Auth Policy Server/wforce/weakforced

Teemu Huovila teemu.huovila at dovecot.fi
Tue Aug 8 11:51:58 EEST 2017 


On 04.08.2017 23:10, Daniel Miller wrote:
> On 8/4/2017 12:48 PM, Daniel Miller wrote:
>> On 8/3/2017 6:11 AM, Teemu Huovila wrote:
>>>
>>> On 02.08.2017 23:35, Daniel Miller wrote:
>>>> Is there explicit documentation available for the (probably trivial) configuration needed for Dovecot and Wforce?  I'm probably missing something that should be perfectly obvious...
>>>>
>>>> Wforce appears to start without errors.  I added a file to dovecot's conf.d:
>>>>
>>>> 95-policy.conf:
>>>> auth_policy_server_url = http://localhost:8084/
>>>> auth_policy_hash_nonce = this_is_my_super_secret_something
>>>>
>>>> Looking at the Wforce console I see:
>>>>
>>>> WforceWebserver: HTTP Request "/" from 127.0.0.1:45108: Web Authentication failed
>>>>
>>>> In wforce.conf I have the (default):
>>>>
>>>> webserver("0.0.0.0:8084", "--WEBPWD")
>>>>
>>>> Do I need to change the "--WEBPWD"?  Do I need to specify something in the Dovecot config?
>>> You could try putting an actual password, in plain text, where --WEBPWD is. Then add that base64 encoded to dovecot setting auth_policy_server_api_header.
>>>
>> I knew it would be something like that.  I've made some changes but I'm still not there.  I presently have:
>>
>> webserver("0.0.0.0:8084", "--WEBPWD ultra-secret-secure-safe")
>> in wforce.conf (and I've tried with and without the --WEBPWD)
>>
>> and
>>
>> auth_policy_server_api_header = Authorization: Basic dWx0cmEtc2VjcmV0LXNlY3VyZS1zYWZl
>> in 95-policy.conf for dovecot
>>
>> Obviously I'm still formatting something wrong.
>>
> I think I've got something working a little better.  I'm using:
> webserver("0.0.0.0:8084", "ultra-secret-secure-safe")
> (so I remove the --WEBPWD - that's a placeholder, not a argument declaration)
> 
> and for dovecot, the base64 encoding needs to be "wforce:password" instead of just the password.
> 
> Now I have to see what else needs to be tweaked.
> 
> Daniel
Glad you got it working. Lua comments, prefixed with "--" can indeed be a bit misleading. My sloppy answer omitting HTTP Basic auth hash contents did not help either.

br,
Teemu

More information about the dovecot mailing list