You can let your webserver do the authentication, there it can do
krb5/gssapi authentication.
In sogo.conf set:
  SOGoTrustProxyAuthentication = YES;
In Apache conf put something like:
<Location /SOGo>
  AuthName "Login"
  AuthType GSSAPI
  GssapiSSLonly On
  GssapiLocalName On
  GssapiUseSessions On
  GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
  GssapiCredStore keytab:/etc/keytab/apache.keytab
  GssapiDelegCcacheDir /run/apache2/krb5
  GssapiBasicAuth on
  GssapiAllowedMech krb5
  GssapiBasicAuthMech krb5
  Session On
  SessionCookieName gssapi_session path=/private;httponly;secure;
  Require valid-user
  SetEnv proxy-nokeepalive 1
  RewriteEngine On
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
If you also want authorization with LDAP group membership then that can
simply be added to the Apache config. Replace "Require valid-user" with:
  AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
  AuthLDAPRemoteUserAttribute sAMAccountName
  <RequireAll>
    Require valid-user
    Require ldap-attribute userAccountControl="512"
    Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=<MY-AUTHORIZATION-GROUP>,OU=<AUTHORIZATION-GROUPS>,DC=example,DC=com
  </RequireAll>
This example is for Samba4 (or AD).
There is one side-effect of webserver authentication: the user's
password is not available in Sogo. This means that you must have
password-less login from Sogo to imap and smtp/submission.
For example, run Sogo on the same machine as Dovecot and add this to the
dovecot config:
  passdb {
    args = nopassword=y allow_nets=127.0.0.1/32
    driver = static
  }
- Kees
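A defender-side check for the two configuration blocks above, added here as an example; it is not part of Kees's mail nor code from SOGo, mod_auth_gssapi or Dovecot. It parses an Apache <Location> block and a Dovecot passdb block and flags the settings that matter once SOGo trusts REMOTE_USER from the web server and Dovecot accepts password-less logins: GssapiSSLonly not On, no Require directive, a session cookie without httponly/secure, a SOGO_REMOTE_USER export without RewriteEngine, and an allow_nets wider than a single host. The sample blocks are constructed from the posted configuration, each with a deliberately weakened copy beside it; the directive names are the real ones from the thread, while the linter functions and the finding texts are my own.

```python
import ipaddress
import re

# Constructed sample: the Apache block as posted in the thread (trimmed).
APACHE_OK = """
<Location /SOGo>
  AuthName "Login"
  AuthType GSSAPI
  GssapiSSLonly On
  GssapiBasicAuth on
  Session On
  SessionCookieName gssapi_session path=/private;httponly;secure;
  Require valid-user
  SetEnv proxy-nokeepalive 1
  RewriteEngine On
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
"""

# Constructed sample: the same block with five settings weakened or dropped.
APACHE_WEAK = """
<Location /SOGo>
  AuthType GSSAPI
  GssapiSSLonly Off
  GssapiBasicAuth on
  Session On
  SessionCookieName gssapi_session path=/private;
  RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
"""

# Constructed samples: the Dovecot passdb as posted, and one open to every network.
DOVECOT_OK = "passdb {\n  args = nopassword=y allow_nets=127.0.0.1/32\n  driver = static\n}\n"
DOVECOT_WEAK = "passdb {\n  args = nopassword=y allow_nets=0.0.0.0/0\n  driver = static\n}\n"


def directives(text):
    """Yield (name, value) for every non-blank line that is not a tag or a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        yield name.lower(), value.strip()


def lint_apache(text):
    """Return a list of findings for an Apache GSSAPI <Location> block (empty = nothing found)."""
    values = {}
    for name, value in directives(text):
        values.setdefault(name, []).append(value)
    findings = []
    if [v.lower() for v in values.get("gssapisslonly", [])] != ["on"]:
        findings.append("GssapiSSLonly is not On: Negotiate/Basic credentials may travel over plaintext HTTP")
    if "require" not in values:
        findings.append("no Require directive: the proxy forwards requests even when REMOTE_USER is empty")
    cookie = " ".join(values.get("sessioncookiename", [])).lower()
    for flag in ("httponly", "secure"):
        if flag not in cookie:
            findings.append(f"session cookie lacks the {flag} attribute")
    exports = [v for v in values.get("rewriterule", []) if "SOGO_REMOTE_USER" in v]
    if exports and [v.lower() for v in values.get("rewriteengine", [])] != ["on"]:
        findings.append("SOGO_REMOTE_USER is exported by RewriteRule but RewriteEngine is not On")
    return findings


def lint_dovecot(text):
    """Return findings for a Dovecot passdb block that grants password-less logins."""
    block = re.search(r"passdb\s*\{(.*?)\}", text, re.S)
    if not block:
        return ["no passdb block found"]
    args_m = re.search(r"^\s*args\s*=\s*(.*)$", block.group(1), re.M)
    args = args_m.group(1) if args_m else ""
    if "nopassword=y" not in args.split():
        return []  # passwords are checked by this passdb; nothing to lint here
    nets_m = re.search(r"allow_nets=(\S+)", args)
    if not nets_m:
        return ["nopassword=y without allow_nets: any client can log in as any user"]
    findings = []
    for net in nets_m.group(1).split(","):
        if net == "local":  # Dovecot keyword for connections over local sockets
            continue
        n = ipaddress.ip_network(net, strict=False)
        if n.prefixlen < n.max_prefixlen and not n.is_loopback:
            findings.append(f"allow_nets {net} covers {n.num_addresses} addresses; "
                            "limit password-less login to the SOGo host(s)")
    return findings


if __name__ == "__main__":
    for label, fn, conf in (("apache (posted)", lint_apache, APACHE_OK),
                            ("apache (weak)", lint_apache, APACHE_WEAK),
                            ("dovecot (posted)", lint_dovecot, DOVECOT_OK),
                            ("dovecot (weak)", lint_dovecot, DOVECOT_WEAK)):
        print(label, "->", fn(conf) or "no findings")
```

Run it against a copy of your own `<Location>` and `passdb` blocks; the posted configuration produces no findings, the weakened copies produce one line per problem. The allow_nets check is the one to keep an eye on: with nopassword=y, every address in that range can log in to IMAP as any user, so it should list only the host(s) running SOGo.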
On 21-10-2022 11:04, Christian Mack ([email protected]) wrote:
Hello
SOGo itself does not know about Kerberos.
But you can use its SAML interface in order to use it.
For that to work you have to setup an "Identity Provider" which
delivers Kerberos Tickets and a "Service Provider" for SOGo which
handles authentication for it.
Also your mail servers (IMAP + SMTP) have to either use Kerberos for
authentication, or you have to allow unauthenticated access from the
SOGo server.
SAML settings are documented in the Installation Documentation of
SOGo, but how to set up Identity and Service Providers is not.
You will need additional expertise for that.
For how to enable and use Kerberos authentication with your mail server,
you have to check its documentation.
Kind regards,
Christian Mack
On 20.10.22 at 13:10, mich ([email protected]) wrote:
Hello
Is this solution "kerberos sogo" still current?
Also, does it work online and not only locally, and is there any
documentation on the subject?
Michel