On 29-06-2023 at 15:27, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:
On 28.06.23 at 15:02, Kees van Vloten (keesvanvlo...@gmail.com) wrote:

On 28-06-2023 13:13, Frank Richter (frank.rich...@hrz.tu-chemnitz.de) wrote:
Hello,

for Web access to our SOGo server we use LDAP authentication. This works for CalDAV/CardDAV as well. We’d like to have another authentication method for CalDAV/CardDAV: same username, but different password (as users store those passwords in their apps, we’d like to have a different password just for DAV accesses). Any hints how to achieve this are welcome.

We have Apache as a reverse proxy in front of SOGo.
I have authentication delegated to the apache reverse proxy. With this I am able to achieve exactly what you describe but for sogo-webmail and sogo-activesync.

I have not tried to make caldav/carddav available for mobile devices since activesync includes that information. But I see no reason why apache cannot do this for *dav.
Thanks! And indeed, https://www.sogo.nu/support/faq/how-to-configure-apache-as-frontend.html contains the configuration for this already. Just one additional question: When you authenticate users for sogo-webmail in Apache, how do you log in users to the IMAP server then?

In that case you have the user-name only, not the password. The only way to be able to access imap is passwordless access. I have set up a separate (dovecot-) imap-listener for sogo that allows this and is not accessible on localhost only. For that reason I run sogo and dovecot on the same server, but it is possible to host them on different servers and use a tunnel (e.g. ha-proxy) to get a similar setup.

Btw. with Apache as authenticator you can also distinguish on source location, e.g. internet vs. lan and get different authentication for each: mfa vs. ldap or kerberos.

- Kees.


Frank
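
The Apache side of the setup discussed in this thread, as an added example that is not taken from the messages or from the SOGo FAQ: a separate password file for the DAV path, with the authenticated user name handed to SOGo in the `x-webobjects-remote-user` header. It assumes SOGo listens on 127.0.0.1:20000 with `SOGoTrustProxyAuthentication = YES` in sogo.conf, and the htpasswd path is hypothetical. Because SOGo then trusts that header, every other proxied path (the web UI included) needs its own Apache authentication block, and the SOGo port must be reachable only from the proxy.

```apache
# Added example. Assumed values: SOGo on 127.0.0.1:20000 and the
# hypothetical password file /etc/apache2/sogo-dav.htpasswd.
# Needs mod_proxy_http, mod_headers, mod_auth_basic and mod_authn_file.

# Drop any identity header supplied by the client before anything else runs,
# so only a name that Apache itself authenticated can reach SOGo.
RequestHeader unset x-webobjects-remote-user early

ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0

# CalDAV/CardDAV: same user names as the web login, separate app passwords.
<Location /SOGo/dav>
    AuthType Basic
    AuthName "SOGo DAV"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/sogo-dav.htpasswd
    Require valid-user

    # Hand the authenticated name to SOGo; set only after successful auth.
    RequestHeader set x-webobjects-remote-user "%{REMOTE_USER}e" env=REMOTE_USER
</Location>
```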
