Configuration & testing (for Sogo using Keycloak) #4

Open
quenenni opened this issue Jun 29, 2020 · 0 comments


quenenni commented Jun 29, 2020

Hello,

I'm trying to configure Sogo to use my Keycloak IdP.
Like Umardraz in #3, I also have trouble understanding some parts of the readme.

What I did is a bit different.
I'm on Debian Buster with Dovecot & Postfix with LDAP.
Sogo is working when using LDAP directly.
Now I'm trying the SSO part.

The "Installation" section of your readme was completed successfully (git clone + composer + php extensions).

In the Configuration section:
I installed the libpam-script package (apt install libpam-script) => a new line is added at the top of the pam.d/common-* files: auth sufficient pam_script.so

Regarding point 3 ("Use the given pam_script_auth file (or create a symlink from pam_script_auth to pam-script-saml.php)"):

The readme of the libpam-script package says that the scripts are by default located in /etc/pam-script (on Debian), but I guess the dir parameter is there to adapt this if needed.

I created that folder and added 2 symlinks in /etc/libpam-script to your scripts:

lrwxrwxrwx 1 root root 40 Jun 29 15:26 pam_script_auth -> /var/www/pam-script-saml/pam_script_auth
lrwxrwxrwx 1 root root 44 Jun 29 15:29 pam-script-saml.php -> /var/www/pam-script-saml/pam-script-saml.php

Now that I have the 2 symlinks in /etc/pam-script/, I adapted the file /etc/pam.d/common-auth to:

auth    sufficient                      pam_script.so dir=/etc/pam-script grace=900 only_from=127.0.0.1 userid=mail

Is this correct?
From what I saw in your pam_script_auth file, the file pam-script-saml.php must be in the same directory.
Can we choose where to put both files and just adapt the dir parameter?

  • Concerning the param 'idp', knowing I have the idp-metadata.xml file in /etc/sogo, is this the correct file to reference?
idp=/etc/sogo/idp-metadata.xml

  • Concerning the param trusted_sp, I must put the "EntityID of SP".
Is this the client ID defined in the keycloak realm -> client?
The client ID defined in my keycloak realm is the address of my Sogo saml2 metadata.
[EDIT] It's indeed the right value, as my tests showed later.

trusted_sp=https://my.sogo.host/SOGo/saml2-metadata

  • I also tried to use your test.sh script included in the repo, but I don't know how to fill the test.env file.
    Would this be the correct format? And what values should be put there?
ITERATIONS=
IDP_METADATA=/etc/sogo/idp-metadata.xml
TRUSTED_SP=
PAM_AUTHTOK=
PAM_RHOST=
PAM_TYPE=
PAM_USER=

My problem is that I get an error from Sogo when Keycloak sends the user back to Sogo.

NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

I don't know if the error is in my Sogo or Keycloak configuration or because of the problem with authenticating in Dovecot from Sogo with a token (so the need for this auth script).

That's why I would like to try your test.sh script to be sure that part is working.

Thanks.
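The question above turns on two details of the pam_script setup: the script directory named by dir= must contain both pam_script_auth and pam-script-saml.php (possibly as symlinks), and whatever PAM ends up executing as root should not be writable by anyone else. The following check script is an added example, not code from the pam-script-saml project or from this issue. It assumes GNU coreutils (stat -c, readlink -f) and treats "root-owned, not writable by group or others" as its own hardening rule rather than a documented project requirement; the temporary layout it builds mirrors the symlink arrangement described in the issue and is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the pam-script-saml project. It assumes the
# layout described in the issue: pam_script runs pam_script_auth from the
# directory given by its dir= option, and pam_script_auth expects
# pam-script-saml.php beside it. The permission rules below (root-owned, not
# writable by group or others) are this example's own hardening assumptions,
# not documented requirements of the project.

# writable_by_others MODE -> 0 if the octal MODE (e.g. 755, 4755) has a write
# bit set for group or others.
writable_by_others() {
    mode=$1
    other=${mode#${mode%?}}            # last octal digit
    grp=${mode%?}; grp=${grp#${grp%?}} # second-to-last octal digit
    case "$grp$other" in
        *[2367]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_pam_script_dir DIR -> 0 when DIR holds both scripts with sane
# permissions, 1 otherwise; every finding is printed to stderr.
check_pam_script_dir() {
    dir=$1
    status=0
    realdir=$(readlink -f "$dir")
    if [ ! -d "$realdir" ]; then
        echo "MISSING DIR: $dir" >&2
        return 1
    fi
    # A directory that others can write lets them swap the symlinks.
    if writable_by_others "$(stat -c '%a' "$realdir")"; then
        echo "DIR WRITABLE BY GROUP/OTHERS: $realdir" >&2
        status=1
    fi
    for f in pam_script_auth pam-script-saml.php; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "MISSING: $path (dangling symlink?)" >&2
            status=1
            continue
        fi
        # PAM executes the symlink target, so mode and owner are checked there.
        real=$(readlink -f "$path")
        if [ "$f" = pam_script_auth ] && [ ! -x "$real" ]; then
            echo "NOT EXECUTABLE: $real" >&2
            status=1
        fi
        if writable_by_others "$(stat -c '%a' "$real")"; then
            echo "WRITABLE BY GROUP/OTHERS: $real" >&2
            status=1
        fi
        owner=$(stat -c '%u' "$real")
        if [ "$owner" != 0 ]; then
            # Reported but not fatal, so the check can be tried as a normal user.
            echo "WARN: $real is owned by uid $owner, not root" >&2
        fi
    done
    return $status
}

# make_demo_layout -> prints a constructed temporary tree mirroring the issue:
# scripts under a web-root style directory, symlinked from a pam-script dir.
make_demo_layout() {
    base=$(mktemp -d)
    src="$base/var/www/pam-script-saml"
    mkdir -p "$src" "$base/etc/pam-script"
    chmod 755 "$base/etc/pam-script"
    printf '#!/bin/sh\nexit 0\n' > "$src/pam_script_auth"
    printf '<?php\n' > "$src/pam-script-saml.php"
    chmod 755 "$src/pam_script_auth"
    chmod 644 "$src/pam-script-saml.php"
    ln -s "$src/pam_script_auth" "$base/etc/pam-script/pam_script_auth"
    ln -s "$src/pam-script-saml.php" "$base/etc/pam-script/pam-script-saml.php"
    echo "$base"
}

# Demo: the constructed layout passes; the same layout with a world-writable
# auth script is rejected.
demo=$(make_demo_layout)
if check_pam_script_dir "$demo/etc/pam-script"; then
    echo "OK: $demo/etc/pam-script"
fi
chmod o+w "$demo/var/www/pam-script-saml/pam_script_auth"
if ! check_pam_script_dir "$demo/etc/pam-script"; then
    echo "rejected world-writable pam_script_auth as expected"
fi
rm -rf "$demo"
```

To check a real installation, call check_pam_script_dir with the same path given to dir= in /etc/pam.d/common-auth (for the setup in this issue, /etc/pam-script); a non-zero exit with a MISSING line points at a typo between the directory that holds the symlinks and the one named in the PAM line.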
