Using an external LDAP server for authentication

Posted: Fri Feb 24, 2006 3:59 pm
by davewilson
Sorry to have to ask about this, but I've been over all the past posts, tech notes (including "External Authentication Using LDAP") and other material I can find, and am still stuck.

We are evaluating Scalix 10 as a possible replacement for our aging Exchange 5.5 server. We operate a company LDAP server, which we use for employee authentication on in-house applications, and are hoping to use this to authenticate employees for access to Scalix web-mail. We installed Scalix 10 on a Fedora Core 4 test box for evaluation.

The Fedora Core 4 server is using our company LDAP server for user authentication. That works fine.

We've been able to establish a test user account in Scalix, and change its authid to match its counterpart in our company LDAP server. We also followed the advice in file /var/opt/scalix/sys/pam.d/ual.remote, commenting out "auth required om_auth nullok" at the top, and uncommenting the lines under "LDAP authentication 1". Then we created file /var/opt/scalix/sys/om_ldap.conf, specifying host, search, base, and filter values appropriate to our company LDAP server.

Then we rebooted the system and tested. We can log in to Scalix webmail under the test account using the authid for it that we supplied, but only if we do not supply a password. This implies that the Scalix server is looking at the local registry (where no password is set), not our company server, for the password.

However, we've had to extrapolate quite a bit on the instructions we found in "External Authentication using LDAP", where:

- the path to the ual.remote and ual.local files is not specified (in fact, complete paths aren't specified for anything)
- the instructions regarding modifications don't match what we found in our deployed ual.remote and ual.local files, assuming we are looking in the right place
- it is implied that the sysadmin should be editing an existing om_ldap.conf file, but we couldn't find one and so just created one from scratch

Is there documentation on this topic that is a little more current, and/or more applicable to our situation? If not, how should we proceed?

We did, by the way, get LDAP integration to our company LDAP server to work just fine for a Zimbra server that's under evaluation in parallel (on another test box). They have a GUI in their admin tool for this function, so it's quite a bit simpler to do, but this does imply that the issue isn't with our company LDAP server.

Thanks - Dave W.

Posted: Fri Feb 24, 2006 4:48 pm
by AussieOwner
Hi Dave

Could you please supply copies of your ual.remote and om_ldap.conf files.

Thanks
Darrell Sturdivant

Sure - here they are

Posted: Fri Feb 24, 2006 5:03 pm
by davewilson
I don't see a file attach feature here, so I'll paste the contents in:

------ /var/opt/scalix/sys/pam.d/ual.remote -----------

# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth nullok

#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
# auth sufficient om_auth nullok
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny

# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes
# above. See om_ldap(8) for more information.
#
# LDAP authentication 1
auth sufficient om_auth nullok
auth sufficient om_ldap use_first_pass
auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


account required om_auth
password required om_auth nullok

-------------- end of ual.remote ------------

--- /var/opt/scalix/sys/om_ldap.conf ------

host = ldap.gsdl.com
search = subtree
base = ou=People,o=gsdl.com
filter = uid=%s

-------------- end of om_ldap.conf --------

- Dave W.

Posted: Fri Feb 24, 2006 7:01 pm
by AussieOwner
Dave..

I want to verify that the baseDN is correct. Can you please execute:

ldapsearch -xh ldap.gsdl.com -b "" -s base objectclass=* namingContexts

and paste the results in here. It should only be a couple of lines, less than 10.

Just to verify, what kind of LDAP server is ldap.gsdl.com? OpenLDAP?

Thanks
Darrell Sturdivant

That did it

Posted: Mon Feb 27, 2006 6:24 pm
by davewilson
Thanks, Darrell. You're right - the base DN value we'd put in Scalix' om_ldap.conf was one that worked with another product, but did not match the one reported by the ldapsearch command you specified (which came back with o=gsdl.com). We changed that, and the integration appears to be working now.

Your tip would make an excellent addition to page 5 of the "External Authentication Using LDAP" tech note.

Thanks again for your help!
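An added example, not code from Scalix or from either poster, that turns Darrell's namingContexts tip and Dave's om_ldap.conf into a repeatable check: it parses a conf in the format pasted above, tests whether the configured base DN lies under a suffix the server reports in its RootDSE, and builds the "filter = uid=%s" search filter with the username escaped per RFC 4515. The sample conf and the namingContexts list are constructed stand-ins for the thread's values; a real run would take the latter from the ldapsearch output.

```python
import re

# Constructed sample matching the om_ldap.conf pasted in the thread.
SAMPLE_CONF = """host = ldap.gsdl.com
search = subtree
base = ou=People,o=gsdl.com
filter = uid=%s
"""

# Constructed stand-in for the RootDSE namingContexts attribute
# (the thread's server reported o=gsdl.com).
SAMPLE_NAMING_CONTEXTS = ["o=gsdl.com"]

def parse_om_ldap_conf(text):
    """Return key/value pairs from 'key = value' lines; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def dn_components(dn):
    """Split a DN into normalized RDNs (lower-cased, spaces around '=' removed).
    Naive split on ','; DNs with escaped commas are out of scope here."""
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",") if p.strip()]

def check_base(base, naming_contexts):
    """Return the naming context that the base DN equals or sits below, else None.
    A base inside a suffix can still name a container that does not exist, so
    the reported naming context itself is the safest base for a first test."""
    base_parts = dn_components(base)
    for ctx in naming_contexts:
        ctx_parts = dn_components(ctx)
        if len(ctx_parts) <= len(base_parts) and base_parts[-len(ctx_parts):] == ctx_parts:
            return ctx
    return None

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(template, username):
    """Substitute the escaped username for %s so input cannot widen the search."""
    return template.replace("%s", escape_filter_value(username))
```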