ldap authentication problem


Post by heupink » Fri Mar 11, 2005 5:38 pm

Dear readers,

I'm having a BIG problem authenticating my users against an ldap directory. Basically: I always get the error "The username or password in incorrect", even though I KNOW that the password is in fact correct.

I've followed instructions from the Scalix technical note.

My authentication id is uid, and has been set for the users in sac. Below my config files:

ual.remote:
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
session required om_auth

and om_ldap.conf:
host=my ldap server dns name
search=subtree
base=dc=intech,dc=unu,dc=edu
filter=uid=%s

What could be wrong here? Any ideas? (dns resolution works, I've also tried ip address)

We would like to start using scalix on monday, so a fast reply would be VERY MUCH appreciated... :)


Post by ScalixSupport » Sat Mar 12, 2005 6:19 am

Are you using SSL on the LDAP side?

If not, it's worth adding the following line to ~scalix/sys/om_ldap.conf:

Code:

tls=off


Cheers

Dave


Post by heupink » Sat Mar 12, 2005 6:35 am

You just saved my day!!

This worked!

Thanks SO much!
(if I didn't get this working this weekend, we'd have to go back to ms exchange...)

Thanks again! (specially considering it's weekend!)


Post by ink » Wed May 25, 2005 5:19 pm

Which PAM configuration is used by webmail? pop3?


Post by ink » Wed May 25, 2005 5:33 pm

Also, does Scalix accept a valid bind as authentication, or does it do some sort of string comparison in the LDAP directory? For example, our OpenLDAP directory has this as a userPassword entry:

userPassword:: e1NTSEF9NlRzRzlsR2dkQnJtN1BkckVjUU9CelBLZUc2YlJVV0c=

Which does not have the '{SSHA}' prefix, as described on page 5 of "OpenLDAP in a Scalix Environment" document. The OpenLDAP 'ldappasswd' program actually sets this password, not any program (or perl script) on our side. I have users binding correctly, according to the OpenLDAP log files, but I still get "The username or password in incorrect" in Scalix webmail. It's working fine with bind-style authentication via Apache, Courier, Exim, Coldfusion and PHP.
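
An added example, not part of the original posts: in LDIF output a double colon after the attribute name marks a base64-encoded value (RFC 2849), so the storage scheme of a `userPassword::` line is only visible after decoding. The Python sketch below decodes the line quoted above, reports its scheme, and shows how a salted SHA-1 (`{SSHA}`) value is checked; the function names are illustrative and are not Scalix or OpenLDAP APIs.

```python
import base64
import hashlib
import hmac

# userPassword line exactly as quoted in the post above (LDIF output).
QUOTED_LINE = "userPassword:: e1NTSEF9NlRzRzlsR2dkQnJtN1BkckVjUU9CelBLZUc2YlJVV0c="


def ldif_value(line):
    """Return (attribute, raw bytes) for one LDIF line; '::' means base64 (RFC 2849)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip(), validate=True)
    return attr, rest.strip().encode("utf-8")


def split_scheme(stored):
    """Split b'{SCHEME}payload' into ('SCHEME', payload); scheme is None for cleartext."""
    if stored.startswith(b"{") and b"}" in stored:
        scheme, _, payload = stored[1:].partition(b"}")
        return scheme.decode("ascii").upper(), payload
    return None, stored


def ssha_parts(payload):
    """An SSHA payload is base64(20-byte SHA-1 digest + salt); return (digest, salt)."""
    raw = base64.b64decode(payload, validate=True)
    if len(raw) <= 20:
        raise ValueError("SSHA payload too short to contain a salt")
    return raw[:20], raw[20:]


def ssha_verify(password, stored):
    """Check a candidate password against a decoded '{SSHA}...' value."""
    scheme, payload = split_scheme(stored)
    if scheme != "SSHA":
        return False
    digest, salt = ssha_parts(payload)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    attr, stored = ldif_value(QUOTED_LINE)
    scheme, payload = split_scheme(stored)
    print(attr, scheme, len(ssha_parts(payload)[1]), "byte salt")
```

A server that authenticates by bind never needs this comparison itself; the check matters only when an application reads `userPassword` and compares it directly.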


Post by ink » Tue May 31, 2005 5:14 pm

For those that may follow, here is the answer to the question: Scalix can use LDAP binds-only (search = none), or an LDAP bind with a subtree search (search = subtree or one). You can use the Scalix authentication data to construct the bind DN, or you can explicitly name it. The reason it wasn't working for me is because I had

Code:

auth     required om_auth nullok

At the top of my ual.remote file. It should look like this instead:

Code:

auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password optional om_auth
session required om_auth

