  1. #1
    floeschie (Guest)

    OX6 & LDAP (oxldapsync) & MD5

    Hi all,

    I have set up an Open-Xchange 6 Community Edition Server on Ubuntu 8.04 LTS Server. I have Postfix and Courier IMAP running on other machines (XEN DomUs) authenticating their users against an OpenLDAP server. In OpenLDAP passwords are saved as MD5 hashes.

    There came some config files with the oxldapsync plugin, one named "ldapsync.conf" and another one "mapping.openldap.conf". I changed them to my needs and did a first sync, however login as LDAP user fails.

    In "mapping.openldap.conf" there's a directive called "passwordmech", and I don't know which value I should set this one to. I looked into the OX6 database (table "user") and found a field called "passwordMech" set to "{SHA}" for all the (currently synced) users. So I edited my "mapping.ldap.conf" and set the "passwordmech" directive to "{MD5}", yet without success. When syncing again I get this error:

    "user foobar in context 1 could not be changed:
    Server response: Invalid PasswordMech: {MD5}, Valid Mechs: {CRYPT}:{SHA}"
    Well, at least now I know which values the "passwordmech" directive can be set to, but do I have to change all my LDAP passwords to make them saved as an SHA hash?

  2. #2
    Carsten Hoeger (Open-Xchange Professional Services)

    You need to authenticate against your ldapserver using the open-xchange-authentication-ldap bundle (instead of open-xchange-authentication-database).

    Syncing passwords is not supported, AFAIK. At least ox only supports SHA and Crypt (as the error message states).
    OXpedia.org - the answer to almost all questions.
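The {MD5} versus {SHA}/{CRYPT} question in posts #1 and #2 comes down to the format of the userPassword values. The script below is an added example, not code from the thread, from Open-Xchange, from oxldapsync or from OpenLDAP: it parses RFC 2307 userPassword values the way OpenLDAP stores them ({SHA}, {SSHA}, {MD5}, {SMD5} or cleartext, in both the plain and the base64 `::` LDIF notation), verifies a candidate password against each scheme, and shows why a stored {MD5} digest cannot be rewritten as the {SHA} form OX reports as valid unless the plaintext is available. The sample LDIF entries are constructed; OX_VALID_MECHS is taken from the error message in post #1; {CRYPT} is left out because it needs the platform crypt(3).

```python
"""Inspect RFC 2307-style userPassword values as OpenLDAP stores them,
verify candidates against them, and show that a {MD5} digest cannot be
turned into the {SHA} form OX accepts without the plaintext.

Added example; not code from Open-Xchange, oxldapsync or OpenLDAP.
Sample entries are constructed.  {CRYPT} is left out: it needs crypt(3).
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hash constructor, salted?).  Salted schemes hash password||salt
# and store digest||salt inside the base64 payload.
SCHEMES = {
    "SHA": (hashlib.sha1, False),
    "SSHA": (hashlib.sha1, True),
    "MD5": (hashlib.md5, False),
    "SMD5": (hashlib.md5, True),
}
OX_VALID_MECHS = {"CRYPT", "SHA"}   # the two mechs named in the error message in post #1

def decode_ldif_attribute(line):
    """Return (name, value) for one LDIF line; 'attr:: x' carries a base64 value."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()

def parse_userpassword(value):
    """'{SCHEME}base64' -> (SCHEME, raw bytes); no prefix -> (None, utf-8 bytes)."""
    if value.startswith("{") and "}" in value:
        scheme, _, data = value[1:].partition("}")
        return scheme.upper(), base64.b64decode(data)
    return None, value.encode("utf-8")

def make_userpassword(scheme, password, salt=None):
    """Build a value in OpenLDAP's format; salted schemes get 8 random salt bytes."""
    hasher, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(8) if salt is None else salt
        raw = hasher(pw + salt).digest() + salt
    else:
        raw = hasher(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))

def verify_userpassword(value, candidate):
    """True if candidate matches the stored value (constant-time comparison)."""
    scheme, raw = parse_userpassword(value)
    cand = candidate.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(raw, cand)
    if scheme not in SCHEMES:
        raise ValueError("scheme %s is not handled in this example" % scheme)
    hasher, salted = SCHEMES[scheme]
    if not salted:
        return hmac.compare_digest(hasher(cand).digest(), raw)
    size = hasher().digest_size
    stored, salt = raw[:size], raw[size:]
    return hmac.compare_digest(hasher(cand + salt).digest(), stored)

def rehash_for_ox(value, plaintext=None):
    """Return a value OX accepts, or None when only the plaintext could produce one.

    Hashes are one-way: {MD5}, {SMD5} or {SSHA} cannot be converted to {SHA}
    offline.  A cleartext entry can be hashed at once; anything else needs the
    plaintext, e.g. captured at the next password change.
    """
    scheme, _ = parse_userpassword(value)
    if scheme in OX_VALID_MECHS:
        return value
    if scheme is None:
        return make_userpassword("SHA", value)
    if plaintext is not None and verify_userpassword(value, plaintext):
        return make_userpassword("SHA", plaintext)
    return None

def audit(ldif_lines):
    """Map uid -> password scheme for every userPassword in a (constructed) LDIF dump."""
    report, uid = {}, None
    for line in ldif_lines:
        if not line.strip():
            continue
        name, val = decode_ldif_attribute(line)
        if name == "dn":
            uid = val.split(",")[0].split("=", 1)[1]
        elif name == "userPassword":
            report[uid] = parse_userpassword(val)[0] or "CLEARTEXT"
    return report

# Constructed sample showing both ways an LDIF export writes the attribute.
SAMPLE_LDIF = [
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==",   # md5("secret")
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(b"{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=").decode("ascii"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: " + make_userpassword("SSHA", "secret"),
]
```

Running `audit(SAMPLE_LDIF)` over an export of the directory tells you which entries oxldapsync could ever hand to OX as-is (only {SHA} and {CRYPT}); `rehash_for_ox` returns None for every {MD5} entry unless the plaintext is supplied, which is exactly why the thread ends up authenticating against LDAP directly instead of syncing hashes.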

  3. #3
    floeschie (Guest)

    I used this HOWTO which works - except for MD5 support - quite well:

    http://www.open-xchange.com/wiki/ind...LDAPSync_Guide

    Isn't this the "recommended" way to connect Open-Xchange 6 CE to an OpenLDAP server?

  4. #4
    Carsten Hoeger (Open-Xchange Professional Services)

    You need to authenticate against your ldapserver using the open-xchange-authentication-ldap bundle (instead of open-xchange-authentication-database).
    That bundle (package) must be installed instead of the open-xchange-authentication-database bundle (package) and configured to fit into your ldap environment.

  5. #5
    floeschie (Guest)

    Okay, now I understand - sorry for the thick-headedness...

    Now I can see OX6 trying to authenticate users against the OpenLDAP server, yet the bindDN used by OX6 is the user's DN and for me it looks like this DN may not read the userPassword value.

    My ACL to the userPassword looks like this:

    Code:
    access to attrs=userPassword,shadowLastChange
            by dn="cn=myldapadminuser,dc=mydomain,dc=de" write
            by anonymous auth
            by self write
            by * none
    In the slapd logfile appears:

    Code:
    Nov 13 11:43:49 localhost slapd[4360]: conn=28 fd=16 ACCEPT from IP=192.168.0.132:55189 (IP=0.0.0.0:389)
    Nov 13 11:43:49 localhost slapd[4360]: conn=28 fd=16 closed (connection lost)
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 ACCEPT from IP=192.168.0.132:55191 (IP=0.0.0.0:389)
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 BIND dn="" method=128
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 RESULT tag=97 err=0 text=
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" method=128
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" mech=SIMPLE ssf=0
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 RESULT tag=97 err=0 text=
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=2 UNBIND
    Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 closed
    I couldn't find a way to tell OX6 which bindDN (and password) to use... Any hints?

    Thanks in advance,

    Florian

  6. #6
    Carsten Hoeger (Open-Xchange Professional Services)

    According to your slapd log, it uses

    Code:
    BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" mech=SIMPLE ssf=0

    The password attribute should be userPassword (which is predetermined by the ldap schema).

    And if I understand the slapd log, the bind did succeed?
    So what's the problem?
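Reading the slapd log the way post #6 does, as an added example that is not part of the thread and not OpenLDAP code: the script pairs every BIND with the RESULT for the same conn/op and labels it. Run over the lines from post #5 it confirms that the user bind on conn=29 op=1 returned err=0, i.e. the directory accepted the password; the extra conn=30 lines ending in err=49 (invalidCredentials) are constructed to show what a rejected bind looks like. It also flags that the successful bind was a SIMPLE bind with ssf=0, which means no TLS was negotiated, so the user's password crossed the network in the clear between the OX host and slapd.

```python
"""Correlate slapd BIND/RESULT lines per (conn, op) and classify each bind:
anonymous, succeeded, succeeded without TLS (ssf=0), or failed with the
LDAP result code.

Added example; not part of the original posts and not OpenLDAP code.
The conn=29 lines are the thread's; the conn=30 failure is constructed.
"""
import re
from collections import OrderedDict

CONN = re.compile(r"\bconn=(\d+)")
OP = re.compile(r"\bop=(\d+)")
ACCEPT = re.compile(r"\bACCEPT from IP=([\d.]+):(\d+)")
BIND = re.compile(r'\bBIND dn="([^"]*)"')          # method=128 is a simple bind
MECH = re.compile(r"\bmech=(\S+) ssf=(\d+)")       # logged once the bind succeeds
RESULT = re.compile(r"\bRESULT tag=(\d+) err=(\d+)")

# LDAP resultCode values a bind commonly returns (RFC 4511).
RESULT_NAMES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    32: "noSuchObject", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
BIND_RESPONSE_TAG = 97   # tag=97 marks a BindResponse

def correlate_binds(lines):
    """One record per BIND op, in log order, with its RESULT code attached."""
    binds, peers = OrderedDict(), {}
    for line in lines:
        c = CONN.search(line)
        if not c:
            continue
        conn = int(c.group(1))
        a = ACCEPT.search(line)
        if a:
            peers[conn] = "%s:%s" % a.groups()
            continue
        o = OP.search(line)
        if not o:
            continue
        key = (conn, int(o.group(1)))
        b = BIND.search(line)
        if b:   # slapd logs two BIND lines for a successful simple bind; keep one record
            rec = binds.setdefault(key, {
                "conn": conn, "op": key[1], "peer": peers.get(conn),
                "dn": b.group(1), "mech": None, "ssf": None, "err": None})
            m = MECH.search(line)
            if m:
                rec["mech"], rec["ssf"] = m.group(1), int(m.group(2))
            continue
        r = RESULT.search(line)
        if r and key in binds and int(r.group(1)) == BIND_RESPONSE_TAG:
            binds[key]["err"] = int(r.group(2))
    return list(binds.values())

def classify(rec):
    """Label a correlated bind record."""
    if rec["err"] is None:
        return "no-result"
    if rec["err"] != 0:
        return "failed:" + RESULT_NAMES.get(rec["err"], "err%d" % rec["err"])
    if rec["dn"] == "":
        return "anonymous"
    if rec["mech"] == "SIMPLE" and rec["ssf"] == 0:
        return "ok-simple-no-tls"   # password was sent in clear
    return "ok"

def summarize(lines):
    """(conn, op, dn, label) for each bind, so failures and cleartext binds stand out."""
    return [(r["conn"], r["op"], r["dn"], classify(r)) for r in correlate_binds(lines)]

# Sample input: the thread's conn=29 lines, then a constructed rejected bind.
SAMPLE_LOG = """\
Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 ACCEPT from IP=192.168.0.132:55191 (IP=0.0.0.0:389)
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 BIND dn="" method=128
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=0 RESULT tag=97 err=0 text=
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" method=128
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" mech=SIMPLE ssf=0
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=1 RESULT tag=97 err=0 text=
Nov 13 11:44:42 localhost slapd[4360]: conn=29 op=2 UNBIND
Nov 13 11:44:42 localhost slapd[4360]: conn=29 fd=16 closed
Nov 13 11:45:10 localhost slapd[4360]: conn=30 fd=17 ACCEPT from IP=192.168.0.132:55200 (IP=0.0.0.0:389)
Nov 13 11:45:10 localhost slapd[4360]: conn=30 op=0 BIND dn="uid=myusername,ou=people,dc=mydomain,dc=de" method=128
Nov 13 11:45:10 localhost slapd[4360]: conn=30 op=0 RESULT tag=97 err=49 text=
Nov 13 11:45:10 localhost slapd[4360]: conn=30 fd=17 closed
""".splitlines()

if __name__ == "__main__":
    for conn, op, dn, label in summarize(SAMPLE_LOG):
        print("conn=%d op=%d dn=%r %s" % (conn, op, dn, label))
```

Because the user bind in post #5 is labelled as succeeded, the directory is not what rejects the login; the ssf=0 label is the separate point a practitioner would fix by talking to slapd over ldaps:// or STARTTLS.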

  7. #7
    floeschie (Guest)

    Quote Originally Posted by Carsten Hoeger
    According to your slapd log, it uses
    The password attribute should be userPassword (which is predetermined by the ldap schema).

    And if I understand the slapd log, the bind did succeed?
    So what's the problem?
    The problem is that I still get the message:

    "Login failed. Check your username and password and try again." (the German UI message: "Anmeldevorgang ist fehlgeschlagen. Überprüfen Sie Ihren Benutzernamen und das Passwort und versuchen Sie es erneut.")

    and no additional info in the logs...

    Any hints very appreciated!

    Regards,
    Florian

  8. #8
    floeschie (Guest)

    Additional Info:

    Using LDAP-Tools from the command line on the very same machine works without any problems:

    Code:
    $ ldapsearch -D uid=myusername,ou=people,dc=mydomain,dc=de -W -x -b "uid=myusername,ou=people,dc=mydomain,dc=de"
    Enter LDAP Password: xxxxxxxxx
    # extended LDIF
    #
    # LDAPv3
    # base <uid=fauer,ou=people,dc=mydomain,dc=de> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # myusername, people, mydomain.de
    dn: myusername,ou=people,dc=mydomain,dc=de
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: CourierMailAccount
    objectClass: postfixMailUser
    givenName: <MyFirstName>
    sn: <MyLastName>
    cn: <MyFullName>
    uid: <myusername>
    homeDirectory: /home/<myusername>
    loginShell: /bin/bash
    uidNumber: 1001
    gidNumber: 2000
    gecos: <MyFullName>
    mail: <myemail1>
    mail: <myemail2>
    rewMailAddress: <myemail1>
    userPassword:: 1324567890abcdefghijklmnopqrstuvwxyz
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1

  9. #9
    floeschie (Guest)

    As this discussion is not about OX LDAP sync anymore but LDAP Auth plugin, I moved to the OX CE Installation forum.

  10. #10
    JulietteKlonk (Guest)

    Thank you for the informative post and keep up the good work!
