1

Topic: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

First, the iRedMail+iRedAdmin PRO product is a great one and we have been using it for 6 years without problems.

We know our request is not directly iRedMail-related, but we stumbled upon SOGo webmail 2FA-Auth, which is a little bit tricky: users can enable it in webmail, but for a user without access, disabling it is possible only in 2 ways:

1. sogo-tool
sogo-tool user-preferences set defaults name.surname@domain.com SOGoGoogleAuthenticatorEnabled '{"SOGoGoogleAuthenticatorEnabled":0}'

2. MySQL query
USE sogo;
UPDATE sogo_user_profile SET c_defaults = REPLACE(c_defaults,"\"SOGoGoogleAuthenticatorEnabled\": 1","\"SOGoGoogleAuthenticatorEnabled\": 0") WHERE c_uid = "name.surname@domain.com";

Since our 2000 mail users are moving to SOGo webmail 2FA, we know we will have problems administering and disabling 2FA if a user loses/deletes/breaks a phone...

Is there any option to include, let's say in User settings - Advanced, an option "Clear Sogo-Webmail 2FA Authentication", so that upon posting "Save" iRedAdmin would execute one of the 2 options for this in the background?

If this option cannot be made available in iRedAdmin-Pro, is it possible for me to add a custom button or option in iRedAdmin-Pro so we could add this ourselves? If so, are there any instructions on how to do it? I wouldn't like to break future iRedAdmin-Pro upgrades or always have to redeploy this add-on change after an upgrade.

Thanks for answers and keep up the good work!

Br, Aris.


2

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

You have the source code when you use iRedAdmin-Pro and are free to make any improvements/changes to it as you wish.

Since I don't have access to it, I can't take a look at it, sadly.

3 (edited by aris.dizdarevic 2024-08-28 22:55:13)

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

Cthulhu wrote:

You have the source code when you use iRedAdmin-Pro and are free to make any improvements/changes to it as you wish.

Since I don't have access to it, I can't take a look at it, sadly.

Cthulhu, thank you for the quick response.

Yes, I have the source code of iRedAdmin, but any manual "tampering" will be deleted upon the next release of iRedAdmin (after installing an update, files are overwritten).

Is there any safe and permanent way for me to do it? Also, adding options should mean corrections to language files and adding variables for translations etc...

At first glance we could edit "templates/default/sql/user/profile.html" and add a checkbox and option to reset SOGo 2FA:
                    {% if session.get('is_global_admin') %}
                        {# Maildir path #}
                        <div class="form-field clear">
                            <h4 class="size-250 fl-space">{{ _('Path to mailbox') }}</h4>
                            <input type="text" name="storageBaseDirectory" value="{{ profile.storagebasedirectory |default('') |e }}" size="{{ storageBaseDirectory |length}}" class="fl-space text" />
                            <span class="vcenter">/</span>
                            <input type="text" name="storageNode" value="{{ profile.storagenode |default('') |e }}" />
                            <span class="vcenter">/</span>
                            <input type="text" name="mailMessageStore" value="{{ profile.maildir |default('') }}" size="{{ profile.maildir |length }}" class="text" />
                        </div>

                        {# Clear SOGo 2FA #}
                        <div class="form-field clear">
                            <h4 class="size-250 fl-space">{{ _('Clear SOGo-2FA') }}</h4>
                            <div class="clear">
                                <input type="checkbox"
                                       name="clearsogo2fa"
                                       class="checkbox"
                                       rel="checkboxhorizont"
                                       />
                            </div>
                        </div>

                    {% endif %}

...then, upon submitting the form, edit the py-script to execute this change (execute sogo-tool or do an SQL call to clear MFA for the user). I believe the functions are in the file "controllers/sql/user.py"

...I don't believe this is the right way and there must be a better (cleaner) way to do it - but out of my reach...

Besides everything - this could be integrated as "core-function" and all iRedAdminPro users would benefit from it...

Thanks,
Aris

4 (edited by Cthulhu 2024-08-29 01:23:54)

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

I agree, but you must as well consider that

1. SOGo is an optional component, which doesn't even work by default on every distro, so adding this option without any conditions could break stuff when SOGo isn't installed

2. it needs to work on all available backends (LDAP, PG, SQL)

3. if you manage to implement that and get it working, I am pretty sure ZhangHuangbin is willing to add this feature if you provide the working diff/pull request for this

5

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

You are right and I agree with you.

There are some important notes I believe should be written:
1. iRedAdminPRO for us is a paid product and upon changing the code we will also lose support
2. I'm not familiar with Python and the structure of iRedAdminPRO. If I make changes to the code, I cannot guarantee it will work as expected and that I made the corrections "by-the-book" on git
3. As a subscribed PRO user (regularly paying for the PRO product and support), it wouldn't be wrong of me to expect the product to cover as many options as possible
4. I politely asked for the option and also posted 2 solutions for doing it - I'm sure it would not take much time for ZhangHuangbin to implement a solution. A good working solution that checks if SOGo is installed (there is already a checkbox for selecting if the user can use SOGo webmail). If sogo-tool is used there is no need to worry about LDAP, SQL, PG. Just run the command and that is it.
5. I'm not the first nor the only one to ask for this option
6. Whole IT-world went/is-going to 2FA so this is becoming a "must-have" option

So we will (and for sure many other SogoAdminPRO users) continue waiting for developer/owner ZhangHuangbin to help us with upgrade.

Thanks again.
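Added example (not part of the thread and not iRedAdmin-Pro code): a sketch of the server-side handler discussed in posts 3 to 5, wrapping the sogo-tool call from the first post. The function names, the reason strings and the address pattern are hypothetical; the handler re-checks the admin flag, skips hosts without SOGo, and passes the address as a single argv element so it is never parsed by a shell.

```python
import json
import re
import shutil
import subprocess

# Conservative address check (assumption: ASCII mailbox names only).
# The first character must be alphanumeric, so the address can never be
# mistaken for a command-line option.
MAIL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PREF_KEY = "SOGoGoogleAuthenticatorEnabled"


def build_reset_argv(mail, sogo_tool="sogo-tool"):
    """Return the argv list for the sogo-tool call quoted in the first post."""
    if not MAIL_RE.fullmatch(mail):
        raise ValueError("refusing invalid mail address: %r" % mail)
    value = json.dumps({PREF_KEY: 0}, separators=(",", ":"))
    return [sogo_tool, "user-preferences", "set", "defaults", mail, PREF_KEY, value]


def clear_sogo_2fa(mail, is_global_admin, which=shutil.which, run=subprocess.run):
    """Disable SOGo 2FA for one user; returns (ok, reason)."""
    # Server-side check: the template's {% if %} only hides the checkbox,
    # it does not stop a crafted POST from a non-admin session.
    if not is_global_admin:
        return (False, "PERMISSION_DENIED")
    tool = which("sogo-tool")
    if tool is None:  # SOGo is optional; do nothing when it is absent
        return (False, "SOGO_NOT_INSTALLED")
    try:
        argv = build_reset_argv(mail, tool)
    except ValueError:
        return (False, "INVALID_MAIL")
    # argv list, no shell: metacharacters in the address are inert.
    proc = run(argv, capture_output=True, text=True, timeout=30, check=False)
    if proc.returncode != 0:
        return (False, "SOGO_TOOL_FAILED")
    return (True, "OK")
```

The `which` and `run` parameters exist only so the function can be exercised without SOGo installed; a 2FA reset is also worth writing to the admin audit log by the caller.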

6

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

aris.dizdarevic wrote:

1. iRedAdminPRO for us is a paid product and upon changing the code we will also lose support

You still get support from iRedMail team with unmodified parts, and you need to maintain modified parts as, e.g. a patch, so that you can easily get this feature after upgrading iRedAdmin-Pro.

aris.dizdarevic wrote:

3. As a subscribed PRO user (regularly paying for the PRO product and support), it wouldn't be wrong of me to expect the product to cover as many options as possible

Frankly, it's impossible to implement all features customers ask for. We have to balance.
If requested feature benefits all / most customers, then we're more than happy to implement it in future release. The last problem is time.
We're now busy working on iRedMail Enterprise Edition[1] (EE. It's 95% done and close to v1.0.0 final release), so iRedAdmin-Pro development is a little delayed. We may first implement this 2FA reset in EE.

aris.dizdarevic wrote:

4. I politely asked for the option and also posted 2 solutions for doing it - I'm sure it would not take much time for ZhangHuangbin to implement a solution.

Thank you very much for sharing. :)

[1] https://www.iredmail.org/ee.html

7

Re: Option to disable SOGo 2FA-Auth of specific user in web-iredadmin

Update: This has been implemented in iRedMail Enterprise Edition.