Announcement

Collapse
No announcement yet.

OX6 & LDAP (oxldapsync) & MD5

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • OX6 & LDAP (oxldapsync) & MD5

    Hi all,

    I have set up an Open-Xchange 6 Community Edition Server on Ubuntu 8.04 LTS Server. I have Postfix and Courier IMAP running on other machines (XEN DomUs) authenticating their users agains an OpenLDAP server. In OpenLDAP passwords are saved as MD5 hash.

    There came some config files with the oxldapsync plugin, one named "ldapsync.conf" and another one "mapping.openldap.conf". I changed them to my needs and did a first sync, however login as LDAP user fails.

    In "mapping.openldap.conf" there's a directive called "passwordmech", and I don't know which value I should set this one to. I looked into the OX6 database (table "user") and found a field calls "passwordMech" set to "{SHA}" for all the (currently synced) Users. So I edited my "mapping.ldap.conf" an set the "passwordmech" directive to "{MD5}", yet without success. When syncing again I get this errror:

    "user foobar in context 1 could not be changed:
    Server response: Invalid PasswordMech: {MD5}, Valid Mechs: {CRYPT}:{SHA}"
    Well, at least now I know which values the "passwordmech" directive can be set to, but do I have to change all my LDAP passwords to make them saved as an SHA hash?

  • #2
    You need to authenticate against your ldapserver using the open-xchange-authentication-ldap bundle (instead of open-xchange-authentication-database).

    Syncing passwords is not supported, AFAIK. At least ox only supports SHA and Crypt (as the error message states).

    Comment


    • #3
      I used this HOWTO which works - except for MD5 support - quite well:

      http://www.open-xchange.com/wiki/ind...LDAPSync_Guide

      Isn't this the "recommended" way to connect Open-Xchange 6 CE to an OpenLDAP server?

      Comment


      • #4
        You need to authenticate against your ldapserver using the open-xchange-authentication-ldap bundle (instead of open-xchange-authentication-database).
        That bundle (package) must be installed instead of the open-xchange-authentication-database bundle (package) and configured to fit into your ldap environment.

        Comment


        • #5
          Okay, now I understand - sorry for the thick-weakness...

          Now I can see OX6 trying to authenticate users against the OpenLDAP server, yet the bindDN used by OX6 is the users DN and for me it looks like this DN may not read the userPassword value.

          My ACL to the userPassword looks like this:

          Code:
          access to attrs=userPassword,shadowLastChange
                  by dn="cn=myldapadminuser,dc=mydomain,dc=de" write
                  by anonymous auth
                  by self write
                  by * none
          In the slapd logfile appears:

          Code:
          Nov 13 11:43:49 localhost slapd[4360]: conn=28 fd=16 ACCEPT from IP=192.168.0.132:55189 (IP=0.0.0.0:389)
          Nov 13 11:43:49 localhost slapd[4360]: conn=28 fd=16 closed (connection lost)
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 ACCEPT from IP=192.168.0.132:55191 (IP=0.0.0.0:389)
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 BIND dn="" method=128
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 RESULT tag=97 err=0 text=
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" method=128
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" mech=SIMPLE ssf=0
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 RESULT tag=97 err=0 text=
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=2 UNBIND
          Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 closed
          I couldn't find a way to tell OX6 which bindDN (and password) to use... Any hints?

          Thanks in advance,

          Florian

          Comment


          • #6
            According to your slapd log, it uses

            BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" mech=SIMPLE ssf=0
            The password attribute should be userPassword (which is predetermined by the ldap schema).

            And if I understand the slapd log, the bind did succeed?
            So what's the problem?

            Comment


            • #7
              Originally posted by Carsten Hoeger View Post
              According to your slapd log, it uses
              The password attribute should be userPassword (which is predetermined by the ldap schema).

              And if I understand the slapd log, the bind did succeed?
              So what's the problem?
              The problem is that I still get the message:

              "Anmeldevorgang ist fehlgeschlagen. Überprüfen Sie Ihren Benutzernamen und das Passwort und versuchen Sie es erneut."

              and no additional info in the logs...

              Any hints very appreciated!

              Regards,
              Florian

              Comment


              • #8
                Additional Info:

                Using LDAP-Tools from the command line on the very same machine works without any problems:

                Code:
                $ ldapsearch -D uid=myusername,ou=people,dc=mydomain,dc=de -W -x -b "uid=myusername,ou=people,dc=mydomain,dc=de"
                Enter LDAP Password: xxxxxxxxx
                # extended LDIF
                #
                # LDAPv3
                # base <uid=fauer,ou=people,dc=mydomain,dc=de> with scope subtree
                # filter: (objectclass=*)
                # requesting: ALL
                #
                
                # myusername, people, mydomain.de
                dn: myusername,ou=people,dc=mydomain,dc=de
                objectClass: inetOrgPerson
                objectClass: posixAccount
                objectClass: top
                objectClass: CourierMailAccount
                objectClass: postfixMailUser
                givenName: <MyFirstName>
                sn: <MyLastName>
                cn: <MyFullName>
                uid: <myusername>
                homeDirectory: /home/<myusername>
                loginShell: /bin/bash
                uidNumber: 1001
                gidNumber: 2000
                gecos: <MyFullName>
                mail: <myemail1>
                mail: <myemail2>
                rewMailAddress: <myemail1>
                userPassword:: 1324567890abcdefghijklmnopqrstuvwxyz
                
                # search result
                search: 2
                result: 0 Success
                
                # numResponses: 2
                # numEntries: 1

                Comment


                • #9
                  As this discussion is not about OX LDAP sync anymore but LDAP Auth plugin, I moved to the OX CE Installation forum.

                  Comment


                  • #10
                    Thank you for the informative post and keep up the good work!

                    Comment

                    Working...
                    X