radius authentication with otp token


graewe

radius authentication with otp token

Postby graewe » Fri Aug 18, 2006 8:12 am

Hi,
I've implemented RADIUS and one-time password authentication with an Aladdin token on our Linux boxes.
Now I want to use it for webmail. I configured ual.remote in the way documented in "Scalix Pluggable Authentication Modules":

# ual.remote
auth sufficient pam_if -- pam_radius_auth conf=/etc/raddb/server client_id=scalix

I don't know why, but it is not working.
I could not see any requests in the log of my RADIUS server, and I don't see anything locally in /var/log/messages or omshowlog.

Then I tried Florian's tip http://www.scalix.com/community/viewtop ... ght=radius

auth required om_om2authid
auth sufficient /lib/security/pam_radius_auth.so conf=/etc/raddb/server client_id=scalix


Now I can see the authentication, but it is coming twice from webmail, and with a one-time password this will not work because the password is no longer valid.

Error from webmail:
methodName=getFolderTree

Are there additional configurations or actions required, or is it a bug?

OS is SuSE SLES 9.

guido

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Fri Aug 18, 2006 8:46 am

I know SWA opens up multiple connections to the server, so it can speed up access. If it needs to authenticate for every connection (very likely) this would explain what you are seeing.

Just monitored a client login and I got 2 logins with datestamps 1155899676 and 1155899677 (1s apart) and a third at 1155899683 (5s later). The third connection kept on dropping and re-opening for a while, and all the open connections closed when the browser was closed.

I am not sure if OTPs will work in this scenario at all, unless there's a way to restrict SWA to only use a single connection. I can't see anything relevant in the config file, and I doubt this is user-changeable at this point.

florian
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany
Contact:

Postby florian » Fri Aug 18, 2006 5:09 pm

Unfortunately I believe that's exactly what you see here. The SWA server needs to cache user credentials so that it is able to open multiple IMAP connections.

We are thinking about changing the authentication mechanism in a future release to address this, but I believe at this point there is no solid workaround for OTP mechanisms.

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!
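The failure mode described in this thread, as an added illustration that is not part of the original posts and not Scalix or pam_radius_auth code: a RFC 4226 HOTP validator that consumes each counter value exactly once stands in for the RADIUS/OTP backend, `swa_login` models a webmail front end that caches the user's password and re-authenticates it once per IMAP connection, and `session_login` shows the alternative design Florian alludes to (validate the OTP once, then let the extra connections ride on a server-issued session ticket). The secret, class and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpValidator:
    """Stand-in for the RADIUS/OTP backend: a counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.look_ahead = look_ahead

    def check(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume it: this and earlier values are now dead
                return True
        return False


def swa_login(validator: OtpValidator, cached_password: str, connections: int) -> list:
    """Models the behaviour described in the thread: the front end caches the password
    the user typed and replays it once for every IMAP connection it opens.
    Only the first replay can succeed when the password is an OTP."""
    return [validator.check(cached_password) for _ in range(connections)]


def session_login(validator: OtpValidator, otp_code: str, connections: int) -> list:
    """Alternative design: authenticate the OTP exactly once, then authorise the
    additional connections with a random server-side session ticket instead of
    re-presenting the user's credential."""
    if not validator.check(otp_code):
        return []
    ticket = secrets.token_hex(16)
    live_sessions = {ticket}       # would be a server-side session store in practice
    return [ticket in live_sessions for _ in range(connections)]


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test vector secret, so counter 0 yields 755224).
    demo_secret = b"12345678901234567890"
    code = hotp(demo_secret, 0)
    print("cached-password replay across 3 connections:", swa_login(OtpValidator(demo_secret), code, 3))
    print("one OTP check plus session ticket:        ", session_login(OtpValidator(demo_secret), code, 3))
```

Running it prints `[True, False, False]` for the replay model, which is exactly the "second login fails" symptom in the thread, and `[True, True, True]` for the ticket-based model. The look-ahead window exists only to tolerate a token whose counter has drifted ahead of the server; it never re-admits an already consumed counter.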

