Hello Kees

Thanks for the approach.

Do you have a more detailed tutorial, especially for the creation of the keys 
gssapi_session.key and apache.keytab, as I do not use LDAP to identify me during 
user connections, I use mysql.

 

Michel

 

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday 21 October 2022 at 11:43
To: "[email protected]" <[email protected]>
Subject: Re: [SOGo] kerberos sogo

 

You can let your webserver do the authentication, there it can do krb5/gssapi 
authentication.

In sogo.conf set:

SOGoTrustProxyAuthentication = YES;

In Apache conf put something like:

<Location /SOGo>
    AuthName "Login"
    AuthType GSSAPI
    GssapiSSLonly On
    GssapiLocalName On
    GssapiUseSessions On
    GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
    GssapiCredStore keytab:/etc/keytab/apache.keytab
    GssapiDelegCcacheDir /run/apache2/krb5
    GssapiBasicAuth on
    GssapiAllowedMech krb5
    GssapiBasicAuthMech krb5
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
    Require valid-user
    SetEnv proxy-nokeepalive 1
    RewriteEngine On
    RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

If you also want authorization with ldap group-membership then that can simply 
be added to the Apache config. Replace "Require valid-user" with:

AuthLDAPURL "ldap://dc1.example.com dc2.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPRemoteUserAttribute sAMAccountName
<RequireAll>
    Require valid-user
    Require ldap-attribute userAccountControl="512"
    Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=<MY-AUTHORIZATION-GROUP>,OU=<AUTHORIZATION-GROUPS>,DC=example,DC=com
</RequireAll>

This example is for Samba4 (or AD).

There is one side-effect of webserver authentication: the user's password is 
not available in Sogo. This means that you must have password-less login from 
Sogo to imap and smtp/submission. 

For example run Sogo on the same machine as Dovecot and add this to the dovecot 
config:

passdb { 
 args = nopassword=y allow_nets=127.0.0.1/32 
 driver = static 
}

- Kees
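The <Location /SOGo> block above, checked for the settings a defender would not want weakened (GssapiSSLonly, the cookie flags, a Require rule and the REMOTE_USER export SOGo relies on when SOGoTrustProxyAuthentication is YES). This is an added example, not code from the thread, SOGo or mod_auth_gssapi; the directive names are the posted ones, the check logic and the parser are assumptions of mine.

```python
import re
# Constructed sample: the <Location /SOGo> block exactly as posted in the thread.
SAMPLE_CONF = """\
<Location /SOGo>
    AuthName "Login"
    AuthType GSSAPI
    GssapiSSLonly On
    GssapiLocalName On
    GssapiUseSessions On
    GssapiSessionKey file:/var/lib/apache2/secrets/gssapi_session.key
    GssapiCredStore keytab:/etc/keytab/apache.keytab
    GssapiDelegCcacheDir /run/apache2/krb5
    GssapiBasicAuth on
    GssapiAllowedMech krb5
    GssapiBasicAuthMech krb5
    Session On
    SessionCookieName gssapi_session path=/private;httponly;secure;
    Require valid-user
    SetEnv proxy-nokeepalive 1
    RewriteEngine On
    RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
"""

def parse_location(conf, path="/SOGo"):
    """Map lower-cased directive name -> list of argument strings in one <Location> block."""
    m = re.search(r"<Location %s>(.*?)</Location>" % re.escape(path), conf, re.S)
    d = {}
    for line in (m.group(1) if m else "").splitlines():
        name, _, args = line.strip().partition(" ")
        if name and not name.startswith("#"):
            d.setdefault(name.lower(), []).append(args.strip())
    return d

def check_gssapi_block(conf):
    """Return a list of findings (hypothetical checks); an empty list means the block passes."""
    d = parse_location(conf)
    has = lambda name, val: any(a.lower() == val for a in d.get(name, []))
    findings = []
    if not has("gssapisslonly", "on"):
        findings.append("GssapiSSLonly not On: credentials could be sent over plain HTTP")
    cookie = " ".join(d.get("sessioncookiename", [])).lower()
    findings += ["SessionCookieName lacks %s" % f for f in ("httponly", "secure") if f not in cookie]
    if not d.get("require"):
        findings.append("no Require directive: access is not restricted")
    if not any("E=SOGO_REMOTE_USER:%{REMOTE_USER}" in r for r in d.get("rewriterule", [])):
        findings.append("no RewriteRule exporting REMOTE_USER as SOGO_REMOTE_USER")
    return findings
```

Running it against a copy of the block with GssapiSSLonly turned Off and the secure cookie flag dropped reports exactly those two weakenings.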

 

On 21-10-2022 11:04, Christian Mack ([email protected]) wrote:

Hello 

SOGo itself does not know about Kerberos. 
But you can use its SAML interface in order to use it. 
For that to work you have to set up an "Identity Provider" which delivers 
Kerberos Tickets and a "Service Provider" for SOGo which handles authentication 
for it. 
Also your mail servers (IMAP + SMTP) have to either use kerberos for 
authentication, or you have to allow not authenticated access from the SOGo 
server. 

SAML settings are documented in the Installation Documentation of SOGo, but how 
to set up Identity and Service Providers is not. 
You will need additional expertise for that. 

For how to enable and use Kerberos authentication with your mail server, you have 
to check its documentation. 


Kind regards, 
Christian Mack 

On 20.10.22 at 13:10, mich ([email protected]) wrote: 

Hello 

Is this solution "kerberos sogo" still current? 

Also, if it works online and not locally, is there any documentation on the 
subject? 

Michel 

 
