My first server. Problems and advice needed


markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Thu Jun 18, 2009 7:26 am

Okay I took a look in the file /tomcat/logs/scalix-caa.log and this info was at the end.

2009-06-18 12:24:37,265 ERROR [LDAPHelperUtils.findUser:374] javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2009-06-18 12:24:37,285 ERROR [LDAPHelperUtils.findUser:374] javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2009-06-18 12:24:37,285 INFO [RESService.authenticateUser:421] ERROR: Unable to find user = sxadmin
2009-06-18 12:25:10,239 INFO [RESMonitor.run:115] Server snotra.mirifice.com up 1 hrs, 15 mins, 58 secs
2009-06-18 12:25:18,101 INFO [NotificationEventListener$WorkerThread.run:51] Event Notification: heartbeat|http://snotra.mirifice.com/res/RESDispatcher|LISTEN|300|snotra|snotra.mirifice.com|11.4.4 from host:snotra.mirifice.com


It would suggest an LDAP issue. I have added the user sxadmin in the LDAP and Kerberos with the correct details but it does not seem to have helped.

If I disable the Kerberos authentication settings in the pam files then I can log in. Very weird. I thought it was supposed to fall back upon the local user when the Kerberos/LDAP one wasn't found. It certainly was before this morning. Odd.

Looking at other threads on this board I can see others have had the same problem but the suggested fixes to a) run the install program and re-enter the password for the Admin Console and b) 'unlock' the sxadmin and sxqueryadmin haven't helped me.

Any clues? I am keen to start sucking over mailboxes from our POSTFIX/IMAP system but can't get into the admin console to manage them. :-(

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Fri Jun 19, 2009 3:36 am

Okay...fresh day, fresh mind.

This morning I took another look at this problem. It seemed to me that the pam files must be at fault somehow, so I amended them and where the documentation suggests using only these two lines in the first Kerberos authentication:

auth sufficient om_krb5 use_first_pass
auth required pam_deny


I decided to use all three:

auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny


I was then able to log into the SAC as sxadmin, webmail, and my users can log into their webmail/imap sessions too.

I would appreciate a better understanding of what these lines do. Can someone help me there?

Marky

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Fri Jun 19, 2009 4:26 am

Auth sufficient means that if the module works, it's sufficient to authenticate the user. auth required means the module will fail if nothing else has succeeded.

om_krb5 authenticates against Kerberos, om_auth authenticates against the local password database. Authentication is done in sequence, so in your case the local password will take precedence over the Kerberos password. I suggest you have a look again at the example I posted on the previous page, and take the om_debug out of that.

Have a look here: http://www.snow.nl/dist/xhtmlc/ch10s04.html

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Fri Jun 19, 2009 4:34 am

But as the only local user is sxadmin, does it really matter if the local users take precedence over the IMAP/Kerberos ones?

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Fri Jun 19, 2009 4:36 am

Yes, it does :) If you set a local password it won't even check the Kerberos one. And with null_ok, it will accept blank passwords if none is specified.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Fri Jun 19, 2009 4:45 am

But if I remove the first line then I cannot log in with sxadmin anymore and omldapsync ceases to work. I am very confused now.
Could I move the first line below the second so that it checks Kerberos and if sxadmin cannot be found falls back to the local account?

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Fri Jun 19, 2009 5:06 am

Yes, you can. That is the Kerberos 2 scheme in the default ual.remote file.
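
Added example, not part of the original thread and not Scalix code: a simplified Python model of the three stack orderings discussed above, assuming the om_* modules follow standard PAM control-flag semantics. The module implementations, the accounts other than sxadmin, and all passwords are constructed for illustration.

```python
# Added illustration (not Scalix code): simplified model of a PAM-style "auth"
# stack. Module behaviour and every account/password below are constructed.
LOCAL_DB = {"sxadmin": "local-secret", "svc": ""}   # constructed local accounts
KERBEROS_DB = {"alice": "krb-secret"}               # constructed Kerberos principals

def om_auth(user, password, opts):
    """Assumed behaviour: local check; an empty stored password needs nullok."""
    if user not in LOCAL_DB:
        return False
    if LOCAL_DB[user] == "":
        return "nullok" in opts and password == ""
    return password == LOCAL_DB[user]

def om_krb5(user, password, opts):
    """Assumed behaviour: succeed only if the Kerberos password matches."""
    return KERBEROS_DB.get(user) == password   # use_first_pass is not modelled

MODULES = {"om_auth": om_auth, "om_krb5": om_krb5,
           "pam_deny": lambda user, password, opts: False}   # always fails

def parse(lines):
    """Turn 'auth <control> <module> [options]' lines into tuples."""
    stack = []
    for line in lines:
        _type, control, module, *opts = line.split()
        stack.append((control, module, opts))
    return stack

def authenticate(stack, user, password):
    """Return (granted, modules consulted) using standard PAM control flags."""
    consulted, required_failed, any_ok = [], False, False
    for control, module, opts in stack:
        ok = MODULES[module](user, password, opts)
        consulted.append(module)
        any_ok = any_ok or ok
        if control == "sufficient" and ok and not required_failed:
            return True, consulted        # a sufficient success ends the stack
        if control == "required" and not ok:
            required_failed = True        # remembered; later modules still run
    return any_ok and not required_failed, consulted

LOCAL = "auth sufficient om_auth nullok"
KRB = "auth sufficient om_krb5 use_first_pass"
DENY = "auth required pam_deny"
KRB_ONLY = parse([KRB, DENY])             # the two documented lines
LOCAL_FIRST = parse([LOCAL, KRB, DENY])   # local password checked first
KRB_FIRST = parse([KRB, LOCAL, DENY])     # Kerberos first, local as fallback

if __name__ == "__main__":
    for name, stack in (("krb only", KRB_ONLY), ("local first", LOCAL_FIRST), ("krb first", KRB_FIRST)):
        print(name, authenticate(stack, "sxadmin", "local-secret"), authenticate(stack, "svc", ""))
```

In this model a local account with an empty stored password is accepted with a blank password whenever om_auth carries nullok, wherever that line sits in the stack.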

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Sun Jun 21, 2009 10:41 am

Okay. All now seems fine.

I appreciate and thank you for all your helpful suggestions.

Server is now working; users and admin can log in. Now all I need to do is secure IMAP, POP and SMTP with SSL and we're away.

Thank you for your help!

Marky

