ldap authentication problem

Posted: Fri Mar 11, 2005 5:38 pm
by heupink
dear readers,

I'm having a BIG problem authenticating my users against an ldap directory. Basically: I always get the error "The username or password in incorrect", even though I KNOW that the password is in fact correct.

I've followed instructions from the Scalix technical note.

My authentication id is uid, and has been set for the users in sac. Below are my config files:

ual.remote:
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth
session required om_auth

and om_ldap.conf:
host=my ldap server dns name
search=subtree
base=dc=intech,dc=unu,dc=edu
filter=uid=%s

What could be wrong here? Any ideas? (dns resolution works, I've also tried ip address)

We would like to start using scalix on monday, so a fast reply would be VERY MUCH appreciated... :)

Posted: Sat Mar 12, 2005 6:19 am
by ScalixSupport
Are you using SSL on the LDAP side?

If not, it's worth adding the following line to ~scalix/sys/om_ldap.conf:

tls=off

Cheers

Dave

Posted: Sat Mar 12, 2005 6:35 am
by heupink
You just saved my day!!

This worked!

Thanks SO much!
(if I didn't get this working this weekend, we'd have to go back to ms exchange...)

Thanks again! (especially considering it's the weekend!)

Posted: Wed May 25, 2005 5:19 pm
by ink
Which PAM configuration is used by webmail? pop3?

Posted: Wed May 25, 2005 5:33 pm
by ink
Also, does Scalix accept a valid bind as authentication, or does it do some sort of string comparison in the LDAP directory? For example, our OpenLDAP directory has this as a userPassword entry:

userPassword:: e1NTSEF9NlRzRzlsR2dkQnJtN1BkckVjUU9CelBLZUc2YlJVV0c=

Which does not have the '{SSHA}' prefix, as described on page 5 of "OpenLDAP in a Scalix Environment" document. The OpenLDAP 'ldappasswd' program actually sets this password, not any program (or perl script) on our side. I have users binding correctly, according to the OpenLDAP log files, but I still get "The username or password in incorrect" in Scalix webmail. It's working fine with bind-style authentication via Apache, Courier, Exim, Coldfusion and PHP.
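
The double colon in an LDIF line such as `userPassword::` means the value that follows is base64-encoded (RFC 2849), so what ldapsearch prints is not the stored string itself. The Python below, added here as an illustration and not code from the thread or from Scalix or OpenLDAP, decodes the attribute line quoted in this post and shows the stored value begins with the `{SSHA}` scheme prefix; it also implements creation and constant-time verification of `{SSHA}` values (salted SHA-1, digest followed by salt, as OpenLDAP stores them). The test password and fixed salt in the block are constructed for the example.

```python
"""Decode an LDIF userPassword line and create/verify {SSHA} values.

Added example, not code from the forum thread, Scalix or OpenLDAP.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Attribute line exactly as quoted in the forum post (ldapsearch LDIF output).
LDIF_LINE = "userPassword:: e1NTSEF9NlRzRzlsR2dkQnJtN1BkckVjUU9CelBLZUc2YlJVV0c="

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes; whatever follows the digest is the salt


def parse_ldif_attr(line: str) -> Tuple[str, str]:
    """Split one LDIF attribute line into (name, value).

    '::' marks a base64-encoded value; a single ':' is a literal value.
    """
    name, sep, rest = line.partition("::")
    if sep:
        return name.strip(), base64.b64decode(rest.strip()).decode("latin-1")
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    return name.strip(), rest.strip()


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP slappasswd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value.

    This is the string-comparison style of authentication the post asks
    about; a bind-style check would instead hand the password to the
    directory and let it do this work.
    """
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    name, value = parse_ldif_attr(LDIF_LINE)
    print(name, "->", value)  # the decoded value starts with {SSHA}
    # Constructed example password and salt; not related to the post's hash.
    demo = make_ssha("constructed-example-pass", salt=b"\x01\x02\x03\x04")
    print(demo, verify_ssha("constructed-example-pass", demo))
```

Running the block prints the decoded attribute, which shows the scheme prefix that the raw base64 hides; `verify_ssha` is only meaningful if the application does its own comparison, which requires read access to `userPassword`, whereas a bind-only setup (`search=none` in om_ldap.conf) never needs that access.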

Posted: Tue May 31, 2005 5:14 pm
by ink
For those that may follow, here is the answer to the question: Scalix can use LDAP binds only (search = none), or an LDAP bind with a subtree search (search = subtree or one). You can use the Scalix authentication data to construct the bind DN, or you can explicitly name it. The reason it wasn't working for me is that I had

auth required om_auth nullok

At the top of my ual.remote file. It should look like this instead:

auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
password optional om_ldap
password optional om_auth
session required om_auth
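
Why a `required` line at the top breaks the stack follows from the PAM control flags: a failed `required` module is remembered and the stack keeps running, and a later `sufficient` success cannot override that remembered failure. The Python below, added here as an illustration and not Scalix's or Linux-PAM's code, is a small evaluator of those documented Linux-PAM semantics (required, requisite, sufficient, optional) run over the corrected ual.remote auth stack and over a reconstruction of the broken one (the post's `auth required om_auth nullok` line placed above the corrected stack; that reconstruction is an assumption). It assumes Scalix's ual.remote follows the same control-flag rules, which the post's explanation supports. The module outcomes (om_ldap accepts, om_auth rejects a user whose password lives only in LDAP) are constructed for the example.

```python
"""Evaluate PAM-style auth stacks from ual.remote under Linux-PAM control flags.

Added example, not Scalix or Linux-PAM code. Module outcomes are constructed.
"""
from typing import Dict, List, Tuple

# Corrected auth stack, as given in the post.
CORRECT_STACK = """
auth sufficient om_ldap
auth sufficient om_auth
auth required pam_deny
account required om_auth
"""

# Reconstruction (assumption) of the broken file: the post's extra line on top.
BROKEN_STACK = "auth required om_auth nullok\n" + CORRECT_STACK

Entry = Tuple[str, str, List[str]]  # (control, module, args)


def parse_stack(text: str, service_type: str = "auth") -> List[Entry]:
    """Keep the lines for one service type; args such as 'nullok' are preserved."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != service_type:
            continue
        entries.append((parts[1], parts[2], parts[3:]))
    return entries


def evaluate(stack: List[Entry], outcomes: Dict[str, bool]) -> bool:
    """Return True if the stack authenticates the user.

    required:   failure is remembered, later modules still run
    requisite:  failure ends the stack immediately with failure
    sufficient: success ends the stack with success unless a required module
                already failed; failure is ignored
    optional:   result ignored unless it is the only module in the stack
    Modules absent from `outcomes` (e.g. pam_deny) fail.
    """
    required_failed = False
    required_passed = False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        if control == "required":
            if ok:
                required_passed = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False
            required_passed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError("unknown control flag: %s" % control)
    return required_passed and not required_failed


def ldap_only_user_authenticates(stack_text: str) -> bool:
    """Constructed scenario: directory accepts the bind, local Scalix auth rejects."""
    outcomes = {"om_ldap": True, "om_auth": False}
    return evaluate(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    print("broken stack :", ldap_only_user_authenticates(BROKEN_STACK))   # False
    print("correct stack:", ldap_only_user_authenticates(CORRECT_STACK))  # True
```

In the broken stack `om_auth` fails first as `required`, so the later `om_ldap` success is recorded but cannot end the stack, and `pam_deny` seals the failure; in the corrected stack `om_ldap` succeeds as `sufficient` with no prior required failure and authentication returns immediately, while `pam_deny` still guarantees that a user rejected by both sources is denied.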