Scalix & AD Authentication


bpasdar
Posts: 19
Joined: Sat Sep 30, 2006 8:12 am

Post by bpasdar » Tue Feb 06, 2007 3:22 pm

Hello,

We have gotten beyond some of our initial issues and gotten Scalix to sync with AD. The users are imported from AD fine; however, when anyone tries to log in, authentication fails.

In the admin console it has the user authentication ID as: fLast@BIZ.COMPANY.COM.

I have tried all combinations in upper and lower case, including without the domain info, to no avail. Can anyone point me in the right direction to troubleshoot what is happening?

Thanks

Babak

Post by bpasdar » Tue Feb 06, 2007 6:07 pm

Here is what I get when I do an omshowu for a user that needs to be authenticated via AD. Is the user password supposed to be unset? A protocol analyzer shows that the Scalix system is querying the right context, but not getting a response from the AD server.

I would appreciate someone's response here. Scalix Forum admins -- I'm counting on you to :) I want to get rid of Exchange badly!!!


omshowu -n "john doe"
Authentication ID: jdoe@BIZ.EXAMPLE.COM
Globally Unique ID: cVIuJPCrl0mi+2QYTvWQNg==
User Name : John Doe /CN=John Doe
MailNode : example-1
Internet Address : "John Doe" <jdoe@example.com>
System Login : 60536
Password : unset
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : C
Mail Account: Unlocked
Last Signon : Never.
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
Recovery Folder visible : NO
User Class : Full
SIS URL : sxidx://example-1.example.com/0f1000004 ... 01.01.0.01

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Post by Valerion » Wed Feb 07, 2007 8:36 am

First a question - you did follow the instructions in the administration guide on Kerberos integration (it's a few chapters before the AD integration section)? Did any errors occur when you configured it for Single Sign-on?

You need to specify the realm name in UPPERCASE after the @ sign. The AD Kerberos realm should match the domain name.

Post by bpasdar » Wed Feb 07, 2007 10:23 am

Actually, no. I am not looking to get single sign-on working; I just want to get the Scalix system to query the AD system for the password. Am I obligated to use single sign-on / Kerberos?

As an update, I used a protocol analyzer and saw that we get a TLS request from Scalix. Though I want to set it up, I realized that in the om_ldap.conf file I had:

tls=no


rather than:

tls=off


However, when I tried to log on again, it seems that Scalix did not send an LDAP bind request. At least that is my assumption based on the error message response from AD.

The documentation points to chapter 20 of the user's guide for troubleshooting; however, I did not see any such chapter.

Babak

Post by Valerion » Wed Feb 07, 2007 10:55 am

As far as I know, AD uses LDAP for the data storage and Kerberos for the password authentication, so even if you query the LDAP server it may not give you the correct password to use. I would strongly suggest going the SSO route for this.

Alternatively you can try the pam_smb module, or a similar PAM module that can authenticate against an AD. You can then integrate that into Scalix.

