Scalix Forums

Hello!

So I'm trying to setup Scalix Community to connect to our external LDAP server and running into problems. I only have one scalix user to test with (me) and I'm in the external ldap and my authid in scalix matches my UID in the external ldap. I can query the external ldap from the command line using ldapsearch and can find me no problem.

I modified /var/opt/scalix/sys/pam.d/ual.remote and ual.local to:
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth nullok
session required om_auth

I've created a /var/opt/scalix/sys/om_ldap.conf with:
host=ldap.wildbrain.com
search=subtree
base=ou=people,dc=wildbrain,dc=com
filter=uid=%s

I've restarted scalix. I don't see any errors in either my tomcat logs or my scalix fatal logs. but when I try to login with my username and password, I get "unknown username". :(

Is there some step I've missed? Is there anything i can do to help me debug where the problem lies?

Thanks in advance for any help you can give!

You should also add

tls=off

to om_ldap.conf and try again.

Cheers

Dave

That seemed like it could've been it too!

I added it to the om_ldap.conf file, I restarted scalix, and tried again. I still get the "The username or password is incorrect. Note that passwords are case sensitive. Try again." error.

The only thing in the log I see is in the tomcat/logs/scalix-swa_log.2005-09-23.txt:


:(

Ethereal is your friend. Now TLS is turned off, ethereal will be able to show you what's going on. Run it on the scalix server machine so you can see the LDAP conversation and not have switches and whatnot hiding the packets from you.

Dave's advice is good. There appears to be a bug in OpenLDAP in that if TLS can't be negotiated, the connection falls apart.

Oh, and you don't need to restart anything if you change the ldap.conf or pam.d configuration files -- they're read afresh by a newly created process when you start authentication.

jch

The other thing to check is that you have updated all the correct pam.d files.

For client and SAC authentication, there are 4 files which you need to ensure are the same (we're working on making this a single point of administration in a future version).

pam.d/ual.remote is required for IMAP and Outlook logins.
pam.d/pop3 is, obviously, for POP3 clients
pam.d/smtpd.auth is for SMTP authentication through the SMTP Relay
pam.d/omslapdeng is for LDAP authenticated binds.

Because SAC uses LDAP to retrieve information you could test, at a minimum, pam.d/omslapdeng.

Cheers

Dave

You gave this as your PAM configuration:



I believe there is an error here.

You have two lines reading "required" and one additional optional one; when specifying required in a PAM stack, all required lines will have to work. As one of your required lines has pam_deny, this will *never* work.

If you want users to be able to sign on through either their Scalix or their LDAP password (even users that exist on both sides) you should be using



If you want only user's unknown to LDAP to be able to authenticate against Scalix, you should be using

[code]auth required om_ldap user_unknown=ignore
auth required om_auth use_first_pass

I believe some examples of this are documented in our ual.remote PAM config file.

BTW, for the time being we do not support password changes for external authentication systems through Scalix. This will, however, be changed in one of our next releases.

Hope this helps,
Florian.

Doh! If I'd read the original post properly...

The om_ldap(8) and om_krb5(8) man pages describe the various ways that you can use those two modules. Pretty much the same description can be found in the larger pam.d files as well. My personal preference is for what is described as scheme 2 in the config files:

As Florian says, LDAP password changing isn't supported at the moment, but, with luck, it might work soon.

It was that pesky pam deny line!

I didn't originally have it.. I had copied and pasted my original pam lines from PDF documentation.. but I think then the tls problem was hitting me.. so I had tried various things.. and then when I fixed the tls, I still wasn't being let in because of the pam_deny.. I was mixing the two schemas.


Thanks so much. You guys rock!!

JCH,

as you're the one working on getting external password changes to work, I have NO doubt whatsoever that it's going to happen soon! No hope needed here! :-)

Florian

LDAP and Kerberos password changing work just fine for me now. The rest of you, including Florian, will have to wait :-)

jch