Open-Xchange authentication (Kerberos, LDAP, and IMAP plugins)

  • Open-Xchange authentication (Kerberos, LDAP, and IMAP plugins)

    I have not been successful getting authentication to work with the open-xchange-authentication-ldap, open-xchange-authentication-kerberos, or open-xchange-authentication-imap plugins. I need to get Open-Xchange authentication working for my LinuxHA.sh script (please see https://launchpad.net/linuxha for more information). The only plugin I can get to work is open-xchange-authentication-database. This database plugin only works with the /opt/open-xchange/sbin/createuser command, but I want to use GOsa as the GUI to manage network user authentication. For some reason, my configuration files do not interface correctly with Open-Xchange.

    I have attached my ldapauth.properties, imapauth.properties, kerberosLogin.conf, and dovecot-ldap.conf.ext configuration files, slapd.ldif OpenLDAP database dump, and syslog error message.

    Any help with fixing this authentication problem is appreciated.

  • #2
    After further testing, I have the following results:

    When testing the open-xchange-authentication-imap plugin, I finally achieved success and was able to login! The following two patches solved the login problem:

    sed -i "/IMAP_PORT/ c\IMAP_PORT=993
    /USE_SECURE/ c\IMAP_USE_SECURE=true
    /USE_FULL_LOGIN_INFO/ c\USE_FULL_LOGIN_INFO=false" \
    /opt/open-xchange/etc/imapauth.properties

    sed -i "/mail.loginSource/ c\com.openexchange.mail.loginSource=mail" \
    /opt/open-xchange/etc/mail.properties

    I submitted a patch to configure this plugin automatically.

    The only problem lies with my Oxldapsync cronjob (this does not update for some reason and needs to be fixed):

    echo "*/5 * * * * root /opt/oxldapsync/sbin/oxldapsync.pl -c 1 -A admin \
    -P ${ADMIN_PASSWD}" > /etc/cron.d/oxldapsync


    When testing the open-xchange-authentication-ldap plugin, there appear to be syntax errors in the mapping.openldap.conf configuration file. The options (access-forum, access-pinboard-write, access-projects, access-rss-bookmarks, and access-rss-portal) cause the oxldapsync.pl Perl module to error out, even if they are set to "off". The only way to get Oxldapsync to run is to comment out the above-mentioned options. The following patch resolves this problem:

    sed -i "s|displayName|cn|
    s|\"secret\"|userPassword|
    /access-forum/ s|^|#|
    /access-pinboard-write/ s|^|#|
    /access-projects/ s|^|#|
    /access-rss-bookmarks/ s|^|#|
    /access-rss-portal/ s|^|#|" /opt/oxldapsync/etc/mapping.openldap.conf

    I can only authenticate with Open-Xchange when testing Oxldapsync with "clear" plaintext passwords. Does Oxldapsync have any support for an encrypted password scheme (sha, crypt, blowfish, etc)?

    I ideally want Dovecot's dovecot-ldap.conf.ext configured for "sasl_bind = yes" and "sasl_mech = GSSAPI" to eliminate the need for plaintext passwords. My Dovecot configuration does not yet work with SASL and needs to be fixed.

    I tried to use the "useFullLoginInfo" attribute in /opt/open-xchange/etc/ldapauth.properties to allow virtual user access. I tried to use this attribute along with "uidAttribute=mail" and "bindOnly=false" to search the LDAP tree and authenticate based on the full email account, but all I get is the following error message:

    "The account "example.com" was not found. (CTX-0010)".


    When testing the open-xchange-authentication-kerberos plugin, I get the following results:

    Error message at login screen: "The user name or password is incorrect. (LGI-0006)".

    The open-xchange-console-log displays the following:

    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    [Krb5LoginModule] user entered username: testuser

    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=192.168.1.1 UDP:88, timeout=30000, number of retries =3, #bytes=154
    >>> KDCCommunication: kdc=192.168.1.1 UDP:88, timeout=30000,Attempt =1, #bytes=154
    >>> KrbKdcReq send: #bytes read=667
    >>> KdcAccessibility: remove 192.168.1.1
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply testuser
    principal is testuser@EXAMPLE.CORP
    Commit Succeeded

    After configuring GOsa's password storage to not use Kerberos's "Pre-authentication required", this open-xchange-console-log appears to indicate the authentication was successful, but unfortunately Open-Xchange does not log in successfully.

    Any help at patching these problems is appreciated.
    Last edited by Travis Bean; 01-13-2016, 08:03 AM.
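An added example, not code from this thread, from Open-Xchange or from oxldapsync: the `sed '/KEY/ c\KEY=VALUE'` patches above replace every line containing the substring (a comment mentioning the key included) and silently change nothing when the key is absent, so a setting such as IMAP_USE_SECURE=true can fail to land without any error. The helper below sets a properties key idempotently and reads back the effective value; the sample file and its contents are constructed.

```shell
#!/bin/sh
# Idempotent setter/getter for Java-style KEY=VALUE properties files (example
# code for this thread, not part of Open-Xchange or oxldapsync). Unlike
# "sed '/KEY/ c\KEY=VALUE'" it anchors on the key, also claims a commented-out
# "#KEY=" line, and appends the key when absent instead of doing nothing.
# Keys and values must not contain '|' (used as the sed delimiter).

escape_bre() {
    # Escape BRE metacharacters so dots in com.openexchange.* match literally.
    printf '%s' "$1" | sed 's#[][\.*^$/]#\\&#g'
}

set_property() {
    file=$1 key=$2 value=$3
    esc_key=$(escape_bre "$key")
    # In a sed replacement only '\' and '&' are special.
    esc_val=$(printf '%s' "$value" | sed 's#[\&]#\\&#g')
    if grep -q "^[#[:space:]]*${esc_key}[[:space:]]*=" "$file"; then
        sed -i "s|^[#[:space:]]*${esc_key}[[:space:]]*=.*|${key}=${esc_val}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

get_property() {
    # Effective value: the last uncommented assignment wins, as in java.util.Properties.
    esc_key=$(escape_bre "$2")
    sed -n "s|^[[:space:]]*${esc_key}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

demo() {
    tmp=$(mktemp)
    # Constructed sample, not a real imapauth.properties: one key commented
    # out, one present with the insecure value, one missing entirely.
    printf '#IMAP_PORT=143\nIMAP_USE_SECURE=false\nIMAP_SERVER=localhost\n' > "$tmp"
    set_property "$tmp" IMAP_PORT 993
    set_property "$tmp" IMAP_USE_SECURE true
    set_property "$tmp" USE_FULL_LOGIN_INFO false
    printf 'IMAP_USE_SECURE=%s\n' "$(get_property "$tmp" IMAP_USE_SECURE)"
    rm -f "$tmp"
}

demo
```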
