ck-ws/pam-script-saml

Configuration & testing (for Sogo using Keycloak)

quenenni opened this issue · 0 comments

Hello,

I'm trying to configure Sogo to use my keycloak Idp.
Like Umardraz in #3, I also have trouble understanding some parts of the readme.

What I did is a bit different.
I'm on Debian Buster with Dovecot & Postfix with LDAP.
Sogo is working when using LDAP directly.
Now I'm trying the SSO part.

The "Installation" section of your Readme is done successfully (git clone + composer + php extensions).

In the Configuration section:
I installed the libpam-script package (apt install libpam-script) => a new line is added at the top of the pam.d/common-* files: auth sufficient pam_script.so

Regarding point 3 ("Use the given pam_script_auth file (or create a symlink from pam_script_auth to pam-script-saml.php)"):

The readme of the libpam-script package says that the scripts are located by default in /etc/pam-script (on Debian), but I guess the dir parameter is there to adapt this if needed.

I created that folder and added 2 symlinks in /etc/libpam-script to your scripts:

lrwxrwxrwx 1 root root 40 Jun 29 15:26 pam_script_auth -> /var/www/pam-script-saml/pam_script_auth
lrwxrwxrwx 1 root root 44 Jun 29 15:29 pam-script-saml.php -> /var/www/pam-script-saml/pam-script-saml.php

Now that I have the 2 symlink in /etc/pam-script/, I adapted the file /etc/pam.d/common-auth to:

auth    sufficient                      pam_script.so dir=/etc/pam-script grace=900 only_from=127.0.0.1 userid=mail

Is this correct?
From what I saw in your pam_script_auth file, the file pam-script-saml.php must be in the same directory.
Can we choose where to put both files and just adapt the dir parameter?

  • Concerning the param 'idp', knowing I have the idp-metadata.xml file in /etc/sogo, is this the correct file to reference?
idp=/etc/sogo/idp-metadata.xml

  • Concerning the param trusted_sp, I must put the "EntityID of SP".
Is this the client ID defined in the keycloak realm -> client?
The client ID defined in my keycloak realm is the address to my Sogo saml2 metadata.
[EDIT] It's indeed the right value, as my tests showed later.

trusted_sp=https://my.sogo.host/SOGo/saml2-metadata
  • I also tried to use your test.sh script included in the repo, but I don't know how to fill the test.env file.
    Would this be the correct format? But what values to put there?
ITERATIONS=
IDP_METADATA=/etc/sogo/idp-metadata.xml
TRUSTED_SP=
PAM_AUTHTOK=
PAM_RHOST=
PAM_TYPE=
PAM_USER=

My problem is that I have an error with Sogo when Keycloak sends the user back to Sogo.

NSInvalidArgumentException REASON:Tried to add nil value for key 'login' to dictionary INFO:{}

I don't know if the error is in my Sogo or Keycloak configuration or because of the problem with authenticating in Dovecot from Sogo with a token (so the need for this auth script).

That's why I would like to try your test.sh script to be sure that part is working.

Thanks.
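The variables in the post's test.env (PAM_USER, PAM_RHOST, PAM_TYPE, PAM_AUTHTOK) are the PAM items that pam_script.so places in the environment of the script it runs, and the script's exit status is what PAM sees as the result. As an added example, not code from pam-script-saml, libpam-script or the issue author, here is a small POSIX sh harness that exercises an auth script the way the module would: it exports those variables from a test.env-style file, passes the remaining pam.d module parameters as positional arguments (an assumption about how pam_script forwards them), and returns the script's exit status. The stub it writes is a hypothetical stand-in for pam_script_auth that only illustrates that contract; its only_from handling is not the project's logic, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not part of pam-script-saml or libpam-script.
# Harness for running a pam_script-style auth script by hand:
#   - PAM items arrive as environment variables (PAM_USER, PAM_RHOST,
#     PAM_TYPE, PAM_AUTHTOK),
#   - the module parameters from the pam.d line arrive as positional
#     parameters (assumption about pam_script's behaviour),
#   - exit status 0 means success, anything else means failure.

# Load KEY=VALUE lines from a test.env-style file into the environment
# (blank lines and '#' comments are skipped).
load_env_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        export "${line%%=*}=${line#*=}"
    done < "$1"
}

# Run an auth script: $1 is the script path, the rest are module parameters.
run_auth_script() {
    script=$1
    shift
    "$script" "$@"
}

# Run a script with an explicit PAM context without touching the caller's
# environment. Usage: run_with_context USER RHOST TYPE AUTHTOK SCRIPT [args...]
run_with_context() {
    (
        PAM_USER=$1 PAM_RHOST=$2 PAM_TYPE=$3 PAM_AUTHTOK=$4
        export PAM_USER PAM_RHOST PAM_TYPE PAM_AUTHTOK
        shift 4
        "$@"
    )
}

# Hypothetical stand-in for pam_script_auth (NOT the project's logic): reads
# PAM_* from the environment, parses key=value module arguments, and succeeds
# only for an "auth" call with a user, a non-empty token and an allowed rhost.
write_stub_auth_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
only_from=127.0.0.1
for arg in "$@"; do
    case "$arg" in
        only_from=*) only_from=${arg#only_from=} ;;
    esac
done
[ "$PAM_TYPE" = "auth" ] || exit 1
[ -n "$PAM_USER" ] && [ -n "$PAM_AUTHTOK" ] || exit 2
case ",$only_from," in
    *",$PAM_RHOST,"*) exit 0 ;;
    *) exit 3 ;;
esac
EOF
    chmod 700 "$1"
}

# Constructed test.env with sample values (not real credentials).
write_sample_env() {
    cat > "$1" <<'EOF'
# sample values for the harness
PAM_TYPE=auth
PAM_USER=alice
PAM_RHOST=127.0.0.1
PAM_AUTHTOK=not-a-real-token
EOF
}

# End-to-end run with the sample env; returns the script's exit status (0 here).
demo() {
    workdir=$(mktemp -d)
    write_stub_auth_script "$workdir/pam_script_auth"
    write_sample_env "$workdir/test.env"
    rc=0
    (
        load_env_file "$workdir/test.env"
        run_auth_script "$workdir/pam_script_auth" dir="$workdir" only_from=127.0.0.1,::1
    ) || rc=$?
    rm -rf "$workdir"
    echo "auth script exit status: $rc"
    return $rc
}
```

To test the real script instead of the stub, point run_auth_script at the actual pam_script_auth and pass the same parameters you put on the pam.d line; a non-zero exit from a hand-run with a known-good token narrows the problem to the script and its configuration rather than to Sogo or Keycloak.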