I am about to allow users connect via SWA over SSL from the www. I would like users to handle one username and the AD password only.
The reason is that some users have very poor scalix local passwords, while I have enforced complexity requirements in AD Group Policies.
The normal user also hates multiple usernames and hates complex passwords, let alone managing two complex passwords.
The way I would like authentication to work in my environment (Outlook Connect and SWA only) is that users are always prompted to type their AD username and password, and the local scalix passwords are invalid unless the scalix user is not in AD, (ie: other users created locally in the Scalix server and not synced from AD).
So far I have had success with setting up the keytab and the krb5.conf, all tests good doing kinit for AD users. I am stuck with what pam.d files and in which way would I modify them to achieve what I want .
At the moment the pam.d files have the default authentication method setup:
auth required om_auth nullok
account required om_auth
password required om_auth nullok
I would appreciate some feedback.
Cheers,
Alvaro
[/b]
Kerberos Non Single-Sign-On issue
Moderator: ScalixSupport
-
alvaro
- Posts: 24
- Joined: Mon Apr 21, 2008 6:14 pm
- Location: Australia
Kerberos Non Single-Sign-On issue
Alvaro Lozano
Rous Water
Rous Water
-
schmoe90
- Scalix
- Posts: 900
- Joined: Mon May 07, 2007 11:51 am
Did you look at http://www.scalix.com/wiki/index.php?ti ... s/Kerberos
-
alvaro
- Posts: 24
- Joined: Mon Apr 21, 2008 6:14 pm
- Location: Australia
Neither the How to's nor the documentation includes the syntax to be used in the pam.d Scalix Authentication scripts for the authentication requirement I am setting up:
Active Directory username and password necessary unless username not in AD, in which case scalix local auth is to be accepted. As I mentioned before kinit username test works fine.
I have a proposed syntax for the scenario, but am not sure. Could it be:
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass user_unknown=ignore
auth sufficient om_auth nullok
auth required pam_deny
Thanks.
Active Directory username and password necessary unless username not in AD, in which case scalix local auth is to be accepted. As I mentioned before kinit username test works fine.
I have a proposed syntax for the scenario, but am not sure. Could it be:
account required om_auth
password required om_auth
auth sufficient om_krb5 use_first_pass user_unknown=ignore
auth sufficient om_auth nullok
auth required pam_deny
Thanks.
Alvaro Lozano
Rous Water
Rous Water
-
deyjvu
- Posts: 175
- Joined: Tue Oct 25, 2005 6:48 am
- Location: Australia
HAve you tried this Alvaro:
As an aside, for other people doing troubleshooting, is to use sxpamauth. Create a file in ~/sys/pam.d called pamcheck, containing your rules (copy ual.remote to this file). Right at the top add
auth required om_debug
then run
sxpamauth "User Name"
I managed to trace a Kerberos authentication failure to a clock skew issue this way. Useful if you're not sure where the exact problem is.
As an aside, for other people doing troubleshooting, is to use sxpamauth. Create a file in ~/sys/pam.d called pamcheck, containing your rules (copy ual.remote to this file). Right at the top add
auth required om_debug
then run
sxpamauth "User Name"
I managed to trace a Kerberos authentication failure to a clock skew issue this way. Useful if you're not sure where the exact problem is.
Return to “Third Party Integration”
Who is online
Users browsing this forum: No registered users and 2 guests