Web Access with Active Directory Authentication

Pete

Web Access with Active Directory Authentication

Postby Pete » Thu Nov 04, 2004 3:32 pm

I have set up Active Directory integration and it appears to work for the Outlook connector. However, when I try to use the web client, the only way I can log in is using the internal Scalix password. Is this normal or am I missing something?

Thanks

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Fri Nov 05, 2004 5:44 am

Can you give some details as to how you set up your AD integration?

SWA uses our IMAP server which, in turn, uses the same connection to the Scalix server as our MAPI providers. The configuration file is the same so I would expect to see the same behaviour from both clients.

Cheers

Dave.

Pete

Web Access with Active Directory Authentication

Postby Pete » Fri Nov 05, 2004 12:33 pm

Sure:

Basically I just followed the directions in the Administrators guide.

My AD master server is us.us.domain.com. This is providing DNS services as well.
My Scalix server is mta.us.domain.com - RHAS 3

On the AD server I set up a scalix-ual user
Generated the Kerberos validation export file -
ktpass -princ scalix-ual/mta.us.domain.com@US.DOMAIN.COM -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3

copy scalix-ual.keytab to the Scalix server
import the Kerberos keytab
modify /etc/krb5.conf
omkrbconf -r US.DOMAIN.COM -s us.us.domain.com

configure user to use Kerberos
ommodu -o "Peter Rifkin" --authid prifkin@US.DOMAIN.COM

I can now log in using Outlook with no prompt for passwords, but when I use the web interface, I must use my Scalix password, not my AD password.

Does this help?

/P

ScalixSupport

Postby ScalixSupport » Fri Nov 05, 2004 12:35 pm

What you need to do is to edit /var/opt/scalix/sys/pam.d/ual.remote to allow Kerberos authentication.

There should be detailed instructions in the file.

Cheers

Dave.

Pete

Postby Pete » Fri Nov 05, 2004 12:47 pm

Thanks! That did it.

/P

Pete

POP3 Access/AD Authentication

Postby Pete » Sun Nov 07, 2004 6:46 pm

I've got the same issue for POP3 access (have not tried IMAP yet...).
Any more secret files to edit? :)

Thanks guys!

/P

ScalixSupport

Postby ScalixSupport » Mon Nov 08, 2004 6:03 am

IMAP and Outlook share the same configuration file (/var/opt/scalix/sys/pam.d/ual.remote). The POP3 server does not use UAL for communication, so it has its own file (/var/opt/scalix/sys/pam.d/pop3).

Cheers

Dave.

Pete

POP3/AD

Postby Pete » Mon Nov 08, 2004 12:42 pm

OK - sorry, but PAM is not my strong suit - what should the file look like to enable AD password validation but first check the local password?

Thanks

/P

ScalixSupport

Postby ScalixSupport » Mon Nov 08, 2004 12:49 pm

Your file should contain:

auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny

Be careful here. If you get the password wrong for both Scalix and AD, you could lock yourself out of AD.

Cheers

Dave.

Pete

POP3/AD

Postby Pete » Tue Nov 09, 2004 3:35 pm

This does not appear to work. I cannot use the AD password, only the Scalix password. I restarted Scalix after applying the change to the pop3 file.

Thanks

ScalixSupport

Postby ScalixSupport » Wed Nov 10, 2004 3:13 pm

Hi,

Try modifying the pop3 file so that it appears as follows:

#auth required om_auth
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass
auth required pam_deny

Regards,

Scalix Support

pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

Postby pete » Wed Nov 10, 2004 4:10 pm

OK, now I can use AD for authentication, but cannot use my local Scalix password...

/P

ScalixSupport

Postby ScalixSupport » Wed Nov 10, 2004 4:53 pm

As far as I know, you can only use one or the other (AD password or Scalix password). You could try uncommenting the #auth required om_auth line to see what happens.

Support
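
Added example (not part of the thread and not Scalix code): a small Python model of how stock Linux-PAM control flags evaluate the two pop3 auth stacks posted above, and how many failed attempts each login passes on to the Kerberos module, which is what the AD lockout warning is about. om_auth, om_krb5 and pam_deny are replaced by stubs and the passwords are constructed values, so it shows what the flags alone imply, not how the Scalix modules behaved for the posters.

```python
# Added example: models stock Linux-PAM control flags only (assumption).
# Module behaviour is stubbed; the two passwords are constructed sample values.
LOCAL_PW, AD_PW = "scalix-secret", "ad-secret"

STACK_BOTH = """\
auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny
"""
STACK_AD_ONLY = """\
#auth required om_auth
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass
auth required pam_deny
"""
STUBS = {"om_auth": lambda pw: pw == LOCAL_PW,   # stand-in for the local check
         "om_krb5": lambda pw: pw == AD_PW,      # stand-in for the KDC check
         "pam_deny": lambda pw: False}           # always fails

def parse_auth(text):
    """Return (control, module) for active 'auth' lines; comments are dropped."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(f[1], f[2]) for f in rows if len(f) >= 3 and f[0] == "auth"]

def authenticate(stack_text, password):
    """Evaluate the auth stack; return (accepted, failed_attempts_sent_to_kdc)."""
    required_failed = any_success = False
    kdc_failures = 0
    for control, module in parse_auth(stack_text):
        ok = STUBS[module](password)     # use_first_pass: same password reused
        if module == "om_krb5" and not ok:
            kdc_failures += 1            # counts toward the AD lockout threshold
        if control == "sufficient":
            if ok and not required_failed:
                return True, kdc_failures    # success ends the stack here
        elif ok:                         # required / requisite succeeded
            any_success = True
        else:                            # required / requisite failed
            required_failed = True
            if control == "requisite":
                break
    return any_success and not required_failed, kdc_failures

if __name__ == "__main__":
    for name, stack in (("both", STACK_BOTH), ("AD only", STACK_AD_ONLY)):
        for pw in (LOCAL_PW, AD_PW, "typo"):
            print(name, repr(pw), authenticate(stack, pw))
```

In this model a mistyped password reaches the Kerberos module under either file, and with the AD-only file a correct Scalix password does too, so every such login counts as a failed attempt against the AD account.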

