Proxy for controlling user access to Sogo
Introduction
Companies often want to restrict access to their groupware from the outside (public side) and allow only a few named users. We do this with a proxy that checks whether the user trying to reach the groupware belongs to a specific group.
Architecture Overview
There is a server (called SOGOSERVER) on which SOGo is already configured and running. Internal users access this server directly without restriction. In this study case SOGo's database is PostgreSQL, but the setup can be adapted to another database. Authentication is done against an LDAP server (here OpenLDAP) but can be ported to another LDAP server, even Microsoft Active Directory. Users on the public side reach SOGo through a proxy frontend (called SOGOPROXY). This proxy verifies whether the user belongs to a group: if so the user can connect, otherwise not. SOGOPROXY can sit in a DMZ and SOGOSERVER in the trusted network.
Users coming from the internal zone log on to SOGOSERVER; users coming from the public side are redirected to SOGOPROXY.
In this study case the SOGOPROXY server runs Debian 7.x, and a SOGo server configured with LDAP authentication already exists.
Installation of the needed packages
First we must install SOGo on the proxy (SOGOPROXY), but without the database.
1. Install SOGo (only sogo, not the database part)
apt-get install sogo
apt-get install sope4.9-gdl1-postgresql (in case PostgreSQL is the database)
2. Install xinetd (SOGo only reaches the database on the loopback address, so xinetd will act as a forwarder to SOGOSERVER)
apt-get install xinetd
3. Install nginx (or Apache)
apt-get install nginx
Sogo's Settings
1. Create an LDAP group in your LDAP server
In this documentation the LDAP group used to filter users is called cn=external access,dc=example,dc=com
LDIF entry (each attribute on its own line, dn first, attribute names followed by a colon):
dn: cn=external access,dc=example,dc=com
cn: external access
member: uid=alain dupont,dc=example,dc=com
objectClass: groupOfNames
2. Settings for xinetd
Create a file in /etc/xinetd.d called postgres (replace SOGOSERVER with the IP or the hostname of your SOGo server). xinetd listens on the loopback port 5432 and forwards every connection to the real database. Note that the forwarded connection itself is not encrypted, so it should only cross a network you trust between the DMZ and SOGOSERVER.
service postgresql
{
        socket_type = stream
        wait        = no
        user        = root
        redirect    = SOGOSERVER 5432
        bind        = 127.0.0.1
}
3. Copy /etc/sogo/sogo.conf from SOGOSERVER
Add the restriction by group to the LDAP source section of sogo.conf. The value is a plain LDAP filter, so the DN is not quoted inside the string:
filter = "memberOf=cn=external access,dc=example,dc=com";
(The memberOf attribute is computed by the OpenLDAP memberof overlay; it has to be enabled on the LDAP server, otherwise this filter matches nobody and no external user can log in.)
Change the host values (LDAP server, IMAP server, Sieve server) to SOGOSERVER so they reflect the configuration.
In this way all requests made to the loopback are redirected to SOGOSERVER.
4. Nginx configuration on SOGOPROXY
This is the same as on a regular SOGo server; see the nginxSettings page for the configuration file.
5. On SOGOSERVER set the ACL on the database to allow SOGOPROXY to connect
Modify the file /etc/postgresql/8.4/main/postgresql.conf:
replace listen_addresses = 'localhost' by listen_addresses = '*'
Modify the file /etc/postgresql/8.4/main/pg_hba.conf and add the line:
host    sogo    sogo    SOGOPROXY/32    md5
(replace SOGOPROXY with the IP address of the proxy; PostgreSQL 8.4 does not accept hostnames in pg_hba.conf). Since the database now listens on the network, this pg_hba.conf entry and the firewall are what keep hosts other than SOGOPROXY away from it; if SOGOSERVER has several interfaces, listing only the internal address in listen_addresses instead of '*' is tighter.
Restart PostgreSQL
Restart all the services configured above on SOGOPROXY (xinetd, sogo, nginx)
You should now be able to access the SOGo web interface if you are in the group.
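To confirm that the group restriction actually takes effect, it helps to run the same lookup SOGOPROXY performs directly against the LDAP server. The script below is an added example, not part of the original page or of the SOGo project: it builds the effective filter (the login lookup ANDed with the "filter" value from sogo.conf) and runs it with ldapsearch from the ldap-utils package. It assumes the group DN from this document, a search base of dc=example,dc=com and an LDAP server reachable as ldap://SOGOSERVER; adjust the three variables at the top for your site. Because the login typed into the web form ends up inside an LDAP filter, the script also shows the RFC 4515 escaping that keeps such input from changing the filter's structure.

```shell
#!/bin/sh
# Added example (not from the original page): check, from SOGOPROXY, whether a
# login satisfies the group filter configured in sogo.conf before relying on it.
# Assumptions: the group DN is the one used in this document, the search base is
# dc=example,dc=com, and the LDAP server is reachable as ldap://SOGOSERVER.

GROUP_DN='cn=external access,dc=example,dc=com'
BASE_DN='dc=example,dc=com'          # assumption
LDAP_URI='ldap://SOGOSERVER'         # assumption

# Escape a login for use inside an LDAP filter (RFC 4515): backslash first,
# then '*', '(' and ')' become \5c, \2a, \28 and \29. Whatever a user types
# into the login form ends up in such a filter, so it must never alter its
# structure.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The effective filter: the login lookup ANDed with the "filter" setting,
# which is what restricts SOGOPROXY to members of the group.
build_filter() {
    printf '(&(uid=%s)(memberOf=%s))' "$(ldap_filter_escape "$1")" "$GROUP_DN"
}

# Returns 0 when exactly one entry matches (user exists and is in the group),
# 1 otherwise. Uses ldapsearch from the ldap-utils package.
check_external_access() {
    count=$(ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "$(build_filter "$1")" dn \
            | grep -c '^dn:')
    [ "$count" -eq 1 ]
}

# Usage: ./check_external_access.sh <login>
if [ -n "$1" ]; then
    if check_external_access "$1"; then
        echo "$1: allowed through SOGOPROXY (member of $GROUP_DN)"
    else
        echo "$1: denied (not found or not a member of $GROUP_DN)"
    fi
fi
```

Run it once with a login that is in the group and once with one that is not; if even the member is reported as denied, the usual cause is that the memberof overlay is not enabled on the LDAP server, so the memberOf attribute the filter relies on is never populated.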
Going further: restricting external access to the IMAP and SMTP services
Coming soon ...