Add page for Admin login to SOGo
This commit is contained in:
Parent
9d70d25673
Commit
4a1edc4d0f
2 changed files with 44 additions and 0 deletions
43
docs/debug-admin_login_sogo.md
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
This is an experimental feature that allows admins and domain admins to directly
|
||||||
|
log into SOGo as a mailbox user, without knowing the users password.
|
||||||
|
|
||||||
|
For this, an additional link to SOGo is displayed in the mailbox list.
|
||||||
|
|
||||||
|
Multiple concurrent admin-logins to different mailboxes are also possible when using this feature.
|
||||||
|
|
||||||
|
## Enabling the feature
|
||||||
|
|
||||||
|
The feature is disabled by default. It can be enabled in the `mailcow.conf` by setting:
|
||||||
|
```
|
||||||
|
ALLOW_ADMIN_EMAIL_LOGIN=y
|
||||||
|
```
|
||||||
|
and restarting the affected containers with
|
||||||
|
```
|
||||||
|
docker-compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
|
## Drawbacks when enabled
|
||||||
|
|
||||||
|
- Each SOGo page-load and each Active-Sync request will cause an additional execution of an internal PHP script.
|
||||||
|
This might impact load-times of SOGo / EAS.
|
||||||
|
In most cases, this should not be noticeable but should be kept in mind if you face any performance issues.
|
||||||
|
- SOGo will not display a logout link for admin-logins, to login normally one has to logout from the mailcow UI so the PHP session is destroyed.
|
||||||
|
|
||||||
|
## Technical details
|
||||||
|
|
||||||
|
SOGoTrustProxyAuthentication option is set to YES which makes SOGo trust the x-webobjects-remote-user header.
|
||||||
|
|
||||||
|
Dovecot will receive a random master-password which is valid for all mailboxes when used by the SOGo container.
|
||||||
|
|
||||||
|
Clicking on the SOGo button in the mailbox list will open sogo-auth.php which checks permissions, sets session variables and redirects to the SOGo mailbox.
|
||||||
|
|
||||||
|
Each SOGo, CardDAV, CalDAV and EAS http request will cause an additional, nginx internal auth_request call to sogo-auth.php with the following behavior:
|
||||||
|
|
||||||
|
- If a basic_auth header is present, the script will validate the credentials in place of SOGo and provide the following headers:
|
||||||
|
`x-webobjects-remote-user`, `Authorization` and `x-webobjects-auth-type`.
|
||||||
|
|
||||||
|
- If no basic_auth header is present, the script will check for an active mailcow admin session for the requested email user and provide the same headers but with the dovecot master password used in the `Authorization` header.
|
||||||
|
|
||||||
|
- If both fails the headers will be set empty, which makes SOGo use its standard authentication methods.
|
||||||
|
|
||||||
|
All of these options / behaviors are disabled if the `ALLOW_ADMIN_EMAIL_LOGIN` is not enabled in the config.
|
|
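Review bot: The "Drawbacks when enabled" section covers only performance and the missing logout link, but the security-relevant consequences of turning the flag on are only implied under "Technical details" and should be listed as drawbacks too. With `SOGoTrustProxyAuthentication` set to YES, SOGo accepts whatever `x-webobjects-remote-user` value reaches it, so the page should state that nginx always overwrites a client-supplied copy of that header (the "headers will be set empty" case suggests this, but it is not said) and that SOGo is not reachable other than through that nginx path. For the Dovecot master password, "valid for all mailboxes when used by the SOGo container" needs a sentence on how that restriction is enforced and when the random value is regenerated. It would also help to say whether admin logins to a mailbox are logged anywhere. Minor wording: "users password" should be "user's password", and "If both fails" should be "If both fail".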
@ -48,6 +48,7 @@ nav:
|
||||||
- 'Reset Passwords': 'debug-reset_pw.md'
|
- 'Reset Passwords': 'debug-reset_pw.md'
|
||||||
- 'Remove Persistent Data': 'debug-rm_volumes.md'
|
- 'Remove Persistent Data': 'debug-rm_volumes.md'
|
||||||
- 'Common Problems': 'debug-common_problems.md'
|
- 'Common Problems': 'debug-common_problems.md'
|
||||||
|
- 'Admin login to SOGo': 'debug-admin_login_sogo.md'
|
||||||
- 'Backup & Restore':
|
- 'Backup & Restore':
|
||||||
- 'Helper script':
|
- 'Helper script':
|
||||||
- 'Backup': 'b_n_r_backup.md'
|
- 'Backup': 'b_n_r_backup.md'
|
||||||
|
|
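Review bot: The new 'Admin login to SOGo' entry is filed after 'Common Problems' among the `debug-*.md` pages, although the page it links to describes an opt-in feature rather than a troubleshooting procedure. If this nav has a section for configuration options, consider moving the entry there (and dropping the `debug-` prefix from the file name), so that administrators checking what `ALLOW_ADMIN_EMAIL_LOGIN` enables can find it.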