
Authenticating using an external OpenLDAP server

Posted: Thu Apr 19, 2007 11:23 am
by pwfoster
I found the following in the docs:

http://www.scalix.com/wiki/index.php?ti ... management

and

Page 94 of the Scalix Server Setup and Configuration Guide, where the chapter entitled "Integrating with an LDAP Directory" starts.

The two sets of docs are somewhat inconsistent in the configuration presented, so I went with the latest date. When that didn't work, I tried to see where the two agreed and then tried variations. So far, I have not been able to get authentication of any kind.

An example of the inconsistency is the absence of any mention of the pamcheck file in the newer docs...is this no longer required? Is the default okay? Since the file did not seem to exist in my 11.0.3 installation, I am guessing the former, but I don't know.

Of more concern is that when I roll out the LDAP-authentication-based configuration, my understanding is that it's supposed to fail over to the native Scalix auth scheme. I am getting no auth at all, getting "Bad user and/or password" errors when I try to log in to the webmail client, and similar errors in Outlook 2003.

The log shows repeated messages like this:

ERROR LDAP Daemon (LDAP Engine ) 04.11.07 18:06:21
ERROR LDAP Daemon (LDAP Engine ) 04.11.07 18:06:21
ERROR LDAP Daemon (LDAP Engine ) 04.11.07 18:06:31
ERROR LDAP Daemon (LDAP Engine ) 04.11.07 18:06:31
ERROR LDAP Daemon (LDAP Engine ) 04.11.07 18:06:43
ERROR LDAP Daemon (LDAP Engine ) 04.13.07 06:11:03
ERROR LDAP Daemon (LDAP Engine ) 04.13.07 06:11:03
ERROR LDAP Daemon (LDAP Engine ) 04.13.07 06:11:03
ERROR LDAP Daemon (LDAP Engine ) 04.13.07 06:11:03


which seem to be related, but I am not skilled in parsing exactly what the log is trying to tell me.

Any pointers to a definitive document or example would be greatly appreciated.

Solved by making sure the authid in Scalix=LDAP uid

Posted: Thu Apr 19, 2007 7:07 pm
by pwfoster
After some more testing, I tumbled to the fact that the authid in Scalix did not correspond to the uid being reported by the LDAP server. I made the two of them agree, and I began to get good authentication from the LDAP server.

I am still uncertain as to why there was no fall back to Scalix authentication as advertised in the documentation (see pp 60-61 in the Setup and Configuration Guide), but that's a different problem.

Not quite solved

Posted: Fri Apr 20, 2007 7:08 am
by pwfoster
Okay. I found a tech note that mentions the authid issue (see http://portal.knowledgebase.net/display ... =0.2343561)

Armed with all of this new knowledge, I approached my production server with some confidence (all of this was done on a small test network). I applied the same changes that worked in the test environment. Now, when I try to log in to the web interface, I get the message "The time-limited..... etc." that others have received, or I get "Bad user/password... etc." on some users. I switch back to the original configuration, and the problem goes away.

What am I missing?

Still having auth problems on production server

Posted: Fri Apr 20, 2007 6:13 pm
by pwfoster
When I make the change to ual.remote to this content:

auth suffcient om_ldap
auth suffcient om_auth
auth required pam_deny
account required om_auth
password required om_auth
session required om_auth


Outlook fails with an error saying "User mail account is locked -- signon refused".

smtpd.auth contains the same lines, and user logins to SWA fail with the notice that "this time-limited product has expired...".

I noticed something about the latter error in the Version 11 FAQ. I therefore restarted scalix-tomcat, which had no discernible effect.

So, there's something not quite right about my production server or the LDAP (which authenticates Linux logons, Wildfire logons, and TWiki access just fine).

Omshowlog doesn't seem to really show me much, but I am getting this error:

ERROR Remote Client (U/I Access ) 04.20.07 18:07:51
[OM 29260] PAM pam_parse: expecting return value; [...suffcient]
User Name: User Name / server/CN=User Name

which I am finding not much information about.....

Any thoughts would be appreciated.

pwf

sxpamauth works....

Posted: Fri Apr 20, 2007 6:56 pm
by pwfoster
Here's some more information:

sxpamauth seems to work.

Here's a sample dialog:

sxpamauth -vvvv username
pam_start_om("pamcheck", "username")
pam_authenticate()
LDAP Password:
pam_acct_mgmt()

Authenticated


So, if this works, what has been overlooked?

Posted: Mon Apr 23, 2007 10:09 pm
by grahamk
Looks like you've achieved most of it already. If the only issue is that it's saying the account is locked, without insulting you, could the accounts actually be locked? I had the same issue when I was trying to get OpenLDAP working, and it wasn't. Basically, even if the reason is that the auth layer is broken, Scalix still counts unsuccessful logon attempts and locks the account after 3 (default) attempts.

Try running

omshowu username |grep "Mail Account:"

It will either say

Mail Account: Unlocked

or

Mail Account: Locked


To Unlock an account from the CLI, run:

ommodu username -k

To Lock an account from the CLI, run:

ommodu username -K


I realise this is quite an obvious thing to point out, but it's somewhere to start. I'll watch this topic now, and help as much as I can.

Regards

Graham

Good thought, and I checked......

Posted: Thu Apr 26, 2007 2:04 pm
by pwfoster
Thank you for the suggestion. I followed your suggestion, and the accounts that I am testing were showing as "Unlocked". The question that springs to mind is: if the accounts were locked under one regime, do they unlock under a different regime? That is, I test the account, get no authentication, then switch back to the original ual.remote, pop3, smtpd.auth, etc. files. Then I can log in again. Any thoughts you might have would be gratefully received.

OpenLDAP server log output

Posted: Fri Apr 27, 2007 2:37 pm
by pwfoster
When I attempt to login using the webmail client I see the following in the slapd.log file (note: the output has been anonymized):

Apr 27 14:21:52 localldap slapd[5448]: conn=12 fd=10 ACCEPT from IP=192.168.200.13:38184 (IP=0.0.0.0:389)
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SRCH base="dc=makotolife,dc=com" scope=2 deref=0 filter="(uid=username)"
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SRCH attr=1.1
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=1 BIND dn="uid=username,ou=People,dc=localdomain,dc=com" method=128
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=1 RESULT tag=97 err=49 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=2 UNBIND
Apr 27 14:21:52 localldap slapd[5448]: conn=12 fd=10 closed
Apr 27 14:21:52 localldap slapd[5448]: conn=13 fd=10 ACCEPT from IP=192.168.200.13:38185 (IP=0.0.0.0:389)
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=0 BIND dn="" method=128
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=1 SRCH base="dc=localdomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=60536))"
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=13 fd=10 closed

From this it appears that the OpenLDAP server is returning an appropriate value.
Maybe something on the Scalix side? Where would I look to be sure? omshowlog doesn't seem to be much help.
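
An added example (not code from the thread or from Scalix): a small Python parser for slapd stats-log lines of the shape quoted above, joining each request to its result by conn/op. The input is a constructed sample with the post's anonymized values replaced by example ones. It makes the diagnostic reading explicit: the bind for the user's DN ends with "RESULT tag=97 err=49", and 49 is the LDAP resultCode invalidCredentials (RFC 4511), so the bind reached the server and the password for that DN was rejected; the anonymous bind (dn="") and the posixAccount search on the next connection are the client's directory lookup, not the password check. The per-IP count of failed binds is the same figure a detection rule would keep to spot password guessing against the directory.

```python
import re
from collections import Counter

# Constructed sample in the shape of the slapd "stats" log quoted in the post;
# hostnames, DNs and addresses are example values, not the poster's.
SAMPLE_SLAPD_LOG = """\
Apr 27 14:21:52 localldap slapd[5448]: conn=12 fd=10 ACCEPT from IP=192.168.200.13:38184 (IP=0.0.0.0:389)
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=username)"
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SRCH attr=1.1
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=1 BIND dn="uid=username,ou=People,dc=example,dc=com" method=128
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=1 RESULT tag=97 err=49 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=12 op=2 UNBIND
Apr 27 14:21:52 localldap slapd[5448]: conn=12 fd=10 closed
Apr 27 14:21:52 localldap slapd[5448]: conn=13 fd=10 ACCEPT from IP=192.168.200.13:38185 (IP=0.0.0.0:389)
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=0 BIND dn="" method=128
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=60536))"
Apr 27 14:21:52 localldap slapd[5448]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 27 14:21:52 localldap slapd[5448]: conn=13 fd=10 closed
"""

# LDAP resultCode values (RFC 4511) that matter when reading bind results.
RESULT_CODES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+)')   # method 128 = simple bind
BIND_RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")    # tag 97 = bindResponse
SRCH_RE = re.compile(r'op=(\d+) SRCH base="[^"]*" .*filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")


def parse_slapd_log(text):
    """Join request and result lines by (conn, op); return (binds, searches) records."""
    client_ip, pending_bind, pending_srch = {}, {}, {}
    binds, searches = [], []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.groups()
        a = ACCEPT_RE.search(rest)
        if a:
            client_ip[conn] = a.group(1)      # remember who opened this connection
            continue
        b = BIND_RE.search(rest)
        if b:
            pending_bind[(conn, b.group(1))] = (b.group(2), int(b.group(3)))
            continue
        r = BIND_RESULT_RE.search(rest)
        if r and (conn, r.group(1)) in pending_bind:
            dn, method = pending_bind.pop((conn, r.group(1)))
            err = int(r.group(2))
            binds.append({"conn": conn, "ip": client_ip.get(conn), "dn": dn,
                          "anonymous": dn == "", "simple": method == 128,
                          "err": err, "status": RESULT_CODES.get(err, "code %d" % err)})
            continue
        s = SRCH_RE.search(rest)
        if s:
            pending_srch[(conn, s.group(1))] = s.group(2)
            continue
        sr = SRCH_RESULT_RE.search(rest)
        if sr and (conn, sr.group(1)) in pending_srch:
            searches.append({"conn": conn, "filter": pending_srch.pop((conn, sr.group(1))),
                             "err": int(sr.group(2)), "nentries": int(sr.group(3))})
    return binds, searches


def failed_binds_by_ip(binds):
    """Count non-anonymous binds that returned invalidCredentials, per client address."""
    return Counter(b["ip"] for b in binds if b["err"] == 49 and not b["anonymous"])


if __name__ == "__main__":
    binds, searches = parse_slapd_log(SAMPLE_SLAPD_LOG)
    for b in binds:
        print("conn=%s bind dn=%r -> %s" % (b["conn"], b["dn"], b["status"]))
    for s in searches:
        print("conn=%s search %s -> %d entries" % (s["conn"], s["filter"], s["nentries"]))
    print("failed binds by client:", dict(failed_binds_by_ip(binds)))
```

Run it against a real slapd log (loglevel stats) by reading the file instead of the embedded sample; a user DN that never appears in a BIND line at all means the client never attempted the password check, which is a different failure from err=49.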

Posted: Sun Apr 29, 2007 11:49 am
by grahamk
I'm sorry, but I have no idea...

Hopefully someone else with more Scalix experience will be able to help :-/

Spelling error discovered....

Posted: Mon Apr 30, 2007 1:00 pm
by pwfoster
You would think after all this time, I would know that it's the simple things that trip you up. After I looked more closely at the LDAP output, it occurred to me that the missing step was the authentication request. I went back to the configuration files, and to my enduring embarrassment, I found that I had used "suffcient" for "sufficient" (note the missing "i"). And, since I had cut and pasted the same lines everywhere, that mistake was propagated everywhere. So, the problem is now solved. Thanks so much for simply taking the time to suggest things. Simply having to go over things "one more time" proved to be invaluable and without your questions to make me question, that would not have happened.

Posted: Mon Jul 09, 2007 9:52 am
by potatoinmiri
Hi pwfoster,


Just wondering which article among the two you followed that led to the successful configuration? I also realised the two articles were inconsistent; anyway, I tried both and had no luck getting it to work. I will try again.
Did you follow the one with pamcheck or the one without?

thanks friend,

Posted: Mon Jul 16, 2007 10:45 pm
by potatoinmiri
Hi,

Finally got openldap password management working. I followed the instruction exactly same from http://www.scalix.com/wiki/index.php?ti ... management

Thanks for the helpful instruction provided.
I think, if I am not mistaken, I entered the wrong bindpw password in /etc/ldap.conf.

thanks

Posted: Tue Jul 17, 2007 4:23 am
by ioitest
I too still can't make Scalix authenticate to OpenLDAP. I followed everything in the Scalix OpenLDAP wiki exactly. sxpamauth failed with the message "pam_authenticate: Authentication failure". The uid and authid are the same. Most configurations are copy-pasted from the wiki.

I have enabled the OpenLDAP log. Logging in to Scalix webmail shows nothing in slapd.log... And yet it can still log in.

Any idea how to proceed from here? What log files should I check? (There are so many log files...)

I am using the FC5 Scalix 11.04 distro, by the way...

Posted: Tue Jul 17, 2007 6:01 am
by potatoinmiri
Hi,

What error did you get when you used sxpamauth to test authentication from the command line?
At my site here, when I try sxpamauth it first authenticates me with the Scalix password; if I get the Scalix password right, the authentication succeeds. If I get it wrong, then comes the LDAP password request. See below:

# sxpamauth -vvv kttho
pam_start_om("pamcheck", "kttho")
pam_authenticate()
om_auth: authenticate:
nullok: no
recordbad: no
Scalix password:
om_auth: save non-empty password in PAM_AUTHTOK
om_auth: Authentication failure
LDAP Password:
pam_acct_mgmt()
om_auth: acct_mgmt
max_age=-1
exclude=<default>
nocheck=<default>
expiry

Authenticated


Following are the contents of my configuration; check whether you have any differences:
On the scalix server:
1) /etc/ldap.conf
host yourldapserver.scalix.com (this is the host name of your ldap server)
base dc=scalix,dc=com (the base of your ldap, must match your slapd.conf at your ldap server)
ldap_version 3
binddn cn=manager,dc=scalix,dc=com (must match your ldap server slapd.conf too)
bindpw password (must match your ldap server too)
# ssl start_tls
# ssl on

2) ual.remote
auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

3) pamcheck (same as above)
auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

4) smtpd.auth
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

5) pop3
auth required om_auth
account required om_auth
password required om_auth
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

6) omslapdeng

auth required om_auth nullok (note: this line was there by default)
account required om_auth
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

7) om_ldap.conf
host=yourldapserver.scalix.com
search=subtree
base=ou=people,dc=scalix,dc=com
filter=uid=%s
tls=off

I am not an expert; actually, I am not entirely sure what all these things mean, but I got it to work with this configuration. If you still can't get it, try uninstalling and doing it step by step as instructed in the wiki. I did that after I messed everything up.

I read in one of the threads that one guy couldn't get it to work because he accidentally typed "account suficient" rather than "account sufficient". Check whether you have such a careless mistake too.

Hope to hear good news from you, good luck!
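
An added example, not from the thread or from Scalix: a small Python linter for the three-column PAM stack files the thread configures (ual.remote, pamcheck, smtpd.auth, pop3, omslapdeng). It checks the type and control columns against the keywords Linux-PAM accepts and suggests the nearest valid one, which catches both the "suffcient" that pwfoster found after a week of testing and the "account suficient" mentioned just above; a PAM parser that meets such a word rejects the line, which is what the "pam_parse: expecting return value; [...suffcient]" message in omshowlog was saying. The sample input is the ual.remote posted earlier in the thread; the Scalix module names (om_auth, om_ldap, om_om2authid) are not validated here, and the bracketed [value=action] control form is accepted only syntactically.

```python
import re

# Keywords Linux-PAM accepts in the first two columns of a stack file.
# Scalix's ual.remote, pamcheck, smtpd.auth, pop3 and omslapdeng use the same
# "type control module [args]" layout.
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# Constructed sample: the ual.remote posted earlier in the thread, typo included.
SAMPLE_UAL_REMOTE = """\
auth suffcient om_ldap
auth suffcient om_auth
auth required pam_deny
account required om_auth
password required om_auth
session required om_auth
"""


def edit_distance(a, b):
    """Levenshtein distance, used only to suggest the keyword probably intended."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggest(word, candidates=PAM_CONTROLS, max_distance=2):
    """Nearest valid keyword, or None if nothing is within max_distance edits."""
    best = min(candidates, key=lambda c: edit_distance(word, c))
    return best if edit_distance(word, best) <= max_distance else None


def lint_pam_stack(text):
    """Return (line_number, message) pairs for every malformed line in a PAM stack."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            issues.append((lineno, "expected 'type control module [args]', got %r" % raw.strip()))
            continue
        ptype, control = fields[0], fields[1]
        if ptype not in PAM_TYPES:
            hint = suggest(ptype, PAM_TYPES)
            issues.append((lineno, "unknown type %r" % ptype
                                   + (", did you mean %r?" % hint if hint else "")))
        if control.startswith("["):
            # Bracketed form: [value1=action1 value2=action2 ...] followed by the module.
            end = line.find("]")
            if end == -1 or not line[end + 1:].split():
                issues.append((lineno, "bracketed control is unterminated or has no module"))
            continue
        if control not in PAM_CONTROLS:
            hint = suggest(control)
            issues.append((lineno, "unknown control %r" % control
                                   + (", did you mean %r?" % hint if hint else "")))
    return issues


if __name__ == "__main__":
    for lineno, msg in lint_pam_stack(SAMPLE_UAL_REMOTE):
        print("ual.remote:%d: %s" % (lineno, msg))
```

Because the same lines tend to be pasted into every stack file, run it over each file in the Scalix pam.d directory rather than the one you last edited; a clean result from sxpamauth against the pamcheck stack says nothing about a typo that only lives in ual.remote or smtpd.auth.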

Posted: Tue Jul 17, 2007 11:18 pm
by ioitest
Dear Potatoinmiri,

Still no joy... Mr Helmut Kohl is still invisible to Scalix OpenLDAP. I have copy-pasted all your settings into mine. Except for the LDAP domain and server name, my settings are identical to yours. I am really running out of ideas now.

Below is the result of sxpamauth.

[root@scalix etc]# sxpamauth -vvv kohl
pam_start_om("pamcheck", "kohl")
pam_authenticate()
pam_authenticate: Authentication failure

Not authenticated: Authentication failure

ldapsearch test shows:

[root@scalix etc]# ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com

~~~~ bla bla bla ~~~~~~~~~~
# hkohl, people, mydomain.com
dn: uid=hkohl,ou=people,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: hkohl
userPassword:: cGFzc3dvcmQ=
cn: Helmut Kohl
sn: Kohl
givenName: Helmut
~~~~~bla bla bla~~~~~~~~

ldapsearch from the Scalix server to the LDAP server works, and Scalix from the Scalix server to the LDAP server fails.

There is one more thing I haven't mentioned. Only the /var/opt/scalix/sx directory exists. I had to create /var/opt/scalix/sys, /var/opt/scalix/pam.d and all the config files mentioned in the Scalix wiki and your postings. In fact, I am quite surprised and doubtful about the wiki, since two whole directories plus config files are missing from the Scalix 11.04 FC5 distro.

Is this normal? Am I missing anything?