Hi MJ,

I’m probably one of the few that got it working. I’m using it on Debian 8, what 
is your OS?

crudesaml was not working for me, since it needs at least a patched liblasso 
(you find more on that in the archive, I’ve posted all my findings some weeks 
ago).
My solution was developed relatively quickly using PHP (I tried a shell script 
first, but parsing XML etc. would have been hell): 
https://github.com/ck-ws/pam-script-saml

Of course it would also be possible to just accept any password on the dovecot 
side from localhost. I would try it as it’s documented for OpenChange.

Your problem isn’t really one: For Dovecot you can specify several passdb 
lookups, I’ve done that also (one for localhost with the normal LDAP userdb, 
one with PAM for SAML, and one using MySQL for Google-like app passwords), see 
below:

# application specific passwords
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql-asp.conf.ext
}
# PAM (for SOGo SAML SSO login)
passdb {
  driver = pam
}
# normal login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  override_fields = allow_nets=local,127.0.0.1/32,::1
}
userdb {
  driver = prefetch
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
}

Of course you would need to apply your passwordless config in there. But I 
don’t really like the thought of a passwordless mail access…

Also there is currently a problem with CAS/SAML authentication. See #3884: 
https://sogo.nu/bugs/view.php?id=3884


Best regards,
Christoph

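As an added illustration of the multi-passdb approach described above (this is not Christoph's configuration and not taken from the SOGo or Dovecot documentation; the driver names, the `nopassword` and `allow_nets` extra fields and `doveadm auth test` are standard Dovecot, while the file paths and the 127.0.0.1/::1 restriction are assumptions for the example), here is a minimal `conf.d/10-auth.conf`-style fragment that keeps regular password authentication for everyone and adds a passwordless passdb that only ever matches connections from the loopback interface:

```conf
# --- what NOT to do: accept any password from anywhere ------------------
# passdb {
#   driver = static
#   args = nopassword=y
# }

# --- regular login: every client, password checked against LDAP ----------
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext   # assumed path
  # default result handling: success -> return-ok, failure -> continue,
  # so a wrong/empty password falls through to the next passdb below
}

# --- passwordless login for SOGo/OpenChange on the same host --------------
# Listed AFTER the LDAP passdb on purpose: remote clients that fail LDAP
# land here and are rejected by allow_nets, local clients are accepted.
passdb {
  driver = static
  # nopassword=y: accept any password; allow_nets: but only from these
  # addresses (assumed: loopback only, IPv4 and IPv6)
  args = nopassword=y allow_nets=127.0.0.1/32,::1/128
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-userdb.conf.ext   # assumed path
}
```

After reloading Dovecot, check both paths without a real client: `doveadm auth test -x service=imap -x rip=127.0.0.1 alice wrongpass` should succeed (static passdb, loopback), while the same command with `-x rip=192.0.2.10` (a documentation address used here as a constructed remote IP) should fail with an `allow_nets check failed` entry in the auth log. Dovecot evaluates passdb blocks in order, so if you instead put the passwordless block first, confirm with the same two commands that a rejected `allow_nets` check still falls through to LDAP on your version rather than relying on it.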
> On 25.11.2016 at 09:08, mj (li...@merit.unu.edu) <users@sogo.nu> wrote:
> 
> Hi,
> 
> We have just started experimenting with saml, and trying it with the various 
> applications we use.
> 
> From the docs and list posts, it seems that we can use SAML with sogo, the 
> only difficulty being the dovecot authentication. (with crudesaml, pam, etc)
> 
> So I wonder: for the SOGo openchange/outlook compatibility it is already 
> required to allow imap from localhost without a password. Could we somehow 
> use this for SAML auth as well?
> 
> Is anyone doing that? What would the required config be like?
> 
> The problem, I imagine: we need a 'regular' config, for regular password 
> authentication, and a 'localhost-passwordless' config, specific for saml, 
> right?
> 
> Or am I talking nonsense now?
> 
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
