I have an odd problem with Outlook authentication against PAM LDAP. Scenario: I have set up Scalix and it works fine; I additionally run Samba and an OpenLDAP on port 3890 to get a single-password logon system. Scalix synchronizes users from OpenLDAP and authenticates fine using pam_ldap.
SAC, Webmail and IMAP authenticate fine against the LDAP passwords, BUT Outlook only authenticates against the Scalix passwords.
Here's my ual.remote, smtpd.auth, pop3, pamcheck ...
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so use_first_pass
account required om_om2authid
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
From my knowledge of PAM this order is correct: it first checks om_auth, then LDAP. I desynchronized the passwords of LDAP and Scalix to check which stage succeeds. This works fine in all modules EXCEPT the Outlook connector.
Outlook only authenticates against Scalix, never against the LDAP password. Outlook briefly reports "Wrong Password". I debugged the LDAP access while trying to auth, and PAM queries the user correctly from the directory. There's no error on the LDAP side.
- no log in /var/log reveals an error
- neither the Scalix logs nor the scalix-tomcat logs do
- PAM does not log anything
- "sxpamauth" works fine, like everything else
******************
As a second attempt I tried to replace the "pam_ldap" stages with "om_ldap" stages. This change allowed me to authenticate Outlook against LDAP, but:
LDAP authentication only works with the ACL ...
access to *
by anonymous read
... in slapd.conf, but that's a security nightmare because it allows everyone to read the entire tree, including password hashes. I got this ACL from your knowledgebase HowTo.
Of course I tried to limit the access by changing om_ldap.conf
host=127.0.0.1:3890
search=none
tls=off
dn=uid=%s,ou=Users,dc=myldapserver,dc=com
and slapd.conf
access to *
by dn="uid=*,ou=Users,dc=myldapserver,dc=com" read
by anonymous auth
by self write
by * auth
With LDAP admin tools I am able to authenticate as my user and query (and edit) my own entry. When testing with "sxpamauth" I get:
pam_start_om("pamcheck", "realexistingusername")
pam_start_om: User not known to the underlying authentication module
Not authenticated: User not known to the underlying authentication module
Now I am out of ideas to get either of the two ways above working. Having full anonymous read on the LDAP tree is not an option!
Anyone got hints?
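The question above turns on how PAM walks a stack of `required` and `sufficient` lines. The following is an added example, not code from the original post and not Scalix's or Linux-PAM's own code: a small simulator of libpam's control-flag dispatch (required / requisite / sufficient / optional), run over the auth lines quoted in the post with simulated module outcomes. It models the semantics in simplified form (no PAM_IGNORE, no `[value=action]` syntax, no real module loading), and the per-module return codes are assumptions supplied in a dict, so nothing here contacts a real PAM or LDAP server. The three scenarios show that a successful `om_auth` short-circuits the stack so `pam_ldap` is never consulted, that a failing `sufficient` module falls through to `pam_ldap`, and that a `required` module returning PAM_USER_UNKNOWN ahead of the `sufficient` line yields "User not known to the underlying authentication module" no matter what the later modules return. Whether that last case is what happens in the poster's setup is not established by the post.

```python
"""Simplified Linux-PAM control-flag dispatcher over an auth stack (added example)."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"   # strerror: "User not known to the underlying authentication module"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# The auth lines of the stack quoted in the post (ual.remote / smtpd.auth / pop3 / pamcheck).
POSTED_STACK = """
auth required om_om2authid
auth sufficient om_auth
auth required /lib/security/pam_ldap.so use_first_pass
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        rules.append((fields[1], fields[2], fields[3:]))
    return rules


def run_stack(rules, outcomes):
    """Evaluate a stack with libpam-style control flags.

    outcomes maps module name -> simulated return code; a module absent from the
    dict is assumed (hypothetically) to return PAM_USER_UNKNOWN.
    Returns (final_code, consulted): consulted lists the modules actually called,
    in order, so short-circuits are visible.
    """
    consulted = []
    first_failure = None    # first failing required/requisite code, like libpam's "impression"
    saw_success = False
    for control, module, _args in rules:
        rc = outcomes.get(module, PAM_USER_UNKNOWN)
        consulted.append(module)
        ok = rc == PAM_SUCCESS
        if control == "required":
            if ok:
                saw_success = True
            elif first_failure is None:
                first_failure = rc          # remembered, but the stack keeps running
        elif control == "requisite":
            if ok:
                saw_success = True
            else:
                return (first_failure or rc), consulted   # aborts immediately
        elif control == "sufficient":
            if ok and first_failure is None:
                return PAM_SUCCESS, consulted             # later lines are never consulted
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok:
                saw_success = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if first_failure is not None:
        return first_failure, consulted
    return (PAM_SUCCESS if saw_success else PAM_PERM_DENIED), consulted


def scenarios():
    """Run the posted stack under three simulated (constructed) outcome sets."""
    rules = parse_stack(POSTED_STACK)
    ldap = "/lib/security/pam_ldap.so"
    cases = {
        # Scalix password typed: om_auth is sufficient, pam_ldap is never reached.
        "scalix_password": {"om_om2authid": PAM_SUCCESS, "om_auth": PAM_SUCCESS, ldap: PAM_SUCCESS},
        # Passwords desynchronised, LDAP password typed: om_auth fails, pam_ldap decides.
        "ldap_password": {"om_om2authid": PAM_SUCCESS, "om_auth": PAM_AUTH_ERR, ldap: PAM_SUCCESS},
        # The first required module cannot map the user: no later success can rescue the stack.
        "unknown_user": {"om_om2authid": PAM_USER_UNKNOWN, "om_auth": PAM_SUCCESS, ldap: PAM_SUCCESS},
    }
    return {name: run_stack(rules, outcome) for name, outcome in cases.items()}


if __name__ == "__main__":
    for name, (rc, consulted) in scenarios().items():
        print(f"{name:16s} -> {rc:18s} consulted: {' -> '.join(consulted)}")
```

Swap the outcome dicts for the codes you believe each real module returns (sxpamauth output is a good source) and the simulator tells you which line of the stack produced the final verdict; that is the check to make before blaming the directory ACLs.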