[SOGo] SOGo + Dovecot + Keycloak + Apache + libapache2-mod-auth-openidc -> working setup

2023-07-01 Thread Claas Hilbrecht

Hi,

after trying to get SAML working with Dovecot without success for
several days, I tried a different approach today. Instead of using
SAML I switched to the libapache2-mod-auth-openidc module. I
changed the Apache sogo.conf to support the OIDC module with the
settings below. Please note that you need to add some checks about
valid claims; take a look at
https://github.com/OpenIDC/mod_auth_openidc/wiki -> "Require claim
sub:".


--- /etc/apache2/sites-available/sogo.conf ---


OIDCCryptoPassphrase    "verylongsecret"
OIDCProviderMetadataURL https://auth.example.com/realms/master/.well-known/openid-configuration

OIDCRedirectURI         http://sogo.example.com/redirect_uri
OIDCClientID            SOGo
OIDCClientSecret        random_client_secret
OIDCRemoteUserClaim     email
OIDCScope               "email openid"
OIDCAuthNHeader         x-webobjects-remote-user
OIDCXForwardedHeaders   X-Forwarded-Proto X-Forwarded-Port X-Forwarded-Host
OIDCPassClaimsAs        both

# The container tags around the next two directives were lost in the
# archived copy of this mail; <Location /SOGo> is assumed here.
<Location /SOGo>
  AuthType openid-connect
  Require valid-user
</Location>

# The opening <Proxy ...> tag was also mangled in the archive; the URL is
# reproduced as it appears there.
<Proxy http://127.0.0.1:2/SOGo>
  # Add Basic Authorization
  RequestHeader set "x-webobjects-auth-type" "Basic"
  # Combine username and password with a colon ':' only when a
  # valid access_token is available
  RequestHeader set Authorization "%{OIDC_CLAIM_email}e:%{OIDC_access_token}e" env=OIDC_access_token
  # Add the plain text 'Basic ' and the base64-encoded
  # username:access_token to the Authorization header
  RequestHeader set Authorization "expr=Basic %{base64:%{HTTP:Authorization}}"
</Proxy>


--- /etc/apache2/sites-available/sogo.conf ---

I removed every SOGoSAML2* config setting from /etc/sogo/sogo.conf and  
changed these settings:


SOGoTrustProxyAuthentication    = YES;
NGImap4AuthMechanism            = PLAIN;
SOGoForceExternalLoginWithEmail = YES;

You need to adjust Dovecot to support the login via PLAIN. The
access_token is sent as the password in the PLAIN authentication. To
support this, make these changes:


--- /etc/dovecot/conf.d/auth-oauth2.conf.ext ---
auth_mechanisms = $auth_mechanisms plain
passdb {
  driver = oauth2
  mechanisms = plain
  args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
}
---

Please note that I use introspection_mode = local, so you need to copy the
keys required to validate the access_token to the directory
/etc/dovecot/keys/. The required keys are logged when you enable full
debug logs.


--- /etc/dovecot/dovecot-oauth2.plain.conf.ext ---
openid_configuration_url =  
https://auth.example.com/realms/master/.well-known/openid-configuration

introspection_mode = local
issuers = https://auth.example.com/realms/master
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
client_id = dovecot
client_secret = random_client_secret
scope = email
username_attribute = email
username_format = %Ln
---

Since the access_token from Keycloak will expire within a minute (the
default), you should change the expiry time to a higher value. This is
required since I didn't know how to pass the refresh_token to Dovecot
to enable Dovecot to renew the access_token from time to time... If
someone has an idea, I would really like to know.


And one very important piece of information: you need to configure a
SOGoUserSources entry to enable a successful "c_uid" lookup. So create a
table as SOGo requires and just put the email from OIDC_CLAIM_email
into the column "c_uid". I think this table isn't really needed; maybe
I will make a patch to avoid creating such a table.


Hope this helps someone!
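Added example (mine, not code from the post or from the SOGo, Dovecot or Keycloak projects): it walks one access_token through the four hops the setup above relies on, in Python. Hop 1 builds the Authorization header the two RequestHeader directives produce, hop 2 splits it the way SOGo does with SOGoTrustProxyAuthentication = YES, hop 3 packs login and "password" into the SASL PLAIN message NGImap4AuthMechanism = PLAIN sends, and hop 4 models what Dovecot's introspection_mode = local has to establish before the token counts as a valid password: key selection by alg/kid, signature, issuer, expiry, then the username_attribute claim normalised by username_format = %Ln. Everything Keycloak- or Dovecot-internal is modelled, not called: the token is signed with HS256 under a constructed shared key standing in for the realm's RS256 public key in /etc/dovecot/keys/, the "alg/kid" layout of the key dict, the function names and the status strings are assumptions of this example, and the %Ln step is my reading of that setting (lowercased local part of user@domain). It also exercises the failure the post runs into: a token whose exp has passed.

```python
"""Added example: one access_token through Apache -> SOGo -> IMAP PLAIN -> Dovecot oauth2 passdb.
Stdlib only; HS256 with a constructed key stands in for Keycloak's RS256 realm key."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Values copied from the configuration in the post.
ISSUER = "https://auth.example.com/realms/master"   # Dovecot: issuers =
USERNAME_ATTRIBUTE = "email"                         # Dovecot: username_attribute =

# Stand-in for local_validation_key_dict (/etc/dovecot/keys/), keyed "<alg>/<kid>".
# Constructed for this example; the layout and the key itself are assumptions.
KEYS = {"hs256/kc-example-kid": b"constructed-shared-secret-not-a-real-key"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, kid: str = "kc-example-kid", key: bytes | None = None) -> str:
    """Constructed stand-in for the Keycloak token endpoint: an HS256-signed JWT."""
    key = KEYS[f"hs256/{kid}"] if key is None else key
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def apache_authorization_header(email: str, access_token: str) -> str:
    """Hop 1: what the two RequestHeader directives in the <Proxy> block produce."""
    return "Basic " + base64.b64encode(f"{email}:{access_token}".encode()).decode("ascii")


def sogo_proxy_login(authorization: str) -> tuple[str, str]:
    """Hop 2: SOGoTrustProxyAuthentication=YES takes login and 'password' from that header."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected a Basic Authorization header")
    login, _, password = base64.b64decode(blob).decode().partition(":")
    return login, password


def sasl_plain_message(login: str, password: str) -> bytes:
    """Hop 3: SASL PLAIN initial client response (RFC 4616): \\0authcid\\0passwd."""
    return b"\0" + login.encode() + b"\0" + password.encode()


def dovecot_local_introspection(plain_message: bytes, now: float | None = None) -> tuple[str | None, str]:
    """Hop 4: checks a local-mode validation must pass before the 'password' is accepted.
    Returns (username, status); username is None unless status == "ok"."""
    now = time.time() if now is None else now
    try:
        _, _login, token = plain_message.split(b"\0")
        head_b64, body_b64, sig_b64 = token.decode("ascii").split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:                      # covers base64, JSON and unpacking errors
        return None, "malformed token"

    # The key is selected by alg/kid, so an unexpected "alg" (e.g. none) simply finds no key.
    key = KEYS.get(f"{str(header.get('alg', '')).lower()}/{header.get('kid', '')}")
    if key is None:
        return None, "no validation key for alg/kid"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"

    # Claims are only looked at after the signature held.
    if claims.get("iss") != ISSUER:
        return None, "issuer not in issuers list"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None, "token expired"          # the one-minute lifetime problem from the post
    email = claims.get(USERNAME_ATTRIBUTE)
    if not isinstance(email, str) or "@" not in email:
        return None, f"no usable {USERNAME_ATTRIBUTE} claim"

    # username_format = %Ln: %n is the local part of user@domain, the L modifier lowercases it.
    return email.split("@", 1)[0].lower(), "ok"


if __name__ == "__main__":
    token = mint_token({"iss": ISSUER, "email": "Claas.Hilbrecht@example.com",
                        "exp": int(time.time()) + 60})
    header = apache_authorization_header("claas.hilbrecht@example.com", token)
    login, password = sogo_proxy_login(header)
    print(dovecot_local_introspection(sasl_plain_message(login, password)))
```

Run it as a script and it prints ('claas.hilbrecht', 'ok'); call dovecot_local_introspection with now set past the token's exp and the result flips to (None, 'token expired'), which is the state the post describes after the default lifetime runs out. Note that the example only reports a username once signature, issuer and expiry have all passed; whatever a deployment does with that name afterwards (the c_uid lookup in SOGo, the mailbox lookup in Dovecot) starts from a value the token itself vouched for.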





Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-30 Thread Claas Hilbrecht

Hi

and again I added some debug prints to SOGoSAML2Session.m. Now the
important part looks like this:


---
- (void) processAuthnResponse: (NSString *) authnResponse
{
  /* ... */

  NSPrintErr(@"lasso_profile_get_identity:");
  lasso_identity = lasso_profile_get_identity (profile);
  if (lasso_identity)
    {
      dump = lasso_identity_dump (lasso_identity);
      nsDump = [NSString stringWithUTF8String: dump];
      NSPrintErr(@"nsDumpB: %@", nsDump);
      [saml2Dump setObject: nsDump forKey: @"identity"];
      NSPrintErr(@"identityAA: %@", nsDump);
      lasso_identity_destroy (lasso_identity);
      NSPrintErr(@"lasso_identity_destroy/post");
    }
  /* the next two calls pass a C string literal (no @ prefix), while
     NSPrintErr takes an NSString *format */
  NSPrintErr("sharedCache/pre");
  [[SOGoCache sharedCache] setSaml2LoginDumps: saml2Dump
                                forIdentifier: identifier];
  NSPrintErr("sharedCache/post");
  free (responseData);
}
---

Again I tried to log in, got redirected to Keycloak (21.1.2, just
upgraded today) and after coming back to SOGo this gets logged:


---
lasso_profile_get_identity:
nsDumpB: [lasso identity dump; the element tags were lost in the archive, attributes and text remain]
  xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2"
  xmlns:lasso="http://www.entrouvert.org/namespaces/lasso/0.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  RemoteProviderID="https://auth.example.com/realms/master" FederationDumpVersion="2"
  Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" G-2594070f-2a5d-452d-8a25-97a59350d785
identityAA: (identical dump)

lasso_identity_destroy/post

Program received signal SIGSEGV, Segmentation fault.
0x77439d35 in objc_msg_lookup () from  
/lib/x86_64-linux-gnu/libobjc.so.4

(gdb) bt
#0  0x77439d35 in objc_msg_lookup () at  
/lib/x86_64-linux-gnu/libobjc.so.4

#1  0x76de9cb9 in  () at /lib/libgnustep-base.so.1.28
#2  0x77f3d304 in NSPrintErr (format=0x77f526f6) at  
./SoObjects/SOGo/SOGoSAML2Session.m:91

#3  0x77f3f4d9 in -[SOGoSAML2Session processAuthnResponse:]
(self=0x55877870, _cmd=0x725e1a30  
<_OBJC_SELECTOR_TABLE+720>, authnResponse=0x559906d0) at  
./SoObjects/SOGo/SOGoSAML2Session.m:546
#4  0x725d6b39 in -[SOGoSAML2Actions saml2SignOnPOSTAction]  
(self=0x55e2a1a0, _cmd=0x55aa6510) at  
./UI/MainUI/SOGoSAML2Actions.m:175

#5  0x7794cd31 in  () at /lib/libNGObjWeb.so.4.9
#6  0x779ea252 in  () at /lib/libNGObjWeb.so.4.9
---

I also tried to comment out the call to lasso_identity_destroy() but  
this didn't change the segfault. So I assume something gets messed up  
before.


But now I really don't know how to get further on my own.

@users@sogo.nu: Any ideas?


PS: The NSPrintErr is this one and the segfault is the NSString line.

---
// print to stderr
static void NSPrintErr(NSString *format, ...)
{
  va_list args;
  va_start(args, format);

  NSString *string = [[NSString alloc] initWithFormat: format
                                            arguments: args];

  va_end(args);

  fprintf(stderr, "%s\n", [string UTF8String]);
  fflush(stderr);

#if !__has_feature(objc_arc)
  [string release];
#endif
}
---



Re: [SOGo] Has someone a working SAML configuration most optimal with Keycloak as IDP?

2023-06-29 Thread Claas Hilbrecht

Hi,


> DISCLAIMER: I have zero knowledge of SAML!


me too I think after trying more than a week to get SOGo working with  
Keycloak...



> Having said that, there are two cases where people successfully used it,
> although not sure if they also used Keycloak.
>
> 1. https://www.mail-archive.com/users@sogo.nu/msg29860.html
> 2. https://marc.info/?l=sogo-users&m=147697076318929&w=2


I already found both posts (and many more). But I can't find a post
that was written this year, and Keycloak has changed a lot in the last
few years...





[SOGo] Has someone a working SAML configuration most optimal with Keycloak as IDP?

2023-06-29 Thread Claas Hilbrecht

Hi,

since I still have trouble getting the SOGo 5.8.4 SAML login working
with Keycloak 21.1.1, I wonder if someone has a working setup and is
willing to share that configuration?





Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-28 Thread Claas Hilbrecht

Hi,

first of all, thanks for the help.

The profile.c is from the lasso module ->
https://github.com/adieu/lasso/blob/master/lasso/saml-2.0/profile.c


> We need to find which lasso function in SOGoSAML2Session.m (I
> assume, it may be another file) is called and make that error, then
> check the arguments given.


I try to find the mentioned function with these changes:

--- SOGoSAML2Session.m ---
- (id) _initWithDump: (NSDictionary *) saml2Dump
           inContext: (WOContext *) context
{
  lasso_error_t rc;
  LassoServer *server;
  LassoProfile *profile;
  const gchar *dump;

  if ((self = [self init]))
    {
      server = [SOGoSAML2Session lassoServerInContext: context];
      lassoLogin = lasso_login_new (server);
      if (saml2Dump)
        {
          profile = LASSO_PROFILE (lassoLogin);

          ASSIGN (login, [saml2Dump objectForKey: @"login"]);
          ASSIGN (identifier, [saml2Dump objectForKey: @"identifier"]);
          ASSIGN (assertion, [saml2Dump objectForKey: @"assertion"]);
          ASSIGN (identity, [saml2Dump objectForKey: @"identity"]);
          dump = [identity UTF8String];
          if (dump)
            {
              /* dump is a const gchar *, while %@ expects an object;
                 %s is the specifier that matches a C string */
              NSLog(@"_initWithDump/identity/pre: %@", dump);
              lasso_profile_set_identity_from_dump (profile, dump);
              NSLog(@"_initWithDump/identity/post: %@", dump);
            }
---

---
Jun 28 09:00:30 sogod [831]: |SOGo| request took 0.102924 seconds to execute
Jun 28 09:00:30 sogod [831]: 79.140.187.148, 172.27.11.107 "POST  
/SOGo/saml2-signon-post HTTP/1.1" 302 0/12977 0.105 - - 692K - 12
Jun 28 09:00:30 sogod [831]: |SOGo| starting method 'GET' on uri  
'/SOGo//claas.hilbre...@linum.com'


Program received signal SIGSEGV, Segmentation fault.
0x77439d35 in objc_msg_lookup () from  
/lib/x86_64-linux-gnu/libobjc.so.4

(gdb) bt
#0  0x77439d35 in objc_msg_lookup () at  
/lib/x86_64-linux-gnu/libobjc.so.4

#1  0x76dc45cc in GSPrivateFormat
(s=s@entry=0x7fffa9f0, format=format@entry=0x7fffaa30,  
ap=ap@entry=0x7fffbae0, locale=locale@entry=0x0) at  
./Source/GSFormat.m:1869
#2  0x76de9d69 in -[GSPlaceholderString initWithFormat:locale:arguments:]
(self=0x556ea340, _cmd=<optimized out>, format=<optimized out>, locale=0x0, argList=0x7fffbae0) at ./Source/GSString.m:1642
#3  0x76ec0674 in NSLogv (format=0x77fbf820 <_OBJC_INSTANCE_24.9>, args=0x7fffbae0) at ./Source/NSLog.m:425
#4  0x76ec09e9 in NSLog (format=<optimized out>) at ./Source/NSLog.m:297

#5  0x77f3e7ed in -[SOGoSAML2Session _initWithDump:inContext:]
(self=0x55ddd350, _cmd=0x77fc01b0  
<_OBJC_SELECTOR_TABLE+688>, saml2Dump=0x55746610,  
context=0x55ddce30)

at ./SoObjects/SOGo/SOGoSAML2Session.m:372
#6  0x77f3eb31 in +[SOGoSAML2Session _SAML2SessionWithDump:inContext:]
(self=0x77fbfd80 <_OBJC_Class_SOGoSAML2Session>,  
_cmd=0x77fc01d0 <_OBJC_SELECTOR_TABLE+720>,  
saml2Dump=0x55746610, context=0x55ddce30)

at ./SoObjects/SOGo/SOGoSAML2Session.m:413
#7  0x77f3ec69 in +[SOGoSAML2Session  
SAML2SessionWithIdentifier:inContext:]

---




Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-27 Thread Claas Hilbrecht

Hi,

I recompiled the sogo 5.8.4 package from Debian sid and added some  
NSLog outputs. So I can confirm that the SAML response is really ok  
and the content is fine. But it seems something in my setup is wrong.


SOGo writes the current session to the sogo_sessions_folder. This
works fine, the content is stored in the MySQL DB. But after storing
the session two errors get logged:


---
(process:20775): Lasso-CRITICAL **: 20:45:24.648: 2023-06-27 20:45:24  
(profile.c/:913) Trying to unref a non GObject pointer  
file=profile.c:913 pointerbybname=profile->identity  
pointer=0x55c2ab612ec0


(process:20775): Lasso-CRITICAL **: 20:45:24.648: 2023-06-27 20:45:24  
(profile.c/:916) Trying to unref a non GObject pointer  
file=profile.c:916 pointerbybname=profile->session  
pointer=0x55c2ab547c90

---

I can't find the profile.c source code for now, but I assumed SOGo
tried to read the user's profile from the table sogo_user_profile. But
even after creating this entry


INSERT INTO `sogo_user_profile` (`c_uid`, `c_defaults`, `c_settings`) VALUES
('claas.hilbre...@example.com', '{}', '{}');

I still get the above error... So what am I missing?

---
Jun 27 18:45:24 sogod [20775]: 79.140.187.148, 172.27.11.107 "GET  
/SOGo//claas.hilbre...@example.com HTTP/1.1" 302 0/0 0.015 - - 0 - 13
Jun 27 18:45:24 sogod [20775]: |SOGo| starting method 'POST' on uri  
'/SOGo/saml2-signon-post'

2023-06-27 18:45:24.643 sogod[20775:20775] loginA: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] loginB: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] loginC: claas.hilbre...@example.com
2023-06-27 18:45:24.643 sogod[20775:20775] assertionA: [signed SAML assertion; the element tags were lost in the archive, attributes and text remain in document order]
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ID_21fcb575-9d92-4539-889e-40cf22767fd0" IssueInstant="2023-06-27T18:45:24.511Z" Version="2.0"
  https://auth.example.com/realms/master
  http://www.w3.org/2000/09/xmldsig# http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  http://www.w3.org/2000/09/xmldsig#enveloped-signature http://www.w3.org/2001/10/xml-exc-c14n# http://www.w3.org/2001/04/xmlenc#sha256
  KNo7JjLw1k6KyvJCzBkw6firW3TO2IvMr9Z+NiIeJqE=
  aDvUyS7iFXxi9ILF6byZeh1wbmqu2928G2KNa7zWGGEK0bDTv6udgHtoVnaBJ1+s4JE7G5QCBc/0KdmK+qveGwITcTXLSaSZHZuKfF3Nd1Q8HbA/m7YX9F0E8qFHBQkBCGvbSiR2Jttn2YXkGsxy+T455dV24Fl840KkM9ENiG4e2kHExHdM1aFMQbgBMxdJcWhBTkatnawBvSv5PpTvG8u0bU4UX7RlsdGnK+OnWCCe8tH1aKLUUaDRANuiEzroyVdBLbXEnmiYLru8QIx9ycckrx6NuIw6kNX73g07S5uQUS9fxemYs6BRNcHUHboL/aRPdq1XrgUDdBsTdDiFdQ==
  lW-L-g3kaWfrc5goQbcyY8W77J3- [...]
  G-2594070f-2a5d-452d-8a25-97a59350d785
  https://sogo.example.com/SOGo/saml2-signon-post
  https://sogo.example.com/SOGo/saml2-metadata
  urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" claas.hilbre...@example.com
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" clahil
2023-06-27 18:45:24.643 sogod[20775:20775] identifierA:  
G-2594070f-2a5d-452d-8a25-97a59350d785
2023-06-27 18:45:24.645 sogod[20775:20775]  
 SQL:  
BEGIN;
2023-06-27 18:45:24.646 sogod[20775:20775]  
   query  
has no results.
2023-06-27 18:45:24.646 sogod[20775:20775]  
 SQL:  
SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM   
sogo_sessions_folder t1 WHERE t1.c_id='AY9zox6L6tlqhvTT';
2023-06-27 18:45:24.646 sogod[20775:20775]  
   query  
has results, entering fetch-mode.
2023-06-27 18:45:24.646 sogod[20775:20775]  
 SQL:  
ROLLBACK;
2023-06-27 18:45:24.646 sogod[20775:20775]  
   query  
has no results.
2023-06-27 18:45:24.646 sogod[20775:20775]  
 SQL:  
BEGIN;
2023-06-27 18:45:24.646 sogod[20775:20775]  
   query  
has no results.
2023-06-27 18:45:24.646 sogod[20775:20775]  
 SQL:  
INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value,  
c_id) VALUES (1687891524, 1687891524,  
'+6v3UAlzw1Uopz6KfBucDF/undxmEMWLRwYITYMMPL/WfB8aZiYjLw4LS+IqAGZDf4awmijbrXRySJkvBVBUMogRfM

Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-26 Thread Claas Hilbrecht

Hi,

next update. After using the URL
https://www.scottbrady91.com/tools/saml-parser to inspect my SAML
response I'm pretty sure everything is fine. This site is able to
display the SAML Response without any garbage. Now I'm getting a little
step further (after manually doing this query: ALTER TABLE
sogo_sessions_folder MODIFY c_value VARCHAR(4096);)


---
Jun 26 18:45:21 sogod [2521]: |SOGo| starting method 'POST' on uri  
'/SOGo/saml2-signon-post'
2023-06-26 18:45:21.404 sogod[2521:2521]  
 SQL:  
BEGIN;
2023-06-26 18:45:21.404 sogod[2521:2521]  
   query  
has no results.
2023-06-26 18:45:21.404 sogod[2521:2521]  
 SQL:  
SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM   
sogo_sessions_folder t1 WHERE t1.c_id='+dm+GN1YY2Cu2LHI';
2023-06-26 18:45:21.405 sogod[2521:2521]  
   query  
has results, entering fetch-mode.
2023-06-26 18:45:21.405 sogod[2521:2521]  
 SQL:  
ROLLBACK;
2023-06-26 18:45:21.405 sogod[2521:2521]  
   query  
has no results.
2023-06-26 18:45:21.405 sogod[2521:2521]  
 SQL:  
BEGIN;
2023-06-26 18:45:21.405 sogod[2521:2521]  
   query  
has no results.
2023-06-26 18:45:21.405 sogod[2521:2521]  
 SQL:  
INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value,  
c_id) VALUES (1687805121, 1687805121,  
'[encrypted session value; truncated in the archive]',
'+dm+GN1YY2Cu2LHI');
2023-06-26 18:45:21.405 sogod[2521:2521]  
   query  
has no results.
2023-06-26 18:45:21.405 sogod[2521:2521]  
 SQL:  
COMMIT;
2023-06-26 18:45:21.406 sogod[2521:2521]  
   query  
has no results.

Jun 26 18:45:21 sogod [2521]: |SOGo|   constructed root-url: /SOGo/
Jun 26 18:45:21 sogod [2521]: |SOGo|   setting root-url in context: /SOGo/
Jun 26 18:45:21 sogod [2521]: |SOGo| ROOT baseURL(no container, name=(null)):
  own: /SOGo/

(process:2521): Lasso-CRITICAL **: 20:45:21.407: 2023-06-26 20:45:21  
(profile.c/:913) Trying to unref a non GObject pointer  
file=profile.c:913 poi

Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-26 Thread Claas Hilbrecht

Hi,

after looking at the sourcecode, which is just:

if (loginAttribue && (strcmp (attribute->Name, [loginAttribue  
UTF8String]) == 0))


I tried to debug the request flow. With the help of the Apache dumpio
module I was able to capture the whole traffic. I tried to decode
the capture but it seems that the data is broken. It starts like this:


[SAML Response; the element tags were lost in the archive, attributes remain]
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="https://sogo.linum.biz/SOGo/saml2-signon-post"
ID="ID_f2451abf-1693-4509-a54f-af20461c28d5"
InResponseTo="_02F15ED37EA154C6F8927F722B48897D"
IssueInstant="2023-06-26T15:46:30.664Z"
Version="2.0"


[...] looks like garbage. So somewhere in between
the proxy setup something goes wrong.





Re: [SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-26 Thread Claas Hilbrecht

Hi,

> In your logs you have a segfault. You need to provide a backtrace
> according to https://www.sogo.nu/support/faq/how-do-i-debug-sogo.html


Here it is:

---
2023-06-26 07:39:05.169 sogod[816:816]  
 SQL:  
SELECT c_defaults FROM sogo_user_profile WHERE c_uid = 'anonymous';
2023-06-26 07:39:05.171 sogod[816:816]  
   query  
has results, entering fetch-mode.

Jun 26 07:39:05 sogod [816]: |SOGo| request took 0.468025 seconds to execute
Jun 26 07:39:05 sogod [816]: 79.140.187.148, 172.27.11.107 "GET /SOGo  
HTTP/1.1" 302 0/0 0.471 - - 4M - 11
Jun 26 07:39:10 sogod [816]: |SOGo| starting method 'POST' on uri  
'/SOGo/saml2-signon-post'


Program received signal SIGSEGV, Segmentation fault.
0x76ac7744 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x76ac7744 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x77f400c1 in -[SOGoSAML2Session _updateDataFromLogin]  
(self=0x55705c40, _cmd=0x77fc0cc0 <_OBJC_SELECTOR_TABLE+640>)

at ./SoObjects/SOGo/SOGoSAML2Session.m:272
#2  0x77f40f2c in -[SOGoSAML2Session processAuthnResponse:]  
(self=0x55705c40, _cmd=0x725e99b0 <_OBJC_SELECTOR_TABLE+720>,

authnResponse=0x55e26970) at ./SoObjects/SOGo/SOGoSAML2Session.m:466
#3  0x725deb3b in -[SOGoSAML2Actions saml2SignOnPOSTAction]  
(self=0x55e07820, _cmd=0x558769c0) at  
./UI/MainUI/SOGoSAML2Actions.m:175
#4  0x7794cd31 in -[WODirectAction performActionNamed:]  
(self=0x55e07820, _cmd=0x77b28ca0 <_OBJC_SELECTOR_TABLE+928>,
_actionName=0x55dc9590) at  
./sope-appserver/NGObjWeb/WODirectAction.m:97
#5  0x779ea252 in -[SoActionInvocation  
callOnObject:withPositionalParametersWhenNotNil:inContext:]  
(self=0x55752f70,
_cmd=0x77b28cd0 <_OBJC_SELECTOR_TABLE+976>,  
_client=0x55998c80, _positionalArgs=0x0, _ctx=0x5578e790)

at ./sope-appserver/NGObjWeb/SoObjects/SoActionInvocation.m:300
#6  0x779ea39b in -[SoActionInvocation  
callOnObject:inContext:] (self=0x55752f70, _cmd=0x77b229a0  
<_OBJC_SELECTOR_TABLE+672>,
_client=0x55998c80, _ctx=0x5578e790) at  
./sope-appserver/NGObjWeb/SoObjects/SoActionInvocation.m:318
#7  0x779e4031 in -[SoObjectMethodDispatcher  
dispatchInContext:] (self=0x55de1e60, _cmd=0x77b24e40  
<_OBJC_SELECTOR_TABLE+1536>,
_ctx=0x5578e790) at  
./sope-appserver/NGObjWeb/SoObjects/SoObjectMethodDispatcher.m:192
#8  0x779e685c in -[SoObjectRequestHandler  
handleRequest:inContext:session:application:] (self=0x55a978b0,
_cmd=0x77aaec10 <_OBJC_SELECTOR_TABLE+848>,  
_rq=0x555e9f30, _ctx=0x5578e790, _sn=0x0, app=0x55998c80)

at ./sope-appserver/NGObjWeb/SoObjects/SoObjectRequestHandler.m:584
#9  0x779605cd in -[WORequestHandler handleRequest:]  
(self=0x55a978b0, _cmd=0x77a77190 <_OBJC_SELECTOR_TABLE+1616>,
_request=0x555e9f30) at  
./sope-appserver/NGObjWeb/WORequestHandler.m:240
#10 0x7791aa2b in -[WOCoreApplication  
dispatchRequest:usingHandler:] (self=0x55998c80,  
_cmd=0x77a771e0 <_OBJC_SELECTOR_TABLE+1696>,
_request=0x555e9f30, handler=0x55a978b0) at  
./sope-appserver/NGObjWeb/WOCoreApplication.m:712
#11 0x7791ad96 in -[WOCoreApplication dispatchRequest:]  
(self=0x55998c80, _cmd=0x55567520 <_OBJC_SELECTOR_TABLE+1664>,
_request=0x555e9f30) at  
./sope-appserver/NGObjWeb/WOCoreApplication.m:752
#12 0xd9b5 in -[SOGo dispatchRequest:]  
(self=0x55998c80, _cmd=0x77b14d00 <_OBJC_SELECTOR_TABLE+1760>,  
_request=0x555e9f30)

at ./Main/SOGo.m:584
#13 0x779d2c28 in -[WOHttpTransaction _run]  
(self=0x558f2470, _cmd=0x77b14d30 <_OBJC_SELECTOR_TABLE+1808>)

at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m:566
#14 0x779d2fee in -[WOHttpTransaction run]  
(self=0x558f2470, _cmd=0x77b11250 <_OBJC_SELECTOR_TABLE+1168>)

at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpTransaction.m:619
#15 0x779ce5e6 in -[WOHttpAdaptor runConnection:]  
(self=0x558f1fd0, _cmd=0x77b112f0 <_OBJC_SELECTOR_TABLE+1328>,  
_socket=0x55a7df70)

at ./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:373
#16 0x779ce83d in -[WOHttpAdaptor _handleAcceptedConnection:]  
(self=0x558f1fd0, _cmd=0x77b11300 <_OBJC_SELECTOR_TABLE+1344>,
_connection=0x55a7df70) at  
./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:407
#17 0x779cecb6 in -[WOHttpAdaptor _handleConnection:]  
(self=0x558f1fd0, _cmd=0x77b113a0 <_OBJC_SELECTOR_TABLE+1504>,
connection=0x55a7df70) at  
./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:466
#18 0x779cf1c7 in -[WOHttpAdaptor acceptConnection:]  
(self=0x558f1fd0, _cmd=0x77b11210 <_OBJC_SELECTOR_TABLE+1104>,
_notification=0x5574f650) at  
./sope-appserver/NGObjWeb/WOHttpAdaptor/WOHttpAdaptor.m:527


[SOGo] SAML login not working / Keycloak 21.1.1 / Debian bookworm

2023-06-25 Thread Claas Hilbrecht

Hi,

I tried to get a SAML login working and failed. I read a lot in this
list and think I'm pretty close to a working setup. I managed to
get redirected to the IDP login screen, and when I get redirected back
to SOGo I get this error message:


---
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: Error reading from remote server
---

The sogo.log to this request is:

---
Jun 24 11:16:38 sogod [2131]: |SOGo| starting method 'GET' on uri '/SOGo'
Jun 24 11:16:38 sogod [2131]: <0x0x5572c15faaa0[SOGoCache]> Cache  
cleanup interval set every 3600.00 seconds
Jun 24 11:16:38 sogod [2131]: <0x0x5572c15faaa0[SOGoCache]> Using  
host(s) '127.0.0.1' as server(s)
Jun 24 11:16:38 sogod [2131]: [WARN]  
<0x0x7fc5bc4d8a80[WOxElemBuilder]> could not locate builders:  
WOxExtElemBuilder,WOxExtElemBuilder
Jun 24 11:16:38 sogod [2131]: [ERROR]  
<0x0x5572c19e0770[SOGoUserManager]> No authentication sources defined  
- nobody will be able to login. Check your defaults.
2023-06-24 11:16:38.057 sogod[2131:2131]  
 SQL:  
SELECT c_defaults FROM sogo_user_profile WHERE c_uid = 'anonymous';
2023-06-24 11:16:38.058 sogod[2131:2131]  
   query  
has results, entering fetch-mode.

Jun 24 11:16:38 sogod [2131]: |SOGo| request took 0.152470 seconds to execute
Jun 24 11:16:38 sogod [2131]: 79.140.187.148, 172.27.11.107 "GET /SOGo  
HTTP/1.1" 302 0/0 0.155 - - 6M - 12
Jun 24 11:16:44 sogod [2131]: |SOGo| starting method 'POST' on uri  
'/SOGo/saml2-signon-post'
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1604cf0[WOWatchDogChild]>  
child 2131 exited
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1604cf0[WOWatchDogChild]>   
(terminated due to signal 11)
Jun 24 11:16:44 sogod [2128]: <0x0x5572c1543c80[WOWatchDog]> child  
spawned with pid 2135
2023-06-24 11:16:44.602 sogod[2135:2135] MySQL4 connection established  
0x0x5572c168a150
2023-06-24 11:16:44.602 sogod[2135:2135] -- -[MySQL4Channel  
openChannel]: connection=0x0x5572c168a150> opens channel count[0]
2023-06-24 11:16:44.602 sogod[2135:2135] MySQL4 channel  
0x0x5572c155ae80 opened (connection=0x0x5572c168a150,sogo)
2023-06-24 11:16:44.602 sogod[2135:2135]  
 SQL:  
SELECT 1 FROM sogo_user_profile WHERE 1 = 2;
2023-06-24 11:16:44.603 sogod[2135:2135]  
   query  
has results, entering fetch-mode.
2023-06-24 11:16:44.603 sogod[2135:2135]  
 SQL:  
SELECT 1 FROM sogo_folder_info WHERE 1 = 2;
2023-06-24 11:16:44.603 sogod[2135:2135]  
   query  
has results, entering fetch-mode.
2023-06-24 11:16:44.605 sogod[2135:2135]  
 SQL:  
SELECT 1 FROM sogo_sessions_folder WHERE 1 = 2;
2023-06-24 11:16:44.605 sogod[2135:2135]  
   query  
has results, entering fetch-mode.
Jun 24 11:16:44 sogod [2135]: <0x0x5572c176b150[WOHttpAdaptor]>  
notified the watchdog that we are ready

---

I think the WOWatchDogChild kills the login process for whatever
reason... Previously I got this error:


---
sogo.log.1:2023-06-22 19:10:31.616 sogod[4831:4831] EXCEPTION:  
 NAME:NSInvalidArgumentException  
REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

---

But after adding a login key (as an AttributeStatement Mapper/User
Property) to the SAML answer, the above error message is thrown.


I try to get the SAML login working with Debian bookworm and Keycloak 21.1.1.

---
dpkg -l | grep -e 'sogo\|sope'
ii  libsope1         5.8.0-1  amd64  SKYRiX Object Publishing Environment (shared libraries)
ii  sogo             5.8.0-1  amd64  Scalable groupware server
ii  sogo-activesync  5.8.0-1  amd64  Scalable groupware server - ActiveSync module
ii  sogo-common      5.8.0-1  all    Scalable groupware server - common files

---

My sogo.conf looks like this:

---
{
  SOGoDebugRequests   = YES;
  SoDebugBaseURL  = YES;
  SOGoEASDebugEnabled = YES;
  ImapDebugEnabled= YES;
  LDAPDebugEnabled= YES;
  MySQL4DebugEnabled  = YES;
  PGDebugEnabled  = YES;
  SOGoUIxDebugEnabled = YES;
  WODontZipResponse   = YES;

  /* Authentication */
  SOGoPasswordChangeEnabled = NO;

  /* Web Interface */
  SOGoPageTitle = SOGo;
  //SOGoVacationEnabled = YES;
  //SOGoForwardEnabled = YES;
  //SOGoSieveScriptsEnabled = YES;
  //SOGoMailAuxiliaryUserAccountsEnabled = YES;
  //SOGoTrustProxyAuthentication = NO;
  //SOGoXSRFValidationEnabled = YES;

  MySQL4Encoding  = "utf8mb4";
  SOGoProfileURL  =  
"mysql://user:password@127.0.0.1:3306/sogo/sogo_user_profile";
  OCSFolderInfoURL=  
"mysql://user:password@127.0.0.1:3306/sogo/sogo_folder_info";
  OCSSessionsFolderURL=  
"mysql://user:password@127.0.0.1:3306/sogo/sogo_sessions_folder";
  OCSEMailAlarmsFolderURL =  
"mysql://user:password@127.0.0.1:3306/sogo/sogo_alarms_folder";


  SOGoLanguage = English;
  SOGoAppointmentSendEMailNotifications = YES;
  SO