Web Access with Active Directory Authentication
Posted: Thu Nov 04, 2004 3:32 pm
by Pete
I have set up Active Directory integration and it appears to work for the Outlook connector. However, when I try to use the web client, the only way I can log in is using the internal Scalix password. Is this normal or am I missing something?
Thanks
Posted: Fri Nov 05, 2004 5:44 am
by ScalixSupport
Can you give some details as to how you set up your AD integration?
SWA uses our IMAP server which, in turn, uses the same connection to the Scalix server as our MAPI providers. The configuration file is the same so I would expect to see the same behaviour from both clients.
Cheers
Dave.
Web Access with Active Directory Authentication
Posted: Fri Nov 05, 2004 12:33 pm
by Pete
Sure:
Basically I just followed the directions in the Administrators guide.
My AD master server is us.us.domain.com. This is providing DNS services as well.
My Scalix server is mta.us.domain.com - RHAS 3
On the AD server I set up a scalix-ual user.
Generated the Kerberos validation export file:
    ktpass -princ scalix-ual/mta.us.domain.com@US.DOMAIN.COM -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3
Copy scalix-ual.keytab to the Scalix server.
Import the Kerberos keytab.
Modify /etc/krb5.conf:
    omkrbconf -r US.DOMAIN.COM -s us.us.domain.com
Configure the user to use Kerberos:
    ommodu -o "Peter Rifkin" --authid prifkin@US.DOMAIN.COM
I can now login using Outlook with no prompt for passwords, but when I use the web interface, I must use my Scalix password, not my AD password.
Does this help?
/P
Posted: Fri Nov 05, 2004 12:35 pm
by ScalixSupport
What you need to do is to edit /var/opt/scalix/sys/pam.d/ual.remote to allow Kerberos authentication.
There should be detailed instructions in the file.
Cheers
Dave.
Posted: Fri Nov 05, 2004 12:47 pm
by Pete
Thanks! That did it.
/P
POP3 Access/AD Authentication
Posted: Sun Nov 07, 2004 6:46 pm
by Pete
I've got the same issue for POP3 access (have not tried IMAP, yet....)
Any more secret files to edit :)
Thanks guys!
/P
Posted: Mon Nov 08, 2004 6:03 am
by ScalixSupport
IMAP and Outlook share the same configuration file (/var/opt/scalix/sys/pam.d/ual.remote). The POP3 server does not use UAL for communication so it has its own file (/var/opt/scalix/sys/pam.d/pop3).
Cheers
Dave.
POP3/AD
Posted: Mon Nov 08, 2004 12:42 pm
by Pete
OK - sorry, but PAM is not my strong suit - what should the file look like to enable AD password validation but first check the local password?
Thanks
/P
Posted: Mon Nov 08, 2004 12:49 pm
by ScalixSupport
Your file should contain:
auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny
Be careful here. If you get the password wrong for both Scalix and AD, you could lock yourself out of AD.
Cheers
Dave.
POP3/AD
Posted: Tue Nov 09, 2004 3:35 pm
by Pete
This does not appear to work. I cannot use the AD password, only the Scalix password. I restarted Scalix after applying the change to the pop3 file.
Thanks
Posted: Wed Nov 10, 2004 3:13 pm
by ScalixSupport
Hi,
Try modifying the pop3 file so that it appears as follows:
#auth required om_auth
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass
auth required pam_deny
Regards,
Scalix Support
Posted: Wed Nov 10, 2004 4:10 pm
by pete
OK, now I can use AD for authentication, but cannot use my local Scalix password...
/P
Posted: Wed Nov 10, 2004 4:53 pm
by ScalixSupport
As far as I know, you can only use one or the other (AD password or Scalix password). You could try uncommenting the #auth required om_auth line to see what happens.
Support
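
Added example, not part of the thread and not Scalix code: a small simulation of the standard PAM required/requisite/sufficient rules applied to the two pop3 stacks posted above, plus the "uncommented" variant. It assumes om_auth succeeds exactly when the Scalix password matches and om_krb5 exactly when the AD password matches; module options (nullok, use_first_pass) and the real modules' behaviour are not modelled.

```python
# Added example: evaluates only the "auth" lines of a PAM stack using the
# standard required/requisite/sufficient control-flag rules (optional is ignored).

STACK_EITHER = """\
auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny
"""

STACK_AD_ONLY = """\
#auth required om_auth
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass
auth required pam_deny
"""

def parse_auth(text):
    """Return [(control, module)] for active auth lines; skip comments and other types."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2]))
    return rules

def authenticate(text, scalix_ok, ad_ok):
    """Return (granted, modules_called). Module results are assumed inputs."""
    results = {"om_auth": scalix_ok, "om_krb5": ad_ok, "pam_deny": False}
    failed, succeeded, called = False, False, []
    for control, module in parse_auth(text):
        called.append(module)
        ok = results[module]
        if ok:
            if control == "sufficient" and not failed:
                return True, called          # stop: no earlier required module failed
            if control in ("required", "requisite"):
                succeeded = True
        elif control == "requisite":
            return False, called             # stop immediately on failure
        elif control == "required":
            failed = True                    # remember failure, keep running the stack
    return succeeded and not failed, called

if __name__ == "__main__":
    both = STACK_AD_ONLY.replace("#auth", "auth")   # the "uncomment" suggestion
    for name, stack in [("either", STACK_EITHER), ("ad-only", STACK_AD_ONLY), ("uncommented", both)]:
        for scalix_ok, ad_ok in [(True, False), (False, True), (False, False)]:
            print(name, scalix_ok, ad_ok, authenticate(stack, scalix_ok, ad_ok))
```

The list of modules called shows when a failed attempt reaches om_krb5, which is the case the AD lockout warning in the thread is about.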