Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?

2023-06-30 Thread andr...@andreasvoegele.com

Frank Richter writes:
Just one additional question: When you authenticate users for 
sogo-webmail in Apache, how do you log in users to the IMAP server then?


If you use Basic access authentication, you can set 
"x-webobjects-auth-type" to "Basic". SOGo will then get the password 
from the Authorization header.


Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?

2023-06-29 Thread Kees van Vloten



Op 29-06-2023 om 15:27 schreef Frank Richter 
(frank.rich...@hrz.tu-chemnitz.de):

Am 28.06.23 um 15:02 schrieb Kees van Vloten (keesvanvlo...@gmail.com):


On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) 
wrote:

Hello,

for Web access to our SOGo server we use LDAP authentication. This 
works for CalDAV/CardDAV as well.
We’d like to have another authentication method for CalDAV/CardDAV: 
same username, but different password (as users store those 
passwords in their apps, we’d like to have different password just 
for DAV accesses). Any hints how to achieve this are welcome.


We’ve Apache as reverse proxy in front of SOGo.
I have authentication delegated to the apache reverse proxy. With 
this I am able to achieve exactly what you describe but for 
sogo-webmail and sogo-activesync.


I have not tried to make caldav/carddav available for mobile devices 
since activesync includes that information. But I see no reason why 
apache cannot do this for *dav.
Thanks! And indeed, 
https://www.sogo.nu/support/faq/how-to-configure-apache-as-frontend.html 
contains the configuration for this already.
Just one additional question: When you authenticate users for 
sogo-webmail in Apache, how do you log in users to the IMAP server then?


In that case you have the user-name only, not the password. The only way 
to be able to access imap is passwordless access. I have setup a 
separate (dovecot-) imap-listener for sogo that allows this and is not 
accessible on localhost only. For that reason I run sogo and dovecot on 
the same server, but it is possible to host them on different servers 
and use a tunnel (e.g. ha-proxy) to get a similar setup.


Btw. with Apache as authenticator you can also distinguish on source 
location, e.g. internet vs. lan and get different authentication for 
each: mfa vs. ldap or kerberos.


- Kees.



Frank



Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?

2023-06-29 Thread Frank Richter

Am 28.06.23 um 15:02 schrieb Kees van Vloten (keesvanvlo...@gmail.com):


On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:

Hello,

for Web access to our SOGo server we use LDAP authentication. This works 
for CalDAV/CardDAV as well.
We’d like to have another authentication method for CalDAV/CardDAV: same 
username, but different password (as users store those passwords in their 
apps, we’d like to have different password just for DAV accesses). Any 
hints how to achieve this are welcome.


We’ve Apache as reverse proxy in front of SOGo.
I have authentication delegated to the apache reverse proxy. With this I 
am able to achieve exactly what you describe but for sogo-webmail and 
sogo-activesync.


I have not tried to make caldav/carddav available for mobile devices since 
activesync includes that information. But I see no reason why apache 
cannot do this for *dav.
Thanks! And indeed, 
https://www.sogo.nu/support/faq/how-to-configure-apache-as-frontend.html 
contains the configuration for this already.
Just one additional question: When you authenticate users for sogo-webmail 
in Apache, how do you log in users to the IMAP server then?


Frank

--
Frank Richter
Chemnitz University of Technology, Germany




smime.p7s
Description: S/MIME Cryptographic Signature


Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?

2023-06-28 Thread Kees van Vloten



On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:

Hello,

for Web access to our SOGo server we use LDAP authentication. This 
works for CalDAV/CardDAV as well.
We’d like to have another authentication method for CalDAV/CardDAV: 
same username, but different password (as users store those passwords 
in their apps, we’d like to have different password just for DAV 
accesses). Any hints how to achieve this are welcome.


We’ve Apache as reverse proxy in front of SOGo.
I have authentication delegated to the apache reverse proxy. With this I 
am able to achieve exactly what you describe but for sogo-webmail and 
sogo-activesync.


I have not tried to make caldav/carddav available for mobile devices 
since activesync includes that information. But I see no reason why 
apache cannot do this for *dav.


- Kees.



Thanks
Frank



[SOGo] Different authentication for CalDAV/CardDAV accesses possible?

2023-06-28 Thread Frank Richter

Hello,

for Web access to our SOGo server we use LDAP authentication. This works for 
CalDAV/CardDAV as well.
We’d like to have another authentication method for CalDAV/CardDAV: same 
username, but different password (as users store those passwords in their 
apps, we’d like to have different password just for DAV accesses). Any hints 
how to achieve this are welcome.


We’ve Apache as reverse proxy in front of SOGo.

Thanks
Frank

--
Frank Richter
Facharbeitsgruppe Datenkommunikation
Universitätsrechenzentrum

Technische Universität Chemnitz
Straße der Nationen 62 | R. B302A
09111 Chemnitz
Germany

Tel: +49 371 531 31879
frank.rich...@hrz.tu-chemnitz.de
www.tu-chemnitz.de/urz



smime.p7s
Description: S/MIME Cryptographic Signature