Monday, 11 March 2013 16:40

SOGo single sign-on (SSO kerberos) against apache samba 4.0 AD

On CentOS 6.2, .GNUstepDefaults is not in /home/sogo (as the docs say) but in /var/lib/sogo/GNUstep/. The working config for me looks like this (having already set up the AD, the httpd.keytab file and reverse DNS):
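<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//GNUstep//DTD plist 0.9//EN" "http://www.gnustep.org/plist-0_9.xml">
<!--
  SOGo user defaults (.GNUstepDefaults, /var/lib/sogo/GNUstep/ on CentOS 6)
  for Kerberos single sign-on behind an Apache reverse proxy.

  Security notes:
  * The MySQL URLs and the LDAP bindPassword are stored in clear text; keep
    this file readable by the sogo service account only.
  * SOGoTrustProxyAuthentication=YES makes sogod accept the user name carried
    in the x-webobjects-remote-user request header as already authenticated,
    so sogod must be reachable only through the proxy that sets that header.
  * The passwords shown (sqlpasswd, mysqlpass, bindPassword) are placeholders
    to be replaced. The profile URL uses a different placeholder from the two
    OCS URLs; all three normally point at the same MySQL account.
-->
<plist version="0.9">
<dict>
  <key>NSGlobalDomain</key>
  <dict>
  </dict>
  <key>sogod</key>
  <dict>
    <!-- Storage for folder metadata and web sessions. -->
    <key>OCSFolderInfoURL</key>
    <string>mysql://sogo:sqlpasswd@localhost:3306/sogo/sogo_folder_info</string>
    <key>OCSSessionsFolderURL</key>
    <string>mysql://sogo:sqlpasswd@localhost:3306/sogo/sogo_sessions_folder</string>
    <!-- E-mail notification switches. -->
    <key>SOGoACLsSendEMailNotifications</key>
    <string>YES</string>
    <key>SOGoAppointmentSendEMailNotifications</key>
    <string>YES</string>
    <key>SOGoDraftsFolderName</key>
    <string>Drafts</string>
    <key>SOGoFoldersSendEMailNotifications</key>
    <string>YES</string>
    <!-- Mail transport: IMAP and SMTP on the same host as sogod. -->
    <key>SOGoIMAPServer</key>
    <string>localhost</string>
    <key>SOGoLanguage</key>
    <string>English</string>
    <key>SOGoMailDomain</key>
    <string>maildomain.co.uk</string>
    <key>SOGoMailingMechanism</key>
    <string>smtp</string>
    <key>SOGoProfileURL</key>
    <string>mysql://sogo:mysqlpass@localhost:3306/sogo/sogo_user_profile</string>
    <key>SOGoSMTPServer</key>
    <string>localhost</string>
    <key>SOGoSentFolderName</key>
    <string>Sent</string>
    <key>SOGoTimeZone</key>
    <string>GB</string>
    <key>SOGoTrashFolderName</key>
    <string>Trash</string>
    <!-- Trust the user name supplied by Apache (Kerberos) instead of
         prompting for a password. See the security note at the top. -->
    <key>SOGoTrustProxyAuthentication</key>
    <string>YES</string>
    <key>SOGoUserSources</key>
    <array>
      <!-- Samba 4 Active Directory, used both for authentication and as
           the shared address book. -->
      <dict>
        <key>CNFieldName</key>
        <string>cn</string>
        <key>IDFieldName</key>
        <string>cn</string>
        <key>UIDFieldName</key>
        <string>userPrincipalName</string>
        <key>baseDN</key>
        <string>dc=DOMAIN,dc=hostname,dc=co,dc=uk</string>
        <!-- Service account used for the initial LDAP bind; grant it read
             access only. -->
        <key>bindDN</key>
        <string>cn=sogo,cn=Users,dc=DOMAIN,dc=hostname,dc=co,dc=uk</string>
        <!-- Attributes a login name is matched against, so both the short
             account name and the user@realm form are accepted. -->
        <key>bindFields</key>
        <array>
          <string>sAMAccountName</string>
          <string>userPrincipalName</string>
        </array>
        <key>bindPassword</key>
        <string>bindPassword</string>
        <key>canAuthenticate</key>
        <string>YES</string>
        <key>displayName</key>
        <string>Active Directory</string>
        <key>hostname</key>
        <string>server</string>
        <key>id</key>
        <string>directory</string>
        <key>isAddressBook</key>
        <string>YES</string>
        <!-- Plain LDAP on 389: the bind password and any password-based
             logins cross the network unencrypted. NOTE(review): SOGo's
             "encryption" source key (SSL or STARTTLS) can protect this;
             confirm the AD side offers LDAPS/StartTLS before enabling. -->
        <key>port</key>
        <string>389</string>
      </dict>
    </array>
  </dict>
</dict>
</plist>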
Note the following setting:
  <key>SOGoTrustProxyAuthentication</key>
  <string>YES</string>
This is what had me stuck. The Apache configuration, SOGo.conf in /etc/httpd/conf.d/, is:

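# SOGo reverse-proxy configuration for Apache 2.2 (/etc/httpd/conf.d/SOGo.conf)
# with Kerberos (mod_auth_kerb) single sign-on against a Samba 4 AD.
Alias /SOGo.woa/WebServerResources/ \
      /usr/lib64/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
      /usr/lib64/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) \
           /usr/lib64/GNUstep/SOGo/$1.SOGo/Resources/$2

<Directory /usr/lib64/GNUstep/SOGo/>
    AllowOverride None
    Order deny,allow
    Allow from all

    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>

<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
  SetHandler default-handler
</LocationMatch>

## Proxy-side authentication: Apache authenticates the user with Kerberos and
## hands the resulting user name to sogod. This requires the
## "SOGoTrustProxyAuthentication" SOGo user default to be YES and the
## "x-webobjects-remote-user" header to be set in the "Proxy" section below.
<Location /SOGo>
       Order allow,deny
       Allow from all
       AuthName "Authname"
       AuthType Kerberos
       Require valid-user
       # The keytab holds the HTTP service key; keep it readable by the apache user only.
       Krb5KeyTab /etc/httpd/conf/httpd.keytab
       KrbAuthRealms WINDOMAIN.domain.co.uk
#       KrbMethodNegotiate On
       # Service principal of this web server. The original listing was mangled by
       # the web site's e-mail cloaking, so the host part below is a placeholder
       # to replace with the real FQDN.
       KrbServiceName HTTP/SOGO-HOST-FQDN-PLACEHOLDER@WINDOMAIN.domain.co.uk
#       KrbServiceName Any
#       KrbVerifyKDC off
       # NOTE(review): mod_auth_kerb defaults KrbMethodK5Passwd to On, so a client
       # that cannot do Negotiate falls back to HTTP Basic auth and sends the AD
       # password in clear unless this site is served over HTTPS. Set
       # "KrbMethodK5Passwd Off" if SSO-only is intended.
#       KrbMethodK5Passwd On
#       KrbSaveCredentials On
#       KrbAuthoritative On
       # Strip the @REALM suffix so sogod receives the bare account name.
       KrbLocalUserMapping On
       SetEnv proxy-nokeepalive 1
       RewriteEngine On
       # Copy the authenticated user into an environment variable that the
       # RequestHeader directive in the Proxy section reads.
       RewriteRule .* - [E=SOGO_REMOTE_USER:%{REMOTE_USER}]
</Location>

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On

# sogod is expected to listen on loopback only: anything that can reach
# 127.0.0.1:20000 directly can supply x-webobjects-remote-user itself and
# bypass the Kerberos check above.
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0

<Proxy http://127.0.0.1:20000/SOGo>
#RequestHeader set "x-webobjects-server-port" "80"
#RequestHeader set "x-webobjects-server-name" "server"
#RequestHeader set "x-webobjects-server-url" "http://server"
# "set" replaces any x-webobjects-remote-user header the client sent, so the
# backend only ever sees the Kerberos-verified name.
RequestHeader set "x-webobjects-remote-user" "%{SOGO_REMOTE_USER}e"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Order allow,deny
# NOTE(review): the SOGo-shipped template pairs this Order with "Allow from all";
# check here first if proxied requests are answered with 403.
</Proxy>

#RewriteEngine On
#RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]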
For reasons I have not identified, if everything looks correct and it still won't work, a reboot sorts it out.
Last modified on Wednesday, 13 March 2013 10:55
