Homepage | Products | OX Knowledge Base | Support | Try Now | Contact | Company
OX Logo
Results 1 to 2 of 2
  1. #1
    Join Date
    Sep 2013

    Default Open-Xchange authentication (Kerberos, LDAP, and IMAP plugins)

    I am not successful getting authentication to work with the open-xchange-authentication-ldap, open-xchange-authentication-kerberos, or open-xchange-authentication-imap plugins. I need to get Open-Xchange authentication working for my LinuxHA.sh script (please see https://launchpad.net/linuxha for more information). The only plugin I can get to work is open-xchange-authentication-database. This database plugin only works with the /opt/open-xchange/sbin/createuser command, but I want to use GOsa as the GUI to manage network user authentication. For some reason, my configuration files do not interface correctly with Open-Xchange.

    I have attached my ldapauth.properties, imapauth.properties, kerberosLogin.conf, and dovecot-ldap.conf.ext configuration files, slapd.ldif OpenLDAP database dump, and syslog error message.

    Any help with fixing this authentication problem is appreciated.
    Attached Files Attached Files

  2. #2
    Join Date
    Sep 2013


    After further testing, I have the following results:

    When testing the open-xchange-authentication-imap plugin, I finally achieved success and was able to login! The following two patches solved the login problem:

    sed -i "/IMAP_PORT/ c\IMAP_PORT=993

    sed -i "/mail.loginSource/ c\com.openxchange.mail.loginSource=mail" \

    I submitted a patch to configure this plugin automatically.

    The only problem lies with my Oxldapsync cronjob (this does not update for some reason and needs to be fixed):

    echo "*/5 * * * * root /opt/oxldapsync/sbin/oxldapsync.pl -c 1 -A admin \
    -P ${ADMIN_PASSWD}" > /etc/cron.d/oxldapsync

    When testing the open-xchange-authentication-ldap plugin, there appears to be syntax errors in the mapping.openldap.conf configuration file. The options (access-forum, access-pinboard-write, access-projects, access-rss-bookmarks, and access-rss-portal) cause the oxldapsync.pl Perl module to error out, even if they are set to "off". The only way to get Oxldapsync to run is commenting out these above mentioned options. The following patch resolves this problem:

    sed -i "s|displayName|cn|
    /access-forum/ s|^|#|
    /access-pinboard-write/ s|^|#|
    /access-projects/ s|^|#|
    /access-rss-bookmarks/ s|^|#|
    /access-rss-portal/ s|^|#|" /opt/oxldapsync/etc/mapping.openldap.conf

    I can only authenticate with Open-Xchange when testing Oxldapsync with "clear" plaintext passwords. Does Oxldapsync have any support for an encrypted password scheme (sha, crypt, blowfish, etc)?

    I ideally want Dovecot's dovecot-ldap.conf.ext configured for "sasl_bind = yes" and "sasl_mech = GSSAPI" to eliminate the need for plaintext passwords. My Dovecot configuration does not yet work with SASL and needs to be fixed.

    I tried to use the "useFullLoginInfo" attribute in /opt/open-xchange/etc/ldapauth.properties to allow virtual user access. I tried to use this attribute along with "uidAttribute=mail" and "bindOnly=false" to search the LDAP tree and authenticate based on the full email account, but all I get is the following error message:

    "The account "example.com" was not found. (CTX-0010)".

    When testing the open-xchange-authentication-kerberos plugin, I get the following results:

    Error message at login screen: "The user name or password is incorrect. (LGI-0006)".

    The open-xchange-console-log displays the following:

    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    [Krb5LoginModule] user entered username: testuser

    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc= UDP:88, timeout=30000, number of retries =3, #bytes=154
    >>> KDCCommunication: kdc= UDP:88, timeout=30000,Attempt =1, #bytes=154
    >>> KrbKdcReq send: #bytes read=667
    >>> KdcAccessibility: remove
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha 1EType
    >>> KrbAsRep cons in KrbAsReq.getReply testuser
    principal is testuser@EXAMPLE.CORP
    Commit Succeeded

    After configuring GOsa's password storage to not use Kerberos's "Pre-authentication required", this open-xchange-console-log appears to indicate the authentication was successful, but unfortunately Open-Xchange does not login successfully.

    Any help at patching these problems is appreciated.
    Last edited by Travis Bean; 01-13-2016 at 08:03 AM.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts