Hello, so I have never contributed code to an official project before, but Mail In A Box looks like it’s made with very easy-to-follow code, and I would like to be able to have users authenticate via my Keycloak (which allows for Single-Sign-On and other authentication jazz, see: https://www.keycloak.org/ ) server. Keycloak supports Kerberos, LDAP, OpenID Connect and SAML all out-of-the-box. I am hopefully going to fork your repo and code my own feature where I (and others) are able to ditch the overly-simplified (and extremely lacking, especially in password policy security and user maintenance) interface for mail user management.
I am not at all someone who has ever screwed around with authentication/authorization programs, but I have a few ideas here and there regarding security (like hashing passwords). I would greatly appreciate it if you guys could look into my code and possibly help me out with creating this feature. I want this feature to be added to Mail-in-a-box’s official repository, so I’m willing to bend if you guys have constructive criticism on how I code this.
Here is my repository: https://github.com/EliterScripts/mailinabox/ . FYI: I don’t plan to maintain it outside the scope of getting authentication to freaking work with Mail In A Box.
As for the security, I am positive MIAB already hashes user passwords, so don’t worry about that. For external authentication, the different services MIAB uses (Nextcloud, Postfix, and Dovecot specifically) need to be configured to do external auth; once that is done, then everything else will fall in line (I am sure Keycloak has scripts for Dovecot and Postfix, or at least general Linux scripts that do this already).
I realized there is a branch for Ubuntu bionic, so I should do a commit for changing it back, and start working on the branch.
The Dovecot that gets installed with the 14.04 version of Mail in a Box is old as hell, so OAuth2 isn’t even available for Dovecot.
I am attempting to get Dovecot to use OAuth2, which would then pull from Keycloak’s OpenID thing. It appears that Dovecot creates an SQLite file for the users and passwords, and all the other services piggyback off Dovecot using the IMAP protocol.
However, I can’t seem to get Dovecot to freaking work with Keycloak. I tried OAuth, and spent all night getting it to not work, so I’ll have to try SAML. I want to use SAML or OpenID because that seems to be the one that works easiest with Keycloak, because it’s all right there.
Any help with getting Dovecot to pull user authentication from Keycloak would be super appreciated!!!
Yes, that is exactly what I tried. I looked at the mail.log along with the Roundcube log, and I can’t seem to find anything that would point out what the issue is.
I should give you my configuration edits (stripping away private info) when I am done with my college classes today.
EDIT: So the keycloak server is running on portal.example.com and the dovecot/mailinabox is running on test3.example.com. The keycloak server should accept everything through 443. I know it works because I have used it with MediaWiki (PHP application) with the OpenID Connect extension and it worked. I am trying to use the same credentials for the OpenID client that I configured on my keycloak server, so I would think that the problem is not Keycloak here.
I tried logging into Roundcube and it said “Connection to storage server failed.”, so that is another indicator of things not working.
Okay, so it looks like I was able to figure out how to get LDAP working with Keycloak (sort of). The thing is, I cannot seem to figure out how to get Keycloak to upload passwords to LDAP, since I will be managing my users with Keycloak directly.
I have looked through the LDAP objects, and I don’t see anything for passwords, so I know it sure the hell won’t work with Dovecot if LDAP doesn’t have the password.
Okay, so I took a break from this and now want to revisit this issue. I found out that using LDAP is super easy with phpldapadmin, but phpldapadmin now comes shipped with an error you have to correct yourself with a few lines of code. See here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890127
Anyway, I want to get LDAP working with Keycloak, then get LDAP working with Dovecot, then Dovecot should be able to authenticate the rest of the box. Once I have that, I want to work on my fork of the project to add LDAP external authentication. I might get around to adding other external authentication mechanisms, but I feel like adding LDAP to Mail in a Box is a big leap already.
Anyway, I am having issues with hooking up Keycloak with LDAP. I created a user using this tutorial, and here is what it looked like: https://i.imgur.com/fIhdNIg.png from phpldapadmin. I added an extra attribute for the user, email, after the fact, and it seemed to have successfully added my email to the user.
But I can’t seem to figure out how to get Keycloak to hook up to LDAP. I’m kinda lost on what I should put for the configuration: https://i.imgur.com/59YFGao.png
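For the middle step of the chain described above (Dovecot checking logins against the LDAP directory, keyed on the `mail` attribute that was added to the LDAP user), here is an example Dovecot LDAP passdb configuration. It is an added illustration, not code from the thread, from Mail-in-a-Box, or from Keycloak; the hostname, base DN, service account DN, mailbox path and the `static` userdb values are all assumptions to be replaced with your own. It uses `auth_bind = yes`, so Dovecot verifies the password by binding to LDAP as the user instead of reading the `userPassword` hash out of the directory; the service account then only needs search rights, and the directory never has to hand password hashes to the mail server.

```conf
# --- /etc/dovecot/conf.d/10-auth.conf (example fragment, not the MIAB-shipped file) ---
# Replace the SQLite-backed passdb with an LDAP lookup.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# userdb kept static: uid/gid and the mailbox path below are ASSUMPTIONS,
# set them to whatever your box actually uses.
userdb {
  driver = static
  args = uid=mail gid=mail home=/path/to/mailboxes/%d/%n
}

# --- /etc/dovecot/dovecot-ldap.conf.ext (example) ---
# Assumed LDAP server; use ldaps:// (or tls = yes for STARTTLS) so the user's
# password never crosses the network in the clear during the bind.
uris = ldaps://ldap.example.com
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

# Assumed read-only service account used only to search for the user's DN.
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Verify the password by binding as the user: no userPassword read needed.
auth_bind = yes

# Assumed subtree that holds the people entries created in phpldapadmin.
base = ou=people,dc=example,dc=com
scope = subtree

# Users log in with their full e-mail address (%u), matched on the mail attribute.
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# Leave pass_attrs empty with auth_bind: nothing sensitive is fetched.
pass_attrs =
```

After reloading Dovecot, `doveadm auth test user@example.com` prompts for the password and reports `auth succeeded` or `auth failed` without involving Roundcube, which narrows down a "Connection to storage server failed" error to either the LDAP side or the webmail side; setting `auth_debug = yes` and `auth_verbose = yes` in `10-logging.conf` makes Dovecot log the exact filter and bind DN it used. On the Keycloak side (not shown here), its LDAP user federation provider only writes credentials into the directory's `userPassword` attribute when the provider's edit mode is WRITABLE; in READ_ONLY or UNSYNCED mode passwords stay in Keycloak's own store, and a bind-based passdb like the one above will never succeed for those users.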