General discussion on installation and configuration of SOGo



Re: [SOGo] kerberos authentication


  • From: Marco Bencivenni < >
  • To:
  • Subject: Re: [SOGo] kerberos authentication
  • Date: Tue, 1 Feb 2011 11:44:27 +0100

I don't have any information in sogo log but I have something in apache error log:

[Tue Feb 01 11:40:43 2011] [debug] src/mod_auth_kerb.c(1432): [client 131.154.7.18] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 01 11:40:43 2011] [debug] src/mod_auth_kerb.c(915): [client 131.154.7.18] Using HTTP/ as server principal for password verification
[Tue Feb 01 11:40:43 2011] [debug] src/mod_auth_kerb.c(655): [client 131.154.7.18] Trying to get TGT for user
[Tue Feb 01 11:40:43 2011] [debug] src/mod_auth_kerb.c(569): [client 131.154.7.18] Trying to verify authenticity of KDC using principal HTTP/
[Tue Feb 01 11:40:43 2011] [debug] src/mod_auth_kerb.c(994): [client 131.154.7.18] kerb_authenticate_user_krb5pwd ret=0 authtype=Basic
[Tue Feb 01 11:40:43 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //127.0.0.1:20000/SOGo/
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(1488): [client 131.154.7.18] proxy: http: found worker http://127.0.0.1:20000/SOGo for http://127.0.0.1:20000/SOGo/
[Tue Feb 01 11:40:43 2011] [debug] mod_proxy.c(966): Running scheme http handler (attempt 0)
[Tue Feb 01 11:40:43 2011] [debug] mod_proxy_http.c(1976): proxy: HTTP: serving URL http://127.0.0.1:20000/SOGo/
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2044): proxy: HTTP: has acquired connection for (127.0.0.1)
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2102): proxy: connecting http://127.0.0.1:20000/SOGo/ to 127.0.0.1:20000
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2195): proxy: connected /SOGo/ to 127.0.0.1:20000
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2347): proxy: HTTP: fam 2 socket created to connect to 127.0.0.1
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2449): proxy: HTTP: connection complete to 127.0.0.1:20000 (127.0.0.1)
[Tue Feb 01 11:40:43 2011] [debug] mod_proxy_http.c(1753): proxy: start body send
[Tue Feb 01 11:40:43 2011] [debug] mod_proxy_http.c(1842): proxy: end body send
[Tue Feb 01 11:40:43 2011] [debug] proxy_util.c(2062): proxy: HTTP: has released connection for (127.0.0.1)


Marco B

2011/2/1 Marco Bencivenni < >
Dear all,

excuse me but I previously posted an incorrect configuration.
The problem is that I try to use a kerberos authentication but I got a blank page with the only word "Unauthorized".
The configuration apache-kerberos is correct, but there is something in SOGo configuration in order to use kerberos credentials.
I hope that someone has already faced this type of problem.
Thanks in advance,
Marco B


In my SOGo.conf I uncomment:

<Location /SOGo>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate Off
  KrbMethodK5Passwd On
  KrbAuthRealms ####.IT
  KrbServiceName HTTP/
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
  Order allow,deny

  Allow from all
</Location>
 
and

  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"


My .GNUstepDefaults is


        <key>OCSFolderInfoURL</key>
        <string>mysql://sogo: :3306/sogo/sogo_folder_info</string>
        <key>SOGoACLsSendEMailNotifications</key>
        <string>YES</string>
        <key>SOGoAppointmentSendEMailNotifications</key>
        <string>YES</string>
        <key>SOGoDraftsFolderName</key>
        <string>Drafts</string>
        <key>SOGoFoldersSendEMailNotifications</key>
        <string>YES</string>
        <key>SOGoIMAPServer</key>
        <string>imaps://###.it:993/?tls=YES</string>
        <key>SOGoLanguage</key>
        <string>Italian</string>
        <key>SOGoMailDomain</key>
        <string>cnaf.infn.it</string>
        <key>SOGoProfileURL</key>
        <string>mysql://sogo: :3306/sogo/sogo_user_profile</string>
        <key>SOGoSentFolderName</key>
        <string>Sent</string>
        <key>SOGoTimeZone</key>
        <string>Europe/Rome</string>
        <key>SOGoTrashFolderName</key>
        <string>Trash</string>
        <key>SOGoTrustProxyAuthentication</key>
        <string>YES</string>
        <key>SOGoUserSources</key>
        <array>
            <dict>
                <key>CNFieldName</key>
                <string>cn</string>
                <key>IDFieldName</key>
                <string>uid</string>
                <key>UIDFieldName</key>
                <string>uid</string>
                <key>baseDN</key>
                <string>ou=people,ou=cnaf,o=infn,c=it</string>
                <key>canAuthenticate</key>
                <string>YES</string>
                <key>displayName</key>
                <string>Shared Addresses</string>
                <key>hostname</key>
                <string>131.154.128.32</string>
                <key>id</key>
                <string>public</string>
                <key>isAddressBook</key>
                <string>YES</string>
                <key>port</key>
                <string>389</string>
                <key>type</key>
                <string>ldap</string>
            </dict>
        </array>
    </dict>
</dict>
</plist>



2011/1/26 < >

Hi Marco,

to use external authentication like Kerberos you have to use HTTP Header in
front of SOGo:
http://www.sogo.nu/english/support/faq/article/how-to-use-webauth-with-sogo-2.html

There are a lot of examples in the Web for doing that. But the exact
configuration steps depend on your setup. Especially for Apache and Kerberos
there are a lot of how-tos.

esco
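
A consistency check for the setup discussed in this thread, added here as an example (it is not code from the posters or from the SOGo project): with SOGoTrustProxyAuthentication set to YES, SOGo takes the user name from the x-webobjects-remote-user header, so the Apache side has to overwrite that header, require an authenticated user on /SOGo, and keep the backend on loopback. The sample configuration is constructed, its ProxyPass line is an assumption based on the 127.0.0.1:20000 backend seen in the log, and the finding names are hypothetical.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

HEADER = "x-webobjects-remote-user"

# Constructed sample built from the directives quoted in the thread; the
# ProxyPass line is an assumption based on the backend shown in the log.
SAMPLE_CONF = """
ProxyPass /SOGo http://127.0.0.1:20000/SOGo
<Location /SOGo>
  AuthType Kerberos
  KrbMethodK5Passwd On
  require valid-user
</Location>
RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here

def audit(conf):
    """Findings for a front end feeding SOGoTrustProxyAuthentication=YES."""
    findings = []
    # 1. The identity header must be overwritten, never merged with client input.
    actions = re.findall(r'^\s*RequestHeader\s+(\S+)\s+"?%s"?' % HEADER, conf, re.I | re.M)
    if not actions:
        findings.append("header-not-set")
    elif any(a.lower() != "set" for a in actions):
        findings.append("header-not-overwritten")
    # 2. /SOGo must demand an authenticated user before REMOTE_USER is copied.
    block = re.search(r"<Location\s+/SOGo>(.*?)</Location>", conf, re.I | re.S)
    if not block or not re.search(r"^\s*require\s+valid-user", block.group(1), re.I | re.M):
        findings.append("no-auth-required")
    # 3. A backend reached over a non-loopback address is exposed beyond this proxy.
    for url in re.findall(r"^\s*ProxyPass\s+/SOGo\s+(\S+)", conf, re.I | re.M):
        if not is_loopback(urlsplit(url).hostname or ""):
            findings.append("backend-not-loopback")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "no findings")
```
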




