View Issue Details

ID: 0001113
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2021-01-03 01:29
Reporter: amaramrahul
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.3.5
Summary: 0001113: Kerberos GSSAPI authentication with Apache2 Frontend does not work
Description

I am using SOGO in debian lenny with apache2+mod_auth_kerb acting as a reverse proxy for it. I have configured and set up everything successfully.

There are two authentication methods possible with mod_auth_kerb:

  1. Basic Authentication (mod_auth_kerb validates the user against the KDC by using the password provided by the user) - I had to make a few modifications to /etc/apache2/conf.d/SOGo.conf and everything worked fine.

  2. GSSAPI Authentication (mod_auth_kerb validates the user against the KDC by using the negotiate method) - When I try to use this method, I get the below error in browser:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /SOGo/.

Reason: Error reading from remote server

And apache2 error.log shows:

[Wed Feb 02 19:39:52 2011] [error] [client 192.168.36.103] (20014)Internal error: proxy: error reading status line from remote server 127.0.0.1
[Wed Feb 02 19:39:52 2011] [debug] mod_proxy_http.c(1439): [client 192.168.36.103] proxy: NOT Closing connection to client although reading from backend server 127.0.0.1 failed.
[Wed Feb 02 19:39:52 2011] [error] [client 192.168.36.103] proxy: Error reading from remote server returned by /SOGo/

And /var/log/sogo.log has this error (this is perhaps most important):

Feb 02 18:21:21 sogod [2896]: [ERROR] <0x0x1b30210[WOHttpAdaptor]> http server caught: <NSException: 0x1e1ac90> NAME:NSGenericException REASON:subclass NGHttpCredentials(instance) should override userName INFO:(nil)
Feb 02 18:21:21 sogod [2896]: [ERROR] <0x0x1b30210[WOHttpAdaptor]> http server caught: <NSException: 0x1dac310> NAME:NSGenericException REASON:subclass NGHttpCredentials(instance) should override userName INFO:(nil)

I could confirm that GSSAPI authentication is working fine. I am not interested in accessing mails using IMAP. I've read a previous thread and know that currently this isn't even possible. I just want to be able to access my calendar. Any suggestions would be greatly appreciated.

Tags: No tags attached.

Relationships

related to 0001192 new Ability to use normal SOGo Authentication with SOGoTrustProxyAuthentication=YES 

Activities

ludovic

2011-02-13 09:54

administrator   ~0002101

This will likely require some development work in SOGo for this to work correctly.

MrJacK

2011-03-04 10:22

reporter   ~0002192

Could you try this :

<Location /SOGo>
Bla...
Blaa...
SetEnv proxy-nokeepalive 1
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

And :

RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"

Can you post your <Location /SOGo> configuration part ?

steve

2011-03-05 03:39

reporter   ~0002198

I can confirm too that this doesn't seem to work. The user seems to be passing correctly to SOGo, but I only ever get a 403 Unauthorized. I never get beyond /SOGo. The manual seems to imply that Kerberos is supported so I thought I was doing something incorrect until I saw this bug report. Like amaramrahul I have confirmed that Kerberos auth is working just fine. SOGo just doesn't seem to know what to do after the user is authenticated.

BTW, since the full Kerberos principal seemed to be passed to SOGo, I used a newer version of mod_auth_kerb that contains the feature KrbLocalUserMapping to strip the realm just in case it was causing a problem.

amaramrahul

2011-03-07 12:53

reporter   ~0002208

Sorry for the late response. I have tried modifying <Location /SOGo> as suggested by MrJacK but it does not seem to work. These are the settings I am currently using which make proxy authentication work:

<Location /SOGo>
AuthType Kerberos
Require valid-user
SetEnv proxy-nokeepalive 1
Allow from all

KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/scs.example.com@EXAMPLE.COM
Krb5Keytab /home/sogo/GNUstep/Defaults/sasl2/HTTP.keytab
</Location>

<Proxy http://127.0.0.1:20000/SOGo>
RewriteEngine On
RewriteCond %{REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e

RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST

AddDefaultCharset UTF-8

Order allow,deny
Allow from all
</Proxy>

GSSAPI authentication though fails with the error I had given above. Any suggestions on what else could be wrong?

Also I got a couple of queries.

  1. Should the Rewrite lines be in <Location /SOGo>...</Location> or in <Proxy http://127.0.0.1:20000/SOGo>...</Proxy> as it is currently or does it not really matter?

  2. This is more of an observation. Changing 'RequestHeader set REMOTE_USER %{RU}e' to 'RequestHeader set "x-webobjects-remote-user" %{RU}e' in the above rewrite rules was not working.

MrJacK

2011-03-08 03:07

reporter   ~0002212

I made some tests yesterday; this configuration works for me:

<Location /SOGo>
Order allow,deny
Allow from all
AuthName "Whatever..."
AuthType Kerberos
Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthRealms MYDOMAIN.TLD
KrbMethodNegotiate On
KrbServiceName HTTP/server.mydomain.tld@MYDOMAIN.TLD
KrbMethodK5Passwd On
KrbSaveCredentials on
KrbAuthoritative On
KrbLocalUserMapping On
require valid-user
SetEnv proxy-nokeepalive 1
RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0

<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "80"
RequestHeader set "x-webobjects-server-name" "server.mydomain.tld"
RequestHeader set "x-webobjects-server-url" "http://server.mydomain.tld"
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny
Allow from all
</Proxy>

You need mod_auth_kerb 5.4 for this (Option KrbLocalUserMapping)

Keytab generated with :

msktutil -c -b "CN=COMPUTERS" -s HTTP/server.mydomain.tld -h server.mydomain.tld -k /etc/apache2/krb5.keytab --computer-name server --upn HTTP/server.mydomain.tld --server dc.mydomain.tld --verbose --enctypes 28

Ubuntu server 10.04, TB 3.1.7, 2008 R2 DCs and of course SOGo 1.3.5a

steve

2011-03-08 03:32

reporter   ~0002214

MrJack-

This config works on CentOS too! I was already using the KrbLocalUserMapping, but I think the key was your rewrite rule: RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}] and the remote-user line in the request header.

I'm getting a strange SOGoCache error now in the logs, but I think that might be due to something else I'm doing and it doesn't seem to prevent this from working.

Thanks so much for the help.

amaramrahul

2011-03-08 05:29

reporter   ~0002215

Yipee! As suggested by steve, setting "KrbLocalUserMapping On", and writing the rewrite rules and request header as suggested by MrJacK has solved the issue. Here is my configuration of /etc/apache2/conf.d/SOGo.conf which is working (this works with both kerberos password and GSSAPI authentication).

...
...
...
<Location /SOGo>
AuthType Kerberos
Require valid-user
SetEnv proxy-nokeepalive 1
Allow from all

KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/scs.example.com@EXAMPLE.COM
Krb5Keytab /home/sogo/GNUstep/Defaults/sasl2/HTTP.keytab
KrbLocalUserMapping On

RewriteEngine On
RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
...
...
...
<Proxy http://127.0.0.1:20000/SOGo>

## adjust the following to your configuration
#RequestHeader set "x-webobjects-server-port" "443"
#RequestHeader set "x-webobjects-server-name" "yourhostname"
#RequestHeader set "x-webobjects-server-url" "https://yourhostname"

RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"

RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST

AddDefaultCharset UTF-8

Order allow,deny
Allow from all
</Proxy>
...
...
...

Pegasus

2015-10-23 20:27

reporter   ~0009057

So why is the bug still marked "new"? It sounds like the above procedure is a solution rather than a workaround.

ludovic

2015-10-23 20:39

administrator   ~0009058

Anyone care to write concise documentation so we can include it in our official doc? A pull request on GitHub would be preferred.

ggiesen

2015-11-11 10:57

reporter   ~0009087

Last edited: 2015-11-11 11:02

I've got proxy authentication working fine to access the sogo interface, but it doesn't seem to be able to pass through the creds to dovecot to access the mailbox itself. Can anyone elaborate on how they got this to work?

I have direct access to dovecot working with Kerberos

koc

2018-09-28 11:24

reporter   ~0013069

The configuration provided above does not work with apache 2.4 and sogo 3.2.6 native to debian stretch. Is there an update you can share?

abma

2019-11-13 05:19

reporter   ~0013893

For reference, this is how it works for me on debian 10 with apache 2.4, dovecot 2.3.4 and sogo 4.1.1.20191113-1:

in /etc/apache2/conf.d/SOGo.conf:

<Location /SOGo>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/apache2/http.keytab
GssapiAcceptorName HTTP@auth.realm.com
require valid-user
GssapiLocalName on
</Location>

RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}s"

Note the "s" when you use https. In all examples "e" is used, which seems only available when apache is used via http.

/etc/sogo/sogo.conf:
SOGoTrustProxyAuthentication = YES;
SOGoIMAPServer = "imap://localhost:143/";

/etc/dovecot/conf.d/auth-ldap.conf.ext:

passdb {
driver = static
args = allow_nets=127.0.0.1/32 nopassword
}

The example is not complete, but the most important parts should be there.

koc

2021-01-03 01:29

reporter   ~0015017

After upgrading my server to Debian 10, I wanted to give this one more chance.
I am using apache2, postgresql, postfix and dovecot versions native to debian 10.
I tested sogo both with native version 4.0.7 and nightly version 5.0.1, still couldn't make it work.

Here are my working sql user database solution configuration files. I can access my e-mails if I use the same kerberos password for my sql user:
{
/* database */
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
/* authentication */
SOGoPasswordChangeEnabled = YES;
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
UIDFieldName = uid;
IDFieldName = uid;
bindFields = (uid);
baseDN = "ou=users,dc=example,dc=com";
bindDN = "";
bindPassword = "";
canAuthenticate = NO;
displayName = "SOGo Users";
hostname = "ldap://ldap.example.com";
port = 389;
id = ldap_users;
isAddressBook = YES;
},
{
type = sql;
id = sql_users;
viewURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_users";
canAuthenticate = YES;
isAddressBook = NO;
userPasswordAlgorithm = md5;
}
);
/* web */
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoTrustProxyAuthentication = YES;
/* general */
SOGoLanguage = TurkishTurkey;
SOGoTimeZone = Europe/Istanbul;
SOGoFirstDayOfWeek = 1;
WOWorkersCount = 5;
/* debug */
SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
LDAPDebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
WODontZipResponse = YES;
}
<VirtualHost 10.10.10.10:80>
ServerName sogo.example.com
ServerAdmin info@example.com
Redirect / https://sogo.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 10.10.10.10:443>
ServerName sogo.example.com
ServerAdmin info@example.com
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
SSLEngine on
SSLCertificateChainFile /etc/ssl/certs/ca.cert.pem
SSLCertificateKeyFile /etc/ssl/private/sogo.key.pem
SSLCertificateFile /etc/ssl/certs/sogo.cert.pem
LogLevel debug ssl:debug
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
RewriteRule (.*) /SOGo/ [R=301]
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
<Directory /usr/lib/GNUstep/SOGo/>
AllowOverride None
Require all granted
<IfModule expires_module>
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
</Directory>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
<IfModule headers_module>
RequestHeader unset "x-webobjects-remote-user"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</IfModule>
AddDefaultCharset UTF-8
Require all granted
</Proxy>
<IfModule rewrite_module>
RewriteEngine On
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
</VirtualHost>
</IfModule>

Here is my not working gssapi solution:
{
/* database */
SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
/* authentication */
SOGoPasswordChangeEnabled = NO;
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
UIDFieldName = uid;
IDFieldName = uid;
bindFields = (uid);
baseDN = "ou=users,dc=example,dc=com";
bindDN = "";
bindPassword = "";
canAuthenticate = YES;
displayName = "SOGo Users";
hostname = "ldap://ldap.example.com";
port = 389;
id = ldap_users;
isAddressBook = YES;
}
);
/* web */
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoTrustProxyAuthentication = YES;
/* general */
SOGoLanguage = TurkishTurkey;
SOGoTimeZone = Europe/Istanbul;
SOGoFirstDayOfWeek = 1;
WOWorkersCount = 5;
/* debug */
SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
LDAPDebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
WODontZipResponse = YES;
}
<VirtualHost 10.10.10.10:80>
ServerName sogo.example.com
ServerAdmin info@example.com
Redirect / https://sogo.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 10.10.10.10:443>
ServerName sogo.example.com
ServerAdmin info@example.com
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
SSLEngine on
SSLCertificateChainFile /etc/ssl/certs/ca.cert.pem
SSLCertificateKeyFile /etc/ssl/private/sogo.key.pem
SSLCertificateFile /etc/ssl/certs/sogo.cert.pem
LogLevel debug ssl:debug
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/$
RewriteRule (.) /SOGo/ [R=301]
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
<Directory /usr/lib/GNUstep/SOGo/>
AllowOverride None
Require all granted
<IfModule expires_module>
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
</Directory>
<Location /SOGo>
AuthType gssapi
AuthName "Kerberos Parola"
GssapiBasicAuth on
GssapiLocalName on
GssapiAllowedMech krb5
GssapiCredStore keytab:/etc/apache2/apache2.keytab
GssapiSSLonly on
Require valid-user
SetEnv proxy-nokeepalive 1
Require all granted
RewriteEngine on
RewriteRule . - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
<IfModule headers_module>
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
</IfModule>
AddDefaultCharset UTF-8
Require all granted
</Proxy>
<IfModule rewrite_module>
RewriteEngine On
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
</IfModule>
</VirtualHost>
</IfModule>

I receive "Unhandled error response" response from the web login page and

Jan 03 09:04:56 sogod [20639]: |SOGo| starting method 'POST' on uri '/SOGo/connect'
2021-01-03 09:04:56.802 sogod[20639:20639] EXCEPTION: <NSException: 0x558b484b34b0> NAME:NSInvalidArgumentException REASON:SOGoProxyAuthenticator(instance) does not recognize checkLogin:password:domain:perr:expire:grace:useCache: INFO:(null)

from sogo log.

Any help appreciated.
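
Editor's added example, not part of any post in this thread and not SOGo project code: every configuration above forwards the authenticated name in the x-webobjects-remote-user header, and with SOGoTrustProxyAuthentication = YES that header is the identity sogod acts on. The script below audits an Apache configuration for that chain (login enforced on /SOGo, header controlled by the proxy, backend on loopback); the finding codes, the sample configurations and the 10.10.10.20 backend address are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

IDENTITY_HEADER = "x-webobjects-remote-user"

def directives(conf_text):
    """Yield (enclosing_sections, lowercased_words) for each directive line."""
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            stack = stack[:-1]
        elif line.startswith("<"):
            stack.append(line.strip("<>").lower())
        elif line and not line.startswith("#"):
            yield tuple(stack), line.replace('"', "").lower().split()

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # some other hostname: cannot prove it is local
        return False

def audit(conf_text):
    """Return finding codes for the proxy-authentication chain."""
    requires, header_ops, backends = [], [], []
    for sections, (name, *args) in directives(conf_text):
        if name == "require" and sections and sections[-1].startswith("location /sogo"):
            requires.append(" ".join(args))
        elif name == "requestheader" and args[1:2] == [IDENTITY_HEADER]:
            header_ops.append(args[0])          # "set" or "unset" both override the client
        elif name == "proxypass" and len(args) >= 2:
            backends += [h for h in [urlsplit(args[1]).hostname] if h]
    findings = []
    if "valid-user" not in requires:
        findings.append("AUTH_MISSING")         # nothing forces a login on /SOGo
    elif "all granted" in requires:
        findings.append("AUTH_OPTIONAL")        # Apache 2.4 ORs sibling Require lines
    if not header_ops:
        findings.append("HEADER_PASSTHROUGH")   # a client-sent header reaches sogod as-is
    if not all(is_loopback(h) for h in backends):
        findings.append("BACKEND_NOT_LOOPBACK") # sogod reachable without the proxy
    return findings

# Constructed samples, condensed from the configurations quoted in this thread.
FORWARDING = """<Location /SOGo>
AuthType Kerberos
require valid-user
</Location>
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
</Proxy>"""
LOOSE = (FORWARDING.replace("</Location>", "Require all granted\n</Location>")
         .replace("remote-user", "server-name").replace("127.0.0.1", "10.10.10.20"))

if __name__ == "__main__":
    print(audit(FORWARDING), audit(LOOSE))
```

AUTH_OPTIONAL reflects documented Apache 2.4 behaviour: Require lines in the same section that are not wrapped in <RequireAll> are combined as <RequireAny>, so "Require all granted" beside "Require valid-user" lets requests through without a REMOTE_USER.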

Issue History

Date Modified Username Field Change
2011-02-02 09:18 amaramrahul New Issue
2011-02-13 09:54 ludovic Note Added: 0002101
2011-02-13 09:54 ludovic Severity minor => feature
2011-03-04 10:22 MrJacK Note Added: 0002192
2011-03-05 03:39 steve Note Added: 0002198
2011-03-07 12:53 amaramrahul Note Added: 0002208
2011-03-08 03:07 MrJacK Note Added: 0002212
2011-03-08 03:32 steve Note Added: 0002214
2011-03-08 05:29 amaramrahul Note Added: 0002215
2011-03-17 12:50 wsourdeau Relationship added related to 0001192
2015-10-23 20:27 Pegasus Note Added: 0009057
2015-10-23 20:39 ludovic Note Added: 0009058
2015-11-11 10:57 ggiesen Note Added: 0009087
2015-11-11 11:02 ggiesen Note Edited: 0009087 View Revisions
2018-09-28 11:24 koc Note Added: 0013069
2019-11-13 05:19 abma Note Added: 0013893
2021-01-03 01:29 koc Note Added: 0015017