Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?
Frank Richter writes: Just one additional question: When you authenticate users for sogo-webmail in Apache, how do you log in users to the IMAP server then? If you use Basic access authentication, you can set "x-webobjects-auth-type" to "Basic". SOGo will then get the password from the Authorization header.
Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?
Op 29-06-2023 om 15:27 schreef Frank Richter (frank.rich...@hrz.tu-chemnitz.de): Am 28.06.23 um 15:02 schrieb Kees van Vloten (keesvanvlo...@gmail.com): On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote: Hello, for Web access to our SOGo server we use LDAP authentication. This works for CalDAV/CardDAV as well. We’d like to have another authentication method for CalDAV/CardDAV: same username, but different password (as users store those passwords in their apps, we’d like to have different password just for DAV accesses). Any hints how to achieve this are welcome. We’ve Apache as reverse proxy in front of SOGo. I have authentication delegated to the apache reverse proxy. With this I am able to achieve exactly what you describe but for sogo-webmail and sogo-activesync. I have not tried to make caldav/carddav available for mobile devices since activesync includes that information. But I see no reason why apache cannot do this for *dav. Thanks! And indeed, https://www.sogo.nu/support/faq/how-to-configure-apache-as-frontend.html contains the configuration for this already. Just one additional question: When you authenticate users for sogo-webmail in Apache, how do you log in users to the IMAP server then? In that case you have the user-name only, not the password. The only way to be able to access imap is passwordless access. I have setup a separate (dovecot-) imap-listener for sogo that allows this and is not accessible on localhost only. For that reason I run sogo and dovecot on the same server, but it is possible to host them on different servers and use a tunnel (e.g. ha-proxy) to get a similar setup. Btw. with Apache as authenticator you can also distinguish on source location, e.g. internet vs. lan and get different authentication for each: mfa vs. ldap or kerberos. - Kees. Frank
Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?
Am 28.06.23 um 15:02 schrieb Kees van Vloten (keesvanvlo...@gmail.com): On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote: Hello, for Web access to our SOGo server we use LDAP authentication. This works for CalDAV/CardDAV as well. We’d like to have another authentication method for CalDAV/CardDAV: same username, but different password (as users store those passwords in their apps, we’d like to have different password just for DAV accesses). Any hints how to achieve this are welcome. We’ve Apache as reverse proxy in front of SOGo. I have authentication delegated to the apache reverse proxy. With this I am able to achieve exactly what you describe but for sogo-webmail and sogo-activesync. I have not tried to make caldav/carddav available for mobile devices since activesync includes that information. But I see no reason why apache cannot do this for *dav. Thanks! And indeed, https://www.sogo.nu/support/faq/how-to-configure-apache-as-frontend.html contains the configuration for this already. Just one additional question: When you authenticate users for sogo-webmail in Apache, how do you log in users to the IMAP server then? Frank -- Frank Richter Chemnitz University of Technology, Germany smime.p7s Description: S/MIME Cryptographic Signature
Re: [SOGo] Different authentication for CalDAV/CardDAV accesses possible?
On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote: Hello, for Web access to our SOGo server we use LDAP authentication. This works for CalDAV/CardDAV as well. We’d like to have another authentication method for CalDAV/CardDAV: same username, but different password (as users store those passwords in their apps, we’d like to have different password just for DAV accesses). Any hints how to achieve this are welcome. We’ve Apache as reverse proxy in front of SOGo. I have authentication delegated to the apache reverse proxy. With this I am able to achieve exactly what you describe but for sogo-webmail and sogo-activesync. I have not tried to make caldav/carddav available for mobile devices since activesync includes that information. But I see no reason why apache cannot do this for *dav. - Kees. Thanks Frank
