External Authentication Repo?


#1

Hello, so I have never contributed code to an official project before, but Mail In A Box looks like it’s made with very easy-to-follow code, and I would like to be able to have users authenticate via my Keycloak server (which allows for Single-Sign-On and other authentication jazz, see: https://www.keycloak.org/). Keycloak supports Kerberos, LDAP, OpenID Connect and SAML all out-of-the-box. I am hopefully going to fork your repo and code my own feature where I (and others) are able to ditch the overly-simplified (and extremely lacking, especially in password policy security and user maintenance) interface for mail user management.

I am not at all someone who has ever screwed around with authentication/authorization programs, but I have a few ideas here and there regarding security (like hashing passwords), and I would greatly appreciate it if you guys could look into my code and possibly help me out with creating this feature. I want this feature to be added to Mail-in-a-box’s official repository, so I’m willing to bend if you guys have constructive criticism on how I code this.

Here is my repository: https://github.com/EliterScripts/mailinabox/ . FYI: I don’t plan to maintain it outside the scope of getting authentication to freaking work with Mail In A Box.


#2

You would need to do a pull request.

Also, your latest commit (as of this comment), https://github.com/EliterScripts/mailinabox/commit/81cc1cf6e699132e36a60156a069ec35b086850f, will NEVER work, as the packages changed between 14.04 and 18.04: the installer will start and then fail mid-way. Sorry to say, but that bit is in there to protect the user from installing with bad packages.

As for the security, I am positive MIAB already hashes user passwords, so don’t worry about that. For external authentication, the different services MIAB uses (Nextcloud, Postfix, and Dovecot specifically) need to be configured to do external auth; once that is done, everything else will fall in line. (I am sure Keycloak has scripts for Dovecot and Postfix, or at least general Linux scripts that do this already.)


#3

I realized there is a branch for Ubuntu bionic, so I should do a commit for changing it back, and start working on the branch.

The Dovecot that gets installed with the 14.04 version of Mail in a Box is old as hell, so OAuth2 isn’t even available for Dovecot.

I am attempting to get Dovecot to use OAuth2, which would then pull from Keycloak’s OpenID thing. It appears that Dovecot creates an SQLite file for the users and passwords, and all the other services piggyback off Dovecot using the IMAP protocol.

However, I can’t seem to get Dovecot to freaking work with Keycloak. I tried OAuth, and spent all night getting it to not work, so I’ll have to try SAML. I want to use SAML or OpenID because that seems to be the one that works easiest with Keycloak, because it’s all right there.

Any help with getting Dovecot to pull user authentication from Keycloak would be super appreciated!!!


#4

you tried this?

https://wiki.dovecot.org/PasswordDatabase/oauth2

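For reference, here is the shape of the Dovecot side of what that wiki page describes, as an added example written for this thread (it is not Mail-in-a-Box code and not the configuration from the pastes above). The script writes a passdb stanza and an oauth2 settings file that validate a bearer token against Keycloak’s token-introspection endpoint. The Keycloak base URL with the `/auth` prefix, the realm name, the client id/secret, and `username` as the introspection attribute are assumptions for the example; check them against your own Keycloak client. Two caveats a practitioner needs: the oauth2 driver exists only in Dovecot 2.2.28 or later, and it never checks a password: the IMAP client must present an access token through the XOAUTH2 or OAUTHBEARER SASL mechanism, so a plain username/password login (what Roundcube sends by default) still needs a separate passdb.

```shell
#!/bin/sh
# Added example (not Mail-in-a-Box project code): write a Dovecot passdb that
# validates OAuth2 bearer tokens with Keycloak's introspection endpoint.
# Everything below with a default value is an assumption for the example.

KEYCLOAK_BASE="${KEYCLOAK_BASE:-https://portal.example.com/auth}"  # assumed: old-style /auth prefix
KEYCLOAK_REALM="${KEYCLOAK_REALM:-mail}"                            # assumed realm name
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-dovecot}"                       # assumed confidential client
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-change-me}"             # placeholder, never commit a real one

# write_dovecot_oauth2_conf PREFIX
# Writes PREFIX/conf.d/auth-oauth2.conf.ext and PREFIX/dovecot-oauth2.conf.ext.
# On a real box PREFIX is /etc/dovecot; the files are plain Dovecot config.
write_dovecot_oauth2_conf() {
    prefix="$1"
    mkdir -p "$prefix/conf.d"

    # The passdb stanza: offer the two token-bearing SASL mechanisms and hand
    # them to the oauth2 driver. PLAIN/LOGIN stay enabled for other passdbs.
    cat > "$prefix/conf.d/auth-oauth2.conf.ext" <<EOF
auth_mechanisms = plain login oauthbearer xoauth2

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = $prefix/dovecot-oauth2.conf.ext
}
EOF

    # The oauth2 driver settings: POST the token to Keycloak's introspection
    # endpoint, authenticate as the Dovecot client, and map the reply.
    cat > "$prefix/dovecot-oauth2.conf.ext" <<EOF
# Token validation via RFC 7662 introspection (POST with client credentials)
introspection_mode = post
introspection_url = $KEYCLOAK_BASE/realms/$KEYCLOAK_REALM/protocol/openid-connect/token/introspect
client_id = $OAUTH_CLIENT_ID
client_secret = $OAUTH_CLIENT_SECRET
# Attribute of the introspection JSON that becomes the Dovecot login name
# (assumed: Keycloak returns "username")
username_attribute = username
# Reject tokens Keycloak reports as expired or revoked
active_attribute = active
active_value = true
# Verify Keycloak's TLS certificate against the system trust store
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
debug = no
EOF
}
```

To enable it, add `!include auth-oauth2.conf.ext` to `10-auth.conf`, run `doveconf -n` to catch syntax errors, and set `auth_debug = yes` temporarily so `/var/log/mail.log` shows the introspection request and Keycloak’s reply when a token is rejected. Keep the secret file root-owned and mode 0600, since anyone who can read `client_secret` can introspect tokens as your client.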

#5

Yes, that is exactly what I tried. I looked at the mail.log along with the Roundcube log, and I can’t seem to find anything that would point out what the issue is.

I should give you my configuration edits (stripping away private info) when I am done with my college classes today.


#6

Okay, so I have created pastes for the configurations that I have changed. Here they are (file path followed by the paste link):
/etc/dovecot/conf.d/10-auth.conf
http://paste.ubuntu.com/p/xdSKjtCvWB/
/etc/dovecot/conf.d/auth-sql.conf.ext
http://paste.ubuntu.com/p/JRfdMDK8cZ/
/etc/dovecot/dovecot-sql.conf.ext
http://paste.ubuntu.com/p/TqtyJK9VgT/
/var/log/mail.log
http://paste.ubuntu.com/p/kmcMYsgZC3/
/var/log/roundcubemail/errors
http://paste.ubuntu.com/p/9W3w4wcdFp/

EDIT: So the keycloak server is running on portal.example.com and the dovecot/mailinabox is running on test3.example.com. The keycloak server should accept everything through 443. I know it works because I have used it with MediaWiki (PHP application) with the OpenID Connect extension and it worked. I am trying to use the same credentials for the OpenID client that I configured on my keycloak server, so I would think that the problem is not Keycloak here.

I tried logging into roundcube and it said “Connection to storage server failed.”, and so that is another indicator of things not working.


#7

Okay, so I am now looking at LDAP, which is a massive pain in the butt. I had finally gone through and looked at half this page: http://www.zytrax.com/books/ldap/ch3/ and looked at https://help.ubuntu.com/lts/serverguide/openldap-server.html.en#openldap-server-populate but am still not understanding how to input a user into the slapd/ldap-utils server for Ubuntu. I have tried inputting a user into the database using:

    ldapadd -x -D cn=admin,dc=test2,dc=example,dc=com -W -f me.ldif

(I have tried many things in me.ldif with this command, but I think I should ask a better question)

and it did not work. I have no idea how to input the information into LDAP, and which objectClass to use (or custom schema, should I need to).

How would I create a user (for example):
firstname: John
lastname: Doe
email: john.doe@example.com
username: john.doe
password: Password1234
?

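One way to build that entry, as an added example for this thread (not code from the Mail-in-a-Box project): a standard `inetOrgPerson` carries exactly the attributes asked for (`givenName`, `sn`, `cn`, `uid`, `mail`, `userPassword`), so no custom schema is needed. The base DN and admin DN are the ones from the `ldapadd` command above; the `ou=people` container is an assumption for the example. The password goes in as an `{SSHA}` hash from `slappasswd`, never as clear text, so the LDIF file itself is not a secret.

```shell
#!/bin/sh
# Added example, not Mail-in-a-Box code: emit LDIF for an OpenLDAP mail user.
# BASE_DN comes from the ldapadd command in the post; "ou=people" is assumed.

BASE_DN="${BASE_DN:-dc=test2,dc=example,dc=com}"

# make_people_ou_ldif
# Container the users live in; add it once before the first user.
make_people_ou_ldif() {
    cat <<EOF
dn: ou=people,$BASE_DN
objectClass: organizationalUnit
ou: people
EOF
}

# make_user_ldif FIRST LAST MAIL UID PASSWORD_HASH
# Prints one inetOrgPerson entry. PASSWORD_HASH is the output of
#   slappasswd -s 'the-password'        (e.g. {SSHA}base64...)
# so the clear-text password never appears in the LDIF.
make_user_ldif() {
    first="$1"; last="$2"; mail="$3"; uid="$4"; hash="$5"
    cat <<EOF
dn: uid=$uid,ou=people,$BASE_DN
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: $uid
cn: $first $last
givenName: $first
sn: $last
mail: $mail
userPassword: $hash
EOF
}

# Example run (left as a comment so the file can be sourced safely):
#   HASH=$(slappasswd -s 'Password1234')
#   { make_people_ou_ldif; echo; make_user_ldif John Doe john.doe@example.com john.doe "$HASH"; } > me.ldif
#   ldapadd -x -D cn=admin,dc=test2,dc=example,dc=com -W -f me.ldif
#   ldapwhoami -x -D uid=john.doe,ou=people,dc=test2,dc=example,dc=com -W   # verify the password binds
```

The `ldapwhoami` bind at the end is the useful check: if it succeeds, Dovecot’s `ldap` passdb can use `auth_bind = yes` and authenticate users by binding as them, which means Dovecot never needs read access to `userPassword`. The blank line between the two entries in `me.ldif` is required; `ldapadd` treats entries as blank-line-separated records.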

#8

Okay, so it looks like I was able to figure out how to get LDAP working with Keycloak (sort of). The thing is, I cannot seem to figure out how to get Keycloak to upload passwords to LDAP, since I will be managing my users with Keycloak directly.

I have looked through the LDAP objects, and I don’t see anything for passwords, so I know it sure the hell won’t work with Dovecot if LDAP doesn’t have the password.


#9

Keycloak will need an Administrator account in LDAP in order to update passwords.

    Could not connect to ssl://localhost:993: Connection refused in /usr/local/lib/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 196

is also an issue; it looks like Dovecot was not running on port 993 at the time of authentication with Roundcube.


#10

Okay, so I took a break from this and now want to revisit this issue. I found out that using LDAP is super easy with phpldapadmin, but phpldapadmin now comes shipped with an error you have to correct yourself with a few lines of code. See here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890127

Anyway, I want to get LDAP working with Keycloak, then get LDAP working with Dovecot, then Dovecot should be able to authenticate the rest of the box. Once I have that, I want to work on my fork of the project to add LDAP external authentication. I might get around to adding other external authentication mechanisms, but I feel like adding LDAP to Mail in a Box is a big leap already.

Anyway, I am having issues with hooking up Keycloak with LDAP. I created a user using this tutorial, and here is what it looked like in phpldapadmin: https://i.imgur.com/fIhdNIg.png . I added an extra attribute for the user, email, after the fact, and it seemed to have successfully added my email to the user.

But I can’t seem to figure out how to get Keycloak to hook up to LDAP. I’m kinda lost on what I should put for the configuration: https://i.imgur.com/59YFGao.png

Any help would be greatly appreciated!


closed #11

This topic was automatically closed after 61 days. New replies are no longer allowed.