
[SOLVED] Keycloak and Roundcube problem


ewok2:
Hello
I have a Keycloak running in a VM on ESXi => auth.mydomain.net
I have another VM with Postfix, Dovecot and Roundcube

The Roundcube mail server works fine
The Keycloak works fine (with Nextcloud and Grafana)

But I would like to connect Roundcube to the Keycloak
I have followed a howto and it's almost working...

When selecting the "connect with Keycloak" button on the Roundcube page I get the Keycloak login page.
The Keycloak login works (if I check with Grafana and Nextcloud it works)
But after the successful Keycloak auth I arrive on an "ugly Roundcube page" (page with text only...)
And it is not connected...

I tried looking at mail.log, dovecot.log or roundcube.log but I don't see any error message

Any idea to go further?

Many thanks

ewok2:
Still trying to make it work...
I start from a fresh Ubuntu 22.04 install
add Postfix / Dovecot / Roundcube
Configure Roundcube to log in using an OpenLDAP
=> everything to this point works fine (with SSL or without)

Then I add a client in Keycloak called "roundcube"
 - with URL pointing to "https://round.mydomain.net/index.php/login/oauth"
 - with protocol openid-connect
 - with access type confidential
 - and default for other options

I get the secret from Keycloak to put in the config.inc.php of the Roundcube conf, with the others set to:

--- Quote ---$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Keycloak mydomain';
$config['oauth_client_id'] = "roundcube";
$config['oauth_client_secret'] = "secret from keycloak";
$config['oauth_auth_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/auth";
$config['oauth_token_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token";
$config['oauth_identity_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo";
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = "email profile openid";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['preferred_username'];
$config['oauth_login_redirect'] = false;
$config['login_password_maxlen'] = 4096;
--- End quote ---

and that's all...

Did I miss something?

In the Keycloak log I can see the "LOGIN" request working
I can see the answer of the login going from Keycloak to Roundcube.
But I did not see the "CODE_TO_TOKEN" stage in Keycloak...

What is Roundcube supposed to do when receiving a URL from Keycloak like this?

--- Quote ---https://round.mydomain.net/index.php/login/oauth?state=wewpDJttkEAw&session_state=21601475-f142-448f-bc0b-1eaf39ca2a57&code=0da14bae-cd8f-4566-b84c-faf20bb03f10.21601475-f142-448f-bc0b-1eaf39ca2a57.c9b27c45-74ae-42dc-948e-1701a37f2e9b
--- End quote ---

I thought Roundcube would continue the protocol with Keycloak to get the token?

Any idea to debug will be appreciated (even if you don't have the solution :-) ) because I don't have any idea how to continue further without any error log...

PS: I also configured the Dovecot OAuth connection but I think Dovecot did not receive anything (tcpdump on the imaps port does not see any traffic) so the problem is between Roundcube and Keycloak...
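The missing CODE_TO_TOKEN step in the post above is the back-channel part of the OpenID Connect authorization-code flow: after Keycloak redirects the browser to `index.php/login/oauth?state=...&code=...`, the web application itself must check the `state` value, POST the `code` to `oauth_token_uri` together with the client id and secret, and only then call `oauth_identity_uri` with the resulting access token. The script below is an added example written for this thread, not Roundcube's own code, and it is useful for debugging because it performs each step separately from a shell; the config values, the callback URL and the `pick_login` helper (an assumed mirror of what `oauth_identity_fields` selects from the userinfo response) are constructed placeholders.

```python
"""Walk through the OIDC authorization-code callback that Roundcube's generic
oauth provider must complete. Added debugging example, not Roundcube code."""
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Mirrors the config.inc.php keys quoted in the thread. Constructed placeholder
# values: replace the secret and realm with the real ones before running online.
CONFIG = {
    "oauth_client_id": "roundcube",
    "oauth_client_secret": "REPLACE-WITH-KEYCLOAK-CLIENT-SECRET",
    "oauth_token_uri": "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token",
    "oauth_identity_uri": "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo",
    "oauth_identity_fields": ["preferred_username"],
    # Must match the redirect URI registered on the Keycloak client exactly.
    "redirect_uri": "https://round.mydomain.net/index.php/login/oauth",
}


def parse_callback(url):
    """Split the redirect Keycloak sends the browser back with into its parameters."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in ("state", "code", "session_state") if k in query}


def check_state(callback, expected_state):
    """state must equal the value the application stored in the session before
    sending the browser to Keycloak; a mismatch means this callback is not ours
    (login CSRF) and the code must not be exchanged."""
    return secrets.compare_digest(callback.get("state", ""), expected_state)


def build_token_request(config, code):
    """Form body for the CODE_TO_TOKEN step (RFC 6749 section 4.1.3).
    Confidential clients authenticate with client_id + client_secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_uri"],
        "client_id": config["oauth_client_id"],
        "client_secret": config["oauth_client_secret"],
    }


def exchange_code(config, code, opener=urllib.request.urlopen):
    """POST the code to the token endpoint and return the parsed JSON.
    This is the request Keycloak logs as CODE_TO_TOKEN; if that event never
    appears in the Keycloak log, the web application never sent it."""
    body = urlencode(build_token_request(config, code)).encode()
    req = urllib.request.Request(
        config["oauth_token_uri"], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)


def fetch_identity(config, access_token, opener=urllib.request.urlopen):
    """Call the userinfo endpoint with the bearer token from exchange_code()."""
    req = urllib.request.Request(
        config["oauth_identity_uri"],
        headers={"Authorization": "Bearer " + access_token})
    with opener(req) as resp:
        return json.load(resp)


def pick_login(userinfo, identity_fields):
    """Assumed behaviour of oauth_identity_fields: the first listed claim that is
    present in the userinfo response becomes the login name (e.g. the Keycloak
    username rather than the email address when it is 'preferred_username')."""
    for field in identity_fields:
        if userinfo.get(field):
            return userinfo[field]
    return None


def redact(callback):
    """Authorization codes are one-shot credentials: when logging the callback,
    record only that a code arrived and how long it was."""
    return {k: (f"<{len(v)} chars>" if k == "code" else v) for k, v in callback.items()}


if __name__ == "__main__":
    # Constructed sample callback; the real one comes from the browser address bar.
    expected = "wx9Qk2"
    cb = parse_callback("https://round.mydomain.net/index.php/login/oauth"
                        "?state=wx9Qk2&session_state=sess-1&code=code-xyz")
    print("callback:", redact(cb))
    print("state ok:", check_state(cb, expected))
    print("token request body (secret omitted):",
          {k: v for k, v in build_token_request(CONFIG, cb["code"]).items()
           if k != "client_secret"})
    # With the real CONFIG values, continue online:
    # tokens = exchange_code(CONFIG, cb["code"])
    # print(pick_login(fetch_identity(CONFIG, tokens["access_token"]),
    #                  CONFIG["oauth_identity_fields"]))
```

Running the offline part shows exactly which request the application has to make after the redirect; running the two commented-out online calls with real values reproduces the CODE_TO_TOKEN and userinfo events in the Keycloak log, which separates a redirect-handling problem in the web application from a misconfigured client (wrong redirect URI, wrong secret, or a wrong realm in `oauth_token_uri`).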

ewok2:
Still trying to make it work...

I was wondering if the problem is not due to the fact that I connect to Roundcube with username/password and not with email/password?
The user/password database is on an OpenLDAP base.
=> maybe Keycloak sends the email with the scope instead of the username?

I tried to connect to Roundcube with email/password
The password check seems to work but I get this

--- Code: ---PHP Error: Access denied for new user user@domain.net. 'auto_create_user' is disabled in....
--- End code ---
in "/var/www/roundcube/logs/errors.log"

I tried to change the %u to %n in Dovecot but without effect...
($config['smtp_user'])

Any idea?

Thanks

SKaero:
Do you have "auto_create_user" set to false in your Roundcube config? By default it's set to true and would need to be set to true for new users to login.

--- Code: ---// Automatically register user in Roundcube database on successful (IMAP) logon.
// Set to false if only registered users should be allowed to the webmail.
// Note: If disabled you have to create records in Roundcube users table by yourself.
// Note: Roundcube does not manage/create users on a mail server.
$config['auto_create_user'] = true;

--- End code ---

ewok2:
Yes, "auto_create_user" is set to false on purpose
In my case user1 has his account created

When he logs in as "user1" he has access to his directory with all his mail sent to user1@mydomain

But if he tries to connect as "user1@mydomain" I get the error message because Roundcube/Dovecot try to log in to a Maildir "user1@mydomain" instead of "user1".
=> I want that if user1 connects with "user1@mydomain" he is connected to the "user1" Maildir directory
