View Issue Details

ID: 0001454
Project: SOGo
Category: Web Preferences
View Status: public
Last Update: 2013-06-18 21:59
Reporter: Orchal
Assigned To: jraby
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 1.3.8a
Summary: 0001454: SOGo, CAS JASIG, IMAP and Sieve
Description

Hi,

I've successfully configured CAS authentication for SOGo/IMAP.
Now I want to use Sieve scripts for Vacation, so I configured Sieve to accept CAS authentication. It's ok for Sieve but there's a problem.

SOGo doesn't seem to act like a proxy, so it presents the same Service Ticket as IMAP, so my CAS server rejects the request as the Service Ticket is for IMAP, not Sieve.

Thank you !

Regards,
Jean-Philippe.

Tags: No tags attached.

Activities

Orchal

2011-12-16 11:28

reporter   ~0003178

Hi,

Is there anybody who uses CAS, IMAP and Sieve ?

It's an important issue since I just can't use Sieve with SOGo. Yes we have a specific website to manage Sieve scripts but I'd prefer to only use SOGo.

Do you need more information ?

Regards,
Jean-Philippe.

Orchal

2011-12-16 11:30

reporter   ~0003179

Last edited: 2011-12-16 11:33

Here is the output on my SOGo server.

failure. Attempting with a renewed password (no authname supported)

Could not login 'me' on Sieve server: <0x0x1404cf0c[NGSieveClient]: socket=<NGActiveSocket[0x0x17d9d724]: mode=rw address=<0x0x178c1b24[NGInternetSocketAddress]: host=mysogoserver port=40563> connectedTo=<0x0x112aae9c[NGInternetSocketAddress]: host=mysieveserver port=2000>>>: {RawResponse = "{ok = 0; reason = \"Authentication Error\"; }"; result = 0; }

Here the output on my CAS JASIG server :

Granted service ticket [ST-31740-hoV1brhhwMNfnBkSMVUw-ocas] for service [imap://myimapserver] for user [https://mysogoserver/SOGo/casProxy]
2011-12-16 12:29:32,872 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-31740-hoV1brhhwMNfnBkSMVUw-ocas] with service [imap://myimapserver does not match supplied service [sieve://mysieveserver:2000]
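
An added example, not part of the original thread: a small Python parser that correlates the two CAS log lines quoted above to show which service a ticket was issued for and which service the validating side supplied. The function and field names are assumptions made for this illustration, and the regular expressions only cover the two message shapes visible in this issue.

```python
import re
from collections import namedtuple

# Log lines copied from the CAS server output quoted in this issue.
SAMPLE_LOG = """\
Granted service ticket [ST-31740-hoV1brhhwMNfnBkSMVUw-ocas] for service [imap://myimapserver] for user [https://mysogoserver/SOGo/casProxy]
2011-12-16 12:29:32,872 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-31740-hoV1brhhwMNfnBkSMVUw-ocas] with service [imap://myimapserver does not match supplied service [sieve://mysieveserver:2000]
"""

GRANTED = re.compile(
    r"Granted service ticket \[(?P<ticket>[^\]]+)\] "
    r"for service \[(?P<service>[^\]]+)\] for user \[(?P<user>[^\]]+)\]")
# The closing bracket after the granted service is missing in the quoted
# error line, so it is treated as optional here.
MISMATCH = re.compile(
    r"ServiceTicket \[(?P<ticket>[^\]]+)\] with service "
    r"\[(?P<granted>[^\]\s]+)\]? does not match supplied service "
    r"\[(?P<supplied>[^\]]+)\]")

# Hypothetical record type for this example.
Mismatch = namedtuple("Mismatch", "ticket granted_for supplied_by requester")

def find_mismatches(log_text):
    """Return one Mismatch per rejected ticket found in log_text."""
    granted = {}   # ticket id -> (service it was issued for, requesting user)
    findings = []
    for line in log_text.splitlines():
        m = GRANTED.search(line)
        if m:
            granted[m["ticket"]] = (m["service"], m["user"])
            continue
        m = MISMATCH.search(line)
        if m:
            # Prefer the grant record; fall back to the error line itself
            # when the grant was logged outside the text being scanned.
            service, user = granted.get(m["ticket"], (m["granted"], None))
            findings.append(
                Mismatch(m["ticket"], service, m["supplied"], user))
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f"{f.ticket}: issued for {f.granted_for} to {f.requester}, "
              f"but validated as {f.supplied_by}")
```

The `supplied_by` value is the service URL the validating side sent to CAS, which is the setting to compare against the service the ticket was issued for.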

Orchal

2013-06-09 01:46

reporter   ~0005645

Hi,

I found the solution. It's not related to SOGo. Sorry for the ticket.

You can close this one.

Problem was on my Cyrus server (php_cas), sieve was using sieve://myimapserver. I've changed it to imaps://myimapserver just like imap and it's ok.

Orchal

2013-06-09 03:24

reporter   ~0005646

In fact, it's kind of a workaround. My SSO Server is authenticating Sieve thinking it's IMAP, but it works, and it's not unacceptable.

Thank you !
Jean-Philippe.

Orchal

2013-06-09 12:32

reporter   ~0005647

Hmm not php_cas but pam_cas.

jraby

2013-06-18 21:50

viewer   ~0005657

Hi Jean-Philippe,

thanks for reporting this. I've investigated this CAS issue and I think you'll have to keep your current configuration as-is.

SOGo currently requests a single PGT from the CAS server for the imap service. So the cas server will always refuse to grant a service ticket for the sieve service using this PGT since the service names don't match. The solution you posted above: Using the same url as the -s parameter for pam_cas for both IMAP and Sieve is the only solution at the moment.

Modifying sogo to request another PGT solely for sieve would be possible, but it would require some overhaul in the code and since we have a good workaround, it is not so high on the todo list.

I'll update the docs to make this requirement clearer.

Thanks.

jraby

2013-06-18 21:59

viewer   ~0005659

Closed for now, please reopen if you think the workaround is not appropriate.

Issue History

Date Modified Username Field Change
2011-10-06 08:58 Orchal New Issue
2011-12-16 11:28 Orchal Note Added: 0003178
2011-12-16 11:30 Orchal Note Added: 0003179
2011-12-16 11:33 Orchal Note Edited: 0003179
2013-06-09 01:46 Orchal Note Added: 0005645
2013-06-09 03:24 Orchal Note Added: 0005646
2013-06-09 12:32 Orchal Note Added: 0005647
2013-06-18 21:50 jraby Note Added: 0005657
2013-06-18 21:59 jraby Note Added: 0005659
2013-06-18 21:59 jraby Assigned To => jraby
2013-06-18 21:59 jraby Status new => closed
2013-06-18 21:59 jraby Resolution open => won't fix