Personal Contacts


florian
Scalix
Scalix
Posts: 3852
Joined: Fri Dec 24, 2004 8:16 am
Location: Frankfurt, Germany
Contact:

Postby florian » Wed Nov 01, 2006 6:55 pm

I assume you use KRB or LDAP authentication against AD?

Have you set up your omslapdeng PAM config file to be the same as your ual.remote?

Cheers,
Florian.
Florian von Kurnatowski, Die Harder!

carlPjohnson
Posts: 77
Joined: Sun Oct 29, 2006 4:55 pm

KRB to AD

Postby carlPjohnson » Wed Nov 01, 2006 7:21 pm

Florian,

I have set up all the files to point to and use kerberos and om_auth as a backup. But every time I set up omslapdeng to use krb5, SAC will not work using a Scalix local account, and it does not fix the SWA contacts issue. Any ideas?

I use the following in ual.remote, pop3, smtpd.auth:

auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth

I use the following in omslapdeng:

auth sufficient om_krb5
auth sufficient om_auth
om_auth password required
om_auth session required om_auth

Postby florian » Wed Nov 01, 2006 7:25 pm

Hi,

Copying from the ual template, I believe we're thinking of the same thing:

# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth  required om_krb5 user_unknown=ignore
# auth  optional om_auth nullok use_first_pass


Now, I'm always using the same file for ual.remote, ual.local, pop3 and omslapdeng and so far it has worked for me. Your second block does not contain any account lines - is this on purpose or not? Also, the last line seems garbled.

Can you play around with the sxpamauth tool and see what this does?

Thx,
Florian.
Florian von Kurnatowski, Die Harder!

.. now the contacts work! but sac is broken!!

Postby carlPjohnson » Thu Nov 02, 2006 11:21 am

.. ok now the contacts work, but SAC is broken for local user auth.

2006-11-02 08:19:52,966 ERROR [LDAPHelperUtils.getTargetHost:362] javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
2006-11-02 08:19:52,974 ERROR [RbacAuthorizationHelper.authenticateUser:87] Exception:
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
.. cont

cat /var/opt/scalix/sys/pam.d/omslapdeng
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth

Also, what is ual.local used for vs ual.remote?

.. tried tool.

Postby carlPjohnson » Thu Nov 02, 2006 11:29 am

# cp /var/opt/scalix/sys/pam.d/omslapdeng /var/opt/scalix/sys/pam.d/pamcheck
# sxpamauth -vvv 'sxadmin@scalix.rcp.local'
pam_start_om("pamcheck", "sxadmin@scalix.rcp.local")
pam_start_om: User not known to the underlying authentication module

Not authenticated: User not known to the underlying authentication module

# cat /var/opt/scalix/sys/pam.d/omslapdeng
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth

# cat /var/opt/scalix/sys/pam.d/pamcheck
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth

Postby florian » Thu Nov 02, 2006 11:31 am

Due to a known issue in sxpamcheck in 10.x, you will need to use the last name as the username on that command line.

cheers,
Florian.
Florian von Kurnatowski, Die Harder!

.. tried again.

Postby carlPjohnson » Thu Nov 02, 2006 11:47 am

sxpamauth -vvv 'sxadmin'
pam_start_om("pamcheck", "sxadmin")
pam_authenticate()
Kerberos Password:

Scalix password:
pam_authenticate: Conversation error

Not authenticated: Conversation error

Postby florian » Thu Nov 02, 2006 11:50 am

What does your pamcheck pam config file look like?

-- f.
Florian von Kurnatowski, Die Harder!

pamcheck

Postby carlPjohnson » Thu Nov 02, 2006 11:53 am

# cat /var/opt/scalix/sys/pam.d/pamcheck
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth

Postby florian » Thu Nov 02, 2006 11:59 am

Can you recheck if this works if you comment out the om_krb5 line and make the om_auth line a required one?

Thx,
Florian.
Florian von Kurnatowski, Die Harder!

.. that works.

Postby carlPjohnson » Thu Nov 02, 2006 12:02 pm

Well, that works, what now?

# cat /var/opt/scalix/sys/pam.d/pamcheck
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth use_first_pass
auth required om_auth use_first_pass
account required om_auth
password required om_auth

# sxpamauth -vvv 'sxadmin'
pam_start_om("pamcheck", "sxadmin")
pam_authenticate()
Scalix password:
pam_acct_mgmt()

Authenticated

Postby florian » Thu Nov 02, 2006 12:10 pm

So the user that you're using is a locally defined user and is not in kerberos??

cheers,
Florian.
Florian von Kurnatowski, Die Harder!

.. correct

Postby carlPjohnson » Thu Nov 02, 2006 12:17 pm

That is correct, that is a local user, not a kerberos user. Per the config, I thought we could use both types.

Postby florian » Thu Nov 02, 2006 4:11 pm

Can you try

auth sufficient om_krb5 user_unknown=ignore
auth sufficient om_auth use_first_pass
auth required pam_deny

with sxpamauth?

Thanks,
Florian
Florian von Kurnatowski, Die Harder!

that works!!

Postby carlPjohnson » Thu Nov 02, 2006 5:35 pm

auth sufficient om_krb5 user_unknown=ignore
auth sufficient om_auth use_first_pass
auth required pam_deny
account required om_auth
password required om_auth

works!!!
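
An added example, not part of the thread or Scalix's code: a small model of standard Linux-PAM control-flag evaluation, comparing the template auth stack (required/optional) with the final one (sufficient/sufficient/pam_deny). It assumes Scalix's PAM layer follows those semantics and that the modules return as the template comment describes; the accounts and passwords are constructed, and the sxpamauth conversation error seen earlier is not modelled.

```python
# Model of standard Linux-PAM control-flag evaluation for an auth stack.
# Assumption: Scalix's PAM layer follows these semantics.
SUCCESS, IGNORE, AUTH_ERR = "success", "ignore", "auth_err"

TEMPLATE = [("required", "om_krb5"), ("optional", "om_auth")]
FINAL = [("sufficient", "om_krb5"), ("sufficient", "om_auth"),
         ("required", "pam_deny")]

# Constructed accounts; the KDC user also has a Scalix password set.
LOCAL = {"in_kdc": False, "krb_pw": None, "scalix_pw": "local-pw"}
KDC = {"in_kdc": True, "krb_pw": "krb-pw", "scalix_pw": "old-pw"}


def module_result(module, user):
    """Hypothetical module behaviour, following the template comment."""
    if module == "om_krb5":  # configured with user_unknown=ignore
        if not user["in_kdc"]:
            return IGNORE
        return SUCCESS if user["typed"] == user["krb_pw"] else AUTH_ERR
    if module == "om_auth":  # use_first_pass: reuses the typed password
        return SUCCESS if user["typed"] == user["scalix_pw"] else AUTH_ERR
    return AUTH_ERR  # pam_deny always fails


def authenticate(stack, user):
    """Return True if the auth stack as a whole succeeds."""
    failed = passed = False
    for control, module in stack:
        result = module_result(module, user)
        if result == IGNORE:
            continue  # module takes no part in the decision
        if result == SUCCESS:
            passed = passed or not failed
            if control == "sufficient" and not failed:
                return True  # "done": later modules never run
        elif control == "required":
            failed = True  # "bad": remember the failure, keep going
    return passed and not failed


def compare(user, typed):
    """(template result, final result) for one typed password."""
    attempt = dict(user, typed=typed)
    return authenticate(TEMPLATE, attempt), authenticate(FINAL, attempt)


if __name__ == "__main__":
    for user, typed in [(LOCAL, "local-pw"), (KDC, "krb-pw"), (KDC, "old-pw")]:
        print(typed, compare(user, typed))
```

The third case is the policy difference to check for: under these assumptions, with `sufficient` a KDC-known user whose Kerberos check fails can still authenticate on a matching Scalix password, which the template's `required` line prevents.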

