What does LDAP/IMAP authentication really mean?


  • What does LDAP/IMAP authentication really mean?

    Dear OX-Forum,

    I am kind of new to OX6 and I am trying to install proper authentication (i.e. via LDAP or IMAP) at a customer's.

    I am quite puzzled by the fact that things simply do not seem to work properly and I think it might have to do with me not understanding "authentication" in the sense of OX6.

    I am using OX6.18.0 on Ubuntu Server 10.4.1 LTS.

    To me, when I install the open-xchange-authentication-[imap|ldap] modules, then I should _remove_ the open-...authentication-database module, if I read the instructions correctly.

    I have verified that both my LDAP server and IMAP server (cyrus) have proper user accounts for my OX6 user; I have also made accounts for oxadmin, oxadminmaster as well as my own user. I think that I have also set up imapauth.properties and the ldap property files correctly.

    All of the relevant bundles start up correctly in the logfiles.

    To me, authentication means, that ALL of the user information should ONLY be taken from the configured mechanism.

    However, for example when I try to log in with my account, in this case using IMAP auth, then I get the message that the account is not in the database.

    This is obvious as I have removed the database auth and there is no such account. So I can use Peter's Admin GUI to create the account, HOWEVER this requires me to enter a password.

    But I want the ONLY source of account and password info to be either in IMAP or LDAP and NEVER in the database.

    Therefore I feel it's strange that all the guides for LDAP auth also specify to run oxldapsync to get all LDAP entries into OX6? Surely this should be unnecessary? Any login query etc. should simply be sent to the corresponding server for validation?

    It also kind of bothers me that the example oxldapsync config files specify the user's password to be set to "secret" initially as a default! This is not acceptable: I want people to be able to get onto the groupware immediately without any new passwords or password change? That is the real reason to use LDAP/IMAP?

    So where am I wrong? A lot of people seem to be happy using these modules and I am not... :-) So I guess I am not understanding the "underlying" concepts properly?

    Any pointers, philosophical or otherwise, :-) would be greatly appreciated.

    Love,
    Snoopy a.k.a. Bluesnoop

  • #2
    Hi,

    those authentication bundles check the user/password combination against different backends. It does not mean that all user data is stored at a specific location. User information like name, phone number etc. is still stored in the database. Note that you can/need to configure those authentication plugins, e.g. imapauth.properties. You probably have to change the way the username is sent to the authentication backend in order to make it work correctly. Sniffing the network traffic helps a lot with that. It's a typical tripwire that the IMAP server expects other username formats than OX sends: "john.doe" vs. "john.doe@domain.tld".

    Greetings



    • #3
      Dear Martin,

      thanks a lot for your QUICK reply. Very kind!

      I did ask the imap bundle to use only "user" and not "user@domain..." etc. And when I create my "local" OX6 database user, I can actually get at my IMAP mailbox (on the remote IMAP server). I can read and delete messages etc. So I think this is not my problem.

      From your answer it appears that I need user data in TWO locations? Once in the OX database, which then enquires either the LDAP or IMAP backend?

      I am aware the DB needs to store some OX-specific user stuff, etc. which is not stored in the LDAP or of course IMAP.

      However if the *authentication* is done against a backend, then why bother with the account & password etc. stored in the DB?

      I would have thought that I log in with my "known" IMAP account and password and then on first login, OX6 will create its own database record for "me", which says: OX6 specifics "in here" and authentication "over there" (which may be IMAP or LDAP). In a similar thought: when I use LDAP then I can use it in two ways: either as "contacts only" or "authentication" (or in fact both).

      Now: I can of course import LDAP accounts using oxldapsync. But: what if I ONLY wish to use IMAP? Is there an "oximapsync"?

      The LDAP on the remote server is ancient (2.4.1) and hence I really only want to authenticate against IMAP. I cannot upgrade the old remote LDAP/IMAP server.

      So is the simple answer -> import all accounts from LDAP and set password to empty string (in the oxldapsync.conf file) and then enable IMAP authentication?

      Then I need to tweak the IMAP password script to allow "write-through" to the remote IMAP server, no?

      I am very sorry if these are stupid questions, but while I find a lot of documentation on the different bundles, there is very little explaining the actual data model?

      Thank you so much for all your patience and help!

      Love,
      Snoopy



      • #4
        Originally posted by bluesnoop:
        I did ask the imap bundle to use only "user" and not "user@domain..." etc. And when I create my "local" OX6 database user, I can actually get at my IMAP mailbox (on the remote IMAP server). I can read and delete messages etc. So I think this is not my problem.
        Sure - but those settings are defined by --imaplogin, which is a static setting stored at the database for each mail account, the authentication mechanism uses the data provided by the login itself (as one option). So even if IMAP access works, authentication against IMAP can be broken.

        Originally posted by bluesnoop:
        However if the *authentication* is done against a backend, then why bother with the account & password etc. stored in the DB?
        Well, when creating the user, its password is written to the database only. IMAP and LDAP are typically read-only authentication backends, so we cannot write the username and password there automatically. Usually those authentication systems and their users exist before OX is introduced to the infrastructure. Furthermore, the authentication can be switched. So if you switch it back to the database, you won't have any password, which would be less than optimal.

        Originally posted by bluesnoop:
        I would have thought that I log in with my "known" IMAP account and password and then on first login, OX6 will create its own database record for "me".
        This is not the case. Even if authentication is handled against an external system, the user still needs to be created within OX and within the database before he or she can actually log in.

        Originally posted by bluesnoop:
        Now: I can of course import LDAP accounts using oxldapsync. But: what if I ONLY wish to use IMAP? Is there an "oximapsync"?
        I'm afraid there is no such tool, at least I don't know one.

        Originally posted by bluesnoop:
        So is the simple answer -> import all accounts from LDAP and set password to empty string (in the oxldapsync.conf file) and then enable IMAP authentication?
        The password you chose when creating the users at OX does not really matter if IMAP is used for authentication; however, you should use a random one in case you, or someone else, switches the authentication back to database. So you can use ldapsync or, for one-time use, some scripts that read LDAP and fire the command line tools to create users.

        Originally posted by bluesnoop:
        Then I need to tweak the IMAP password script to allow "write-through" to the remote IMAP server, no?
        I am not exactly sure what you mean by this. In terms of documentation, please check the configuration files for those authentication plugins; they contain pretty much documentation. For the IMAP auth plugin, see this page at oxpedia: http://oxpedia.org/wiki/index.php?ti...in_description

        Greetings
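The two points made in the replies above, reduced to code, as an added example that is not part of the thread and not Open-Xchange's own plugin code: first, the login name typed into OX has to be mapped onto the form the IMAP server expects ("john.doe" vs. "john.doe@domain.tld", the tripwire from reply #2); second, the OX database record created for each user should carry a random password so that switching authentication back to the database never leaves every account with the same "secret" default. The function names, the `use_full_login` switch and `default_domain` are assumptions for this example, not real imapauth.properties keys.

```python
"""Added example, not code from the OX forum thread or the OX project.

Two security-relevant parts of an IMAP authentication plugin:
1. normalise the typed login into the name the IMAP server expects;
2. give the local OX user record a random, unused database password.
`use_full_login` and `default_domain` are assumed knobs for this example.
"""
import imaplib
import secrets
import ssl


def imap_login_name(typed_login: str, use_full_login: bool, default_domain: str) -> str:
    """Return the user name to present to the IMAP server.

    use_full_login=True  -> always send user@domain (append default_domain if missing)
    use_full_login=False -> always send the local part only
    """
    local, _sep, domain = typed_login.partition("@")
    if use_full_login:
        return f"{local}@{domain or default_domain}"
    return local


def random_db_password(nbytes: int = 24) -> str:
    """Random password for the OX database user record.

    Nobody ever types it in: it only exists so that a later switch back to
    database authentication does not leave accounts with a shared default.
    """
    return secrets.token_urlsafe(nbytes)


def check_imap_credentials(host: str, login: str, password: str, port: int = 993) -> bool:
    """Authenticate `login`/`password` against the IMAP server over TLS.

    Returns True on a successful LOGIN, False when the server rejects the
    credentials. Network or TLS errors (OSError, ssl.SSLError) are deliberately
    left to propagate, so "server unreachable" is never mistaken for
    "wrong password". Needs a reachable IMAP server, so it is not run here.
    """
    ctx = ssl.create_default_context()
    try:
        with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
            conn.login(login, password)
            return True
    except imaplib.IMAP4.error:
        return False


def authenticate(typed_login: str, password: str, host: str,
                 use_full_login: bool, default_domain: str) -> bool:
    """What the plugin does per login attempt: map the name, then ask IMAP."""
    return check_imap_credentials(host, imap_login_name(typed_login, use_full_login, default_domain), password)


if __name__ == "__main__":
    # constructed sample logins; the mapping is what usually goes wrong
    for typed in ("john.doe", "john.doe@domain.tld", "john.doe@other.tld"):
        print(typed, "->", imap_login_name(typed, True, "domain.tld"),
              "|", imap_login_name(typed, False, "domain.tld"))
    print("db password for the OX record:", random_db_password())
```

When a login fails against the IMAP backend, compare the name `imap_login_name` produces with what the IMAP server logs for the LOGIN command; that is the comparison reply #2 suggests doing with a network sniffer.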



        • #5
          Dear Martin,

          thank you so much! Your comments have really cleared up some of my understanding problems!

          I have now successfully imported LDAP accounts using oxldapsync. I have set the password to be the same for all accounts but then the IMAP authentication works...!

          HOORAY!

          Thank you!

          Love,
          Snoopy
