks for the approach.
Do you have a more detailed tutorial, especially for the creation of the keys
gssapi_session.key and apache.keytab? I do not use LDAP to identify me
during user connections, I use mysql.
With the solution you asked for, Kerberos is used for authentication,
not Mysql nor LDAP.
Samba4 provides MS-AD functionality, which is a.o. Kerberos + LDAP. In
the example below LDAP is used for authorization on top of the
authentication provided by Kerberos (to get access a user must be member
of a certain group, the "users_with_sogo_access" group).
Sogo still requires a database to store the user profile.
- Kees
Michel
From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Friday 21 October 2022 at 11:43
To: "[email protected]" <[email protected]>
Subject: Re: [SOGo] kerberos sogo
You can let your webserver do the authentication, there it can do
krb5/gssapi authentication.
In sogo.conf set:
SOGoTrustProxyAuthentication = YES;
In Apache conf put something like:
<Location /SOGo>
AuthName "Login"
AuthType GSSAPI
GssapiSSLonly On
GssapiLocalName On
GssapiUseSessions On
GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
GssapiCredStore keytab:/etc/keytab/apache.keytab
GssapiDelegCcacheDir /run/apache2/krb5
GssapiBasicAuth on
GssapiAllowedMech krb5
GssapiBasicAuthMech krb5
Session On
SessionCookieName gssapi_session path=/private;httponly;secure;
Require valid-user
SetEnv proxy-nokeepalive 1
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
If you also want authorization with ldap group-membership then that
can simply be added to the Apache config. Replace "Require valid-user"
with:
AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPRemoteUserAttribute sAMAccountName
<RequireAll>
Require valid-user
Require ldap-attribute userAccountControl="512"
Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=<MY-AUTHORIZATION-GROUP>,OU=<AUTHORIZATION-GROUPS>,DC=example,DC=com
</RequireAll>
This example is for Samba4 (or AD).
There is one side-effect of webserver authentication: the user's
password is not available in Sogo. This means that you must have
password-less login from Sogo to imap and smtp/submission.
For example run Sogo on the same machine as Dovecot and add this to
the dovecot config:
passdb {
args = nopassword=y allow_nets=127.0.0.1/32
driver = static
}
- Kees
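An added example (not from the thread) on the userAccountControl check in the Apache config above. userAccountControl is a bit mask, so the exact match Require ldap-attribute userAccountControl="512" only admits enabled accounts with no other flag set; an enabled account with "password never expires" (65536) carries the value 66048 and is denied. The helpers below compare that exact match with a bit-mask check and print the equivalent AD filter; the flag values are the standard AD constants.

```shell
#!/bin/sh
# Added example, not from the thread. Compares the exact-match rule
#   Require ldap-attribute userAccountControl="512"
# with a bit-mask evaluation of the same attribute.
# Standard AD userAccountControl flags:
UAC_ACCOUNTDISABLE=2
UAC_NORMAL_ACCOUNT=512
UAC_DONT_EXPIRE_PASSWD=65536

# Decision made by the exact match in the config. $1 = integer UAC value.
exact_match_admits() {
    [ "$1" -eq "$UAC_NORMAL_ACCOUNT" ]
}

# Bit-mask decision: NORMAL_ACCOUNT set and ACCOUNTDISABLE clear, whatever
# other flags (e.g. DONT_EXPIRE_PASSWD) the account carries.
bitmask_admits() {
    [ $(( $1 & $UAC_NORMAL_ACCOUNT )) -ne 0 ] &&
    [ $(( $1 & $UAC_ACCOUNTDISABLE )) -eq 0 ]
}

# Print an LDAP filter that evaluates bitmask_admits on the server side.
# 1.2.840.113556.1.4.803 is the AD LDAP_MATCHING_RULE_BIT_AND OID; the result
# can be AND-ed with the memberof clause from the config in Require ldap-filter.
bitmask_filter() {
    printf '(&(userAccountControl:1.2.840.113556.1.4.803:=%d)(!(userAccountControl:1.2.840.113556.1.4.803:=%d)))\n' \
        "$UAC_NORMAL_ACCOUNT" "$UAC_ACCOUNTDISABLE"
}
```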
On 21-10-2022 11:04, Christian Mack ([email protected]) wrote:
Hello
SOGo itself does not know about Kerberos.
But you can use its SAML interface in order to use it.
For that to work you have to setup an "Identity Provider" which
delivers Kerberos Tickets and a "Service Provider" for SOGo which
handles authentication for it.
Also your mail servers (IMAP + SMTP) have to either use kerberos
for authentication, or you have to allow not authenticated access
from the SOGo server.
SAML settings are documented in the Installation Documentation of
SOGo, but how to set up Identity and Service Providers is not.
You will need additional expertise for that.
How to enable and use Kerberos authentication with your mail
server, you have to check on its documentation.
Kind regards,
Christian Mack
On 20.10.22 at 13:10, mich ([email protected]) wrote:
Hello
Is this solution "kerberos sogo" still current?
Also, does it work online and not locally, and is there any
documentation on the subject?
Michel