Hello!
So I'm trying to setup Scalix Community to connect to our external LDAP server and running into problems. I only have one scalix user to test with (me) and I'm in the external ldap and my authid in scalix matches my UID in the external ldap. I can query the external ldap from the command line using ldapsearch and can find me no problem.
I modified /var/opt/scalix/sys/pam.d/ual.remote and ual.local to:
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth nullok
session required om_auth
I've created a /var/opt/scalix/sys/om_ldap.conf with:
host=ldap.wildbrain.com
search=subtree
base=ou=people,dc=wildbrain,dc=com
filter=uid=%s
I've restarted scalix. I don't see any errors in either my tomcat logs or my scalix fatal logs. but when I try to login with my username and password, I get "unknown username". :(
Is there some step I've missed? Is there anything i can do to help me debug where the problem lies?
Thanks in advance for any help you can give!
External LDAP Authentication Problem
Moderators: ScalixSupport, admin
-
Sneeper
- Posts: 28
- Joined: Fri Sep 23, 2005 6:35 pm
- Location: San Francisco
-
ScalixSupport
- Scalix
- Posts: 5503
- Joined: Thu Mar 25, 2004 8:15 pm
-
Sneeper
- Posts: 28
- Joined: Fri Sep 23, 2005 6:35 pm
- Location: San Francisco
That seemed like it could've been it too!
I added it to the om_ldap.conf file, I restarted scalix, and tried again. I still get the "The username or password is incorrect. Note that passwords are case sensitive. Try again." error.
The only thing in the log I see is in the tomcat/logs/scalix-swa_log.2005-09-23.txt:
:(
I added it to the om_ldap.conf file, I restarted scalix, and tried again. I still get the "The username or password is incorrect. Note that passwords are case sensitive. Try again." error.
The only thing in the log I see is in the tomcat/logs/scalix-swa_log.2005-09-23.txt:
Code: Select all
XML:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:xsd="http://www.w3.org/1999/XMLSchema" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Header><credentials xmlns="http://scalix.com/schemas/gofish" SOAP-ENV:mustUnderstand="1"><username>andy</username><emailDomain>wildbrain.com</emailDomain><fugu>Ox5f42466968693d3023322b2b23352e31292f3407</fugu><ts>0</ts><rand>93F6EB059EAFA0BA5B74FB005A7A4A31</rand><rand2>fa5101f58c27799c40e96e29e77ee237c0de8832</rand2></credentials></SOAP-ENV:Header><SOAP-ENV:Body><m:login xmlns:m="http://scalix.com/methods"/></SOAP-ENV:Body></SOAP-ENV:Envelope></debug></e:BadUserName></detail></SOAP-ENV:Fault>
2005-09-23 19:17:13 StandardContext[/webmail]ip: 10.1.30.2; username: andy; message: <SOAP-ENV:Fault><faultcode>SOAP-ENV:CLIENT.BadUserName</faultcode><faultstring>The username or password is incorrect. Note that passwords are case sensitive. Try again.</faultstring><detail><e:BadUserName xmlns:e="http://scalix.com/errors"><message>The username or password is incorrect. Note that passwords are case sensitive. Try again.</message><debug>user: andy
request method(s): login
:(
-
jch
- Scalix
- Posts: 202
- Joined: Thu Mar 25, 2004 10:25 am
Ethereal is your friend. Now TLS is turned off, ethereal will be able to show you what's going on. Run it on the scalix server machine so you can see the LDAP conversation and not have switches and whatnot hiding the packets from you.
Dave's advice is good. There appears to be a bug in OpenLDAP in that if TLS can't be negotiated, the connection falls apart.
Oh, and you don't need to restart anything if you change the ldap.conf or pam.d configuration files -- they're read afresh by a newly created process when you start authentication.
jch
Dave's advice is good. There appears to be a bug in OpenLDAP in that if TLS can't be negotiated, the connection falls apart.
Oh, and you don't need to restart anything if you change the ldap.conf or pam.d configuration files -- they're read afresh by a newly created process when you start authentication.
jch
-
ScalixSupport
- Scalix
- Posts: 5503
- Joined: Thu Mar 25, 2004 8:15 pm
The other thing to check is that you have updated all the correct pam.d files.
For client and SAC authentication, there are 4 files which you need to ensure are the same (we're working on making this a single point of administration in a future version).
pam.d/ual.remote is required for IMAP and Outlook logins.
pam.d/pop3 is, obviously, for POP3 clients
pam.d/smtpd.auth is for SMTP authentication through the SMTP Relay
pam.d/omslapdeng is for LDAP authenticated binds.
Because SAC uses LDAP to retrieve information you could test, at a minimum, pam.d/omslapdeng.
Cheers
Dave
For client and SAC authentication, there are 4 files which you need to ensure are the same (we're working on making this a single point of administration in a future version).
pam.d/ual.remote is required for IMAP and Outlook logins.
pam.d/pop3 is, obviously, for POP3 clients
pam.d/smtpd.auth is for SMTP authentication through the SMTP Relay
pam.d/omslapdeng is for LDAP authenticated binds.
Because SAC uses LDAP to retrieve information you could test, at a minimum, pam.d/omslapdeng.
Cheers
Dave
-
florian
- Scalix
- Posts: 3852
- Joined: Fri Dec 24, 2004 8:16 am
- Location: Frankfurt, Germany
- Contact:
You gave this as your PAM configuration:
I believe there is an error here.
You have two lines reading "required" and one additional optional one; when specifying required in a PAM stack, all required lines will have to work. As one of your required lines has pam_deny, this will *never* work.
If you want users to be able to sign on through either their Scalix or their LDAP password (even users that exist on both sides) you should be using
If you want only user's unknown to LDAP to be able to authenticate against Scalix, you should be using
[code]auth required om_ldap user_unknown=ignore
auth required om_auth use_first_pass
I believe some examples of this are documented in our ual.remote PAM config file.
BTW, for the time being we do not support password changes for external authentication systems through Scalix. This will, however, be changed in one of our next releases.
Hope this helps,
Florian.
Code: Select all
I modified /var/opt/scalix/sys/pam.d/ual.remote and ual.local to:
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_pass
auth required pam_deny
account required om_auth
password optional om_ldap
password required om_auth nullok
session required om_auth
I believe there is an error here.
You have two lines reading "required" and one additional optional one; when specifying required in a PAM stack, all required lines will have to work. As one of your required lines has pam_deny, this will *never* work.
If you want users to be able to sign on through either their Scalix or their LDAP password (even users that exist on both sides) you should be using
Code: Select all
auth sufficient om_ldap
auth sufficient om_auth use_first_pass
auth required pam_denyIf you want only user's unknown to LDAP to be able to authenticate against Scalix, you should be using
[code]auth required om_ldap user_unknown=ignore
auth required om_auth use_first_pass
I believe some examples of this are documented in our ual.remote PAM config file.
BTW, for the time being we do not support password changes for external authentication systems through Scalix. This will, however, be changed in one of our next releases.
Hope this helps,
Florian.
Florian von Kurnatowski, Die Harder!
-
jch
- Scalix
- Posts: 202
- Joined: Thu Mar 25, 2004 10:25 am
Doh! If I'd read the original post properly...
The om_ldap(8) and om_krb5(8) man pages describe the various ways that you can use those two modules. Pretty much the same description can be found in the larger pam.d files as well. My personal preference is for what is described as scheme 2 in the config files:
As Florian says, LDAP password changing isn't supported at the moment, but, with luck, it might work soon.
The om_ldap(8) and om_krb5(8) man pages describe the various ways that you can use those two modules. Pretty much the same description can be found in the larger pam.d files as well. My personal preference is for what is described as scheme 2 in the config files:
Code: Select all
auth required om_ldap user_unknown=ignore
auth optional om_auth nullok use_first_passAs Florian says, LDAP password changing isn't supported at the moment, but, with luck, it might work soon.
-
Sneeper
- Posts: 28
- Joined: Fri Sep 23, 2005 6:35 pm
- Location: San Francisco
Yay that was it!
It was that pesky pam deny line!
I didn't originally have it.. I had copied and pasted my original pam lines from PDF documentation.. but I think then the tls problem was hitting me.. so I had tried various things.. and then when I fixed the tls, I still wasn't being let in because of the pam_deny.. I was mixing the two schemas.
Thanks so much. You guys rock!!
I didn't originally have it.. I had copied and pasted my original pam lines from PDF documentation.. but I think then the tls problem was hitting me.. so I had tried various things.. and then when I fixed the tls, I still wasn't being let in because of the pam_deny.. I was mixing the two schemas.
Thanks so much. You guys rock!!
-
florian
- Scalix
- Posts: 3852
- Joined: Fri Dec 24, 2004 8:16 am
- Location: Frankfurt, Germany
- Contact:
Who is online
Users browsing this forum: No registered users and 4 guests