From users@opengroupware.org  Thu Mar  1 09:42:51 2007
From: users@opengroupware.org (Matt Johnson)
Date: Thu, 1 Mar 2007 01:42:51 -0800 (PST)
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
Message-ID: <156050.23104.qm@web50108.mail.yahoo.com>

----- Original Message ----=0AFrom: Martin Hasselmann <HisWeedness@gmx.net>=
=0ATo: users@opengroupware.org=0ASent: Wednesday, 28 February, 2007 5:39:50=
 PM=0ASubject: [OGo-Users] ogo Debian Sarge First install apach2 404=0A=0A>=
Let me repeat every step in detail.=0A=0A>1) Set up of apache2=0A>2) Enable=
 mod_rewrite and mod_include=0A>3) setup postgresql with default location=
=0A>4) installation via apt-get of opengroupware.org and=0A>opengroupware.o=
rg-environment without any errors=0A>5) restart of opengroupware=0A>6) atte=
mpted access via hostname/opengroupware=0A=0A-------------------------=0A=
=0AI've installed libapache2-mod-ngobjweb and it's solved!=0AHere's the exa=
ct order in case it makes a difference...=0A=0A1. Clean install Debian Sarg=
e=0A2. apt-get install postgresql=0A3. apt-get install apache2=0A4. enable =
mod_rewrite and mod_include=0A5. edit /etc/apt/sources.list and add the lin=
e=0Adeb http://download.opengroupware.org/nightly/packages/debian sarge tru=
nk=0A6. apt-get update=0A7. apt-get install opengroupware.org=0A8. apt-get =
install opengroupware.org-environment=0A9. apt-get install libapache2-mod-n=
gobjweb=0A10. Restart Apache2 and restart opengroupware.org=0A11. Point bro=
wser at http://server/OpenGroupware=0A=0AThis install the trunk version. I =
will *maybe* try again to see if I can get a released version... probably 1=
.1.6?=0A=0AThe only other thing I did was "passwd postgres" from the comman=
d line to add a password to the postgres user. I'm sure this is irrelevant =
to this discussion, but I've gievn up assuming such things :)=0A=0AAll the =
best.=0A=0AMartin, we should write this up. Or post something brief to the =
documentation site.=0A=0AI've been using VMware with a snapshot of a fresh =
installed debian sarge to get this going. It's saved time - everytime I mak=
e a blunder I just reset to fresh install state. I'll probably return to th=
e snapshot this afternoon and try to get a more stable version up and runni=
ng from scratch. If there's time... ;)=0A=0A--=0AMatt=0A=0A=0A

From users@opengroupware.org  Thu Mar  1 09:51:42 2007
From: users@opengroupware.org (Florian Reitmeir)
Date: Thu, 1 Mar 2007 10:51:42 +0100
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <156050.23104.qm@web50108.mail.yahoo.com>
References: <156050.23104.qm@web50108.mail.yahoo.com>
Message-ID: <20070301095142.GT2819@squat.noreply.org>

On Don, 01 M=C3=A4r 2007, Matt Johnson wrote:

> The only other thing I did was "passwd postgres" from the command line to=
 add a password to the postgres user. I'm sure this is irrelevant to this d=
iscussion, but I've gievn up assuming such things :)

this is a bad idea. the root user can change to everyuser even if they do n=
ot
have any password or shell set.

so for your on security.. disable the password again, and if you need the
postgres user, just do:

<change to root>
su -
or
sudo bash

<if you are root>
su - postgres

and if you use sudo.. its a dirty but simple command ..
sudo su - postgres

--=20
Florian Reitmeir

From users@opengroupware.org  Thu Mar  1 10:50:03 2007
From: users@opengroupware.org (Matt Johnson)
Date: Thu, 1 Mar 2007 02:50:03 -0800 (PST)
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
Message-ID: <281557.76251.qm@web50114.mail.yahoo.com>

=0A=0A----- Original Message ----=0AFrom: Florian Reitmeir <florian@reitmei=
r.org>=0ATo: users@opengroupware.org=0ASent: Thursday, 1 March, 2007 9:51:4=
2 AM=0ASubject: Re: [OGo-Users] ogo Debian Sarge First install apach2 404=
=0A=0AOn Don, 01 M=E4r 2007, Matt Johnson wrote:=0A=0A> The only other thin=
g I did was "passwd postgres" from the command line to add a password to th=
e postgres user. I'm sure this is irrelevant to this discussion, but I've g=
ievn up assuming such things :)=0A=0Athis is a bad idea. the root user can =
change to everyuser even if they do not=0Ahave any password or shell set.=
=0A------------------=0A=0AThanks for this - I'll change it back. Don't som=
e installs ask for your postgres password? WHat do you do in that situation=
?=0A=0AThanks=0A=0A--=0AMatt=0A=0A=0A

From users@opengroupware.org  Thu Mar  1 11:17:56 2007
From: users@opengroupware.org (Florian Reitmeir)
Date: Thu, 1 Mar 2007 12:17:56 +0100
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <281557.76251.qm@web50114.mail.yahoo.com>
References: <281557.76251.qm@web50114.mail.yahoo.com>
Message-ID: <20070301111756.GU2819@squat.noreply.org>

On Don, 01 M=C3=A4r 2007, Matt Johnson wrote:
> On Don, 01 M=C3=A4r 2007, Matt Johnson wrote:
>=20
> > The only other thing I did was "passwd postgres" from the command line =
to add a password to the postgres user. I'm sure this is irrelevant to this=
 discussion, but I've gievn up assuming such things :)
>=20
> this is a bad idea. the root user can change to everyuser even if they do=
 not
> have any password or shell set.
> ------------------
>=20
> Thanks for this - I'll change it back. Don't some installs ask for your p=
ostgres password? WHat do you do in that situation?

Normally every installation script works under to root user, so there is ne=
ver
a case where the postgres or apache or .. user needs a password. And of
course the root password is also never needed.


--=20
Florian Reitmeir

From users@opengroupware.org  Thu Mar  1 11:33:02 2007
From: users@opengroupware.org (Martin Hasselmann)
Date: Thu, 01 Mar 2007 12:33:02 +0100
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <1172700046.4528.70.camel@aleph.whitemice.org>
References: <45E5BE66.9040106@gmx.net>	 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>	 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net> <1172700046.4528.70.camel@aleph.whitemice.org>
Message-ID: <45E6B9EE.1050806@gmx.net>

Hi again!

> The ngobjweb module relays network requests between the front-end web
> server (Apache) and the SOPE application servers (OGo's WebUI,
> ZideStore, XML-RPC daemon, etc...)

OK, indeed I needed to install libapache2-mod-ngobjweb and now I the
redirect within apache works. Now I'm getting the well-known-error

The SKYRIX application server could not connect to the database server !

Please ensure that your database server is running and that the
LSConnectionDictionary default is correctly set.

So I wanted figure out if the problem could be the database itself.
Shame on me I've only worked with mysql so I even cannot access the DB.
I try it with

su - postgres
psql -u ogo

Then it tells my something about depricated but asks me for the pass. I
don't know why but I tried and tried again but the authentication fails.
Maybe there is the mistake. That is where I am now.

Let me continue now with your answers.

> There seems to be lots of documentation concerning Debian on OGo:
> http://docs.opengroupware.org/Members/Wile_E/copy_of_index_html/view
> http://docs.opengroupware.org/Members/estival/Debian-sarge-howto/view
> http://docs.opengroupware.org/Members/craig/Zidestore%20setup%20for%
> 20debian/view
> http://docs.opengroupware.org/Members/mkbrown/Misc/ExperimentalToOGoDebs/view
> http://docs.opengroupware.org/Members/helge/ports/debian/view?searchterm=debian
> 
> Have you looked in the docs site?

Just now ;) But unfortunately it did not help. Example:
http://docs.opengroupware.org/Members/lutz/Opengroupware%20install%20howto%20in%20german/view?searchterm=install%20AND%20debian

This HowTo was indeed helpful. But I really wonder why there is not even
one single HowTo concerning the latest build of OGo with at least a
little excursion regarding PostgreSQL.


Adam Tauno WIlliams wrote:

> Is OGo actually running? (ps ax | grep ogo-webui)

ps ax | grep ogo-webui returns:

15757 ?        Ss     0:00 /usr/bin/daemon -F
/var/lib/opengroupware.org/webui.pid -X /usr/sbin/ogo-webui-1.0 -WOPort
20000 -E /var/log/opengroupware.org/admin/webui.log
15758 ?        S      0:00 /usr/sbin/ogo-webui-1.0 -WOPort 20000
15763 ?        S      0:00 /usr/sbin/ogo-webui-1.0 -WOPort 20000

Is it normal that webui runs twice?

> On what port is it listening (netstat -ap | grep ogo-webui)?

Returns:
tcp        0      0 *:20000       *:*       LISTEN   15763/ogo-webui-1.0


> Does that correspond to the ngobjweb configuration in Apache?


Let me see. I added the following lines in apache2.conf:

<LocationMatch "^/opengroupware*">
      SetHandler ngobjweb-adaptor
      SetAppPort 20000
</LocationMatch>

But there are two thinks I really wonder about. First I can type both
hostname/OpenGroupware AND hostname/opengroupware. Have I messed
everything up completely now?
But comparing both netstat-return and configuration it seems to match.


Florian Reitmeir wrote:

> a common error occurs, if apache1 is installed (package "apache"),
>apt-get
> recommends apache. and if apache and apache2 are installed on the same
> system,
>
>apache is configured
>apache2 is started
>
>please checkout if this is the case, if its the case .. just purge >apache,
>and do the install again (or copy the symlinks from /etc/apache/conf.d
>to >/etc/apache2/conf.d and install the apache2 module from ogo).

Yes I figured this out formerly and purged apache after having moved
conf.d's content to apache2's conf.d


Matt Johnson wrote:

> 5. edit /etc/apt/sources.list and add the line
> deb http://download.opengroupware.org/nightly/packages/debian sarge trunk

But here is a difference. I used opengroupware-1.0.0-finally because
afaik or as far as i read finally is a stable release and trunk means
something like unstable. Or am I wrong with that? The problem is that I
must explain myself why I want to use something unstable. I am working
for a university and my collegues there must rely on my installation.

> Martin, we should write this up. Or post something brief to the
documentation site.

I still agree with that! But first of all I need to get OGo started ;)
Where do you come from, Matt? Maybe we should swap our mail-adresses to
write a good text...


Let me mention that I am of course not only waiting for and relaying on
your replys. I'm still working on that, too.

Really: Thank you for your help. Please don't stop, I think that the
solution is not so far away!

Kind regards,
Martin

From users@opengroupware.org  Thu Mar  1 12:16:03 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Thu, 01 Mar 2007 07:16:03 -0500
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <45E6B9EE.1050806@gmx.net>
References: <45E5BE66.9040106@gmx.net>
 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>
 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net>
 <1172700046.4528.70.camel@aleph.whitemice.org>  <45E6B9EE.1050806@gmx.net>
Message-ID: <1172751363.4555.11.camel@aleph.whitemice.org>

> > The ngobjweb module relays network requests between the front-end web
> > server (Apache) and the SOPE application servers (OGo's WebUI,
> > ZideStore, XML-RPC daemon, etc...)
> OK, indeed I needed to install libapache2-mod-ngobjweb and now I the
> redirect within apache works. Now I'm getting the well-known-error
> The SKYRIX application server could not connect to the database server !
> Please ensure that your database server is running and that the
> LSConnectionDictionary default is correctly set.

> su - postgres
> psql -u ogo

psql -h localhost -U OGo OGo

If you don't specify a "-h" it assumes a domain socket connection with
uses different default authentication;  since OGo is using a TCP/IP
connection, to test you should use a TCP/IP connection.

> Then it tells my something about depricated but asks me for the pass. I

"-u" us depricated.  And role names are case sensitive.

>This HowTo was indeed helpful. But I really wonder why there is not
>even one single HowTo concerning the latest build of OGo with at least
>a little excursion regarding PostgreSQL.

Why?  PostgreSQL is well documented -
http://www.postgresql.org/docs/8.2/interactive/auth-pg-hba-conf.html
 - and in most cases "it just works".  On RPM distributions at least
I've never had to diddle pg_hba.conf in order for OGo to run;  although
it is possible to create a more secure configuration than the default.  

WMOGAG does touch on PostgreSQL configuration for OGo -
http://docs.opengroupware.org/Members/whitemice/wmogag/ - page 9 in the
current edition.

> don't know why but I tried and tried again but the authentication fails.
> Maybe there is the mistake. That is where I am now.
> ps ax | grep ogo-webui returns:
> 15757 ?        Ss     0:00 /usr/bin/daemon -F
> /var/lib/opengroupware.org/webui.pid -X /usr/sbin/ogo-webui-1.0 -WOPort
> 20000 -E /var/log/opengroupware.org/admin/webui.log
> 15758 ?        S      0:00 /usr/sbin/ogo-webui-1.0 -WOPort 20000
> 15763 ?        S      0:00 /usr/sbin/ogo-webui-1.0 -WOPort 20000
> Is it normal that webui runs twice?

The primary daemon has forked off a chiled;  it isn't possible to run
the webui twice on the same port.

> > On what port is it listening (netstat -ap | grep ogo-webui)?
> Returns:
> tcp        0      0 *:20000       *:*       LISTEN   15763/ogo-webui-1.0

Looks good.

> > Does that correspond to the ngobjweb configuration in Apache
> Let me see. I added the following lines in apache2.conf:
> <LocationMatch "^/opengroupware*">
>       SetHandler ngobjweb-adaptor
>       SetAppPort 20000
> </LocationMatch>

Looks good.

> But there are two thinks I really wonder about. First I can type both
> hostname/OpenGroupware AND hostname/opengroupware. Have I messed
> everything up completely now?

Nope, I don't think that matters.  If you are getting a Skyrix error
though the browser then you have the Apache connection working.


From users@opengroupware.org  Thu Mar  1 12:59:44 2007
From: users@opengroupware.org (Martin Hasselmann)
Date: Thu, 01 Mar 2007 13:59:44 +0100
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <1172751363.4555.11.camel@aleph.whitemice.org>
References: <45E5BE66.9040106@gmx.net>	 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>	 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net>	 <1172700046.4528.70.camel@aleph.whitemice.org>  <45E6B9EE.1050806@gmx.net> <1172751363.4555.11.camel@aleph.whitemice.org>
Message-ID: <45E6CE40.2090303@gmx.net>

Adam Tauno Williams schrieb:

> psql -h localhost -U OGo OGo
> 
> If you don't specify a "-h" it assumes a domain socket connection with
> uses different default authentication;  since OGo is using a TCP/IP
> connection, to test you should use a TCP/IP connection.

Maybe I am too stupid for postgresql :/

su - postgres
psql -h localhost -U ogo ogo (lowercases are correct because both user
and database are written in lowercases)

returns: FATAL: IDENT-Authentification for user ogo failed

Why??
Even after consulting postgresql's docs I don't see any mistype or
something :(

> Nope, I don't think that matters.  If you are getting a Skyrix error
> though the browser then you have the Apache connection working.

Let me resume: The only problem I got now is to let OGo connect to the
postgresql-DB, right?

Still searching around the web to solve this problem.

Kind regards,
Martin

From users@opengroupware.org  Thu Mar  1 13:07:08 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Thu, 01 Mar 2007 08:07:08 -0500
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <45E6CE40.2090303@gmx.net>
References: <45E5BE66.9040106@gmx.net>
 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>
 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net>
 <1172700046.4528.70.camel@aleph.whitemice.org>  <45E6B9EE.1050806@gmx.net>
 <1172751363.4555.11.camel@aleph.whitemice.org>  <45E6CE40.2090303@gmx.net>
Message-ID: <1172754428.4555.23.camel@aleph.whitemice.org>

> > psql -h localhost -U OGo OGo
> > If you don't specify a "-h" it assumes a domain socket connection with
> > uses different default authentication;  since OGo is using a TCP/IP
> > connection, to test you should use a TCP/IP connection.
> Maybe I am too stupid for postgresql :/
> su - postgres
> psql -h localhost -U ogo ogo (lowercases are correct because both user
> and database are written in lowercases)
> returns: FATAL: IDENT-Authentification for user ogo failed

"IDENT-Authentication" means you must be who are claiming to be,  su to
"ogo" and try it.

> Why??
> Even after consulting postgresql's docs I don't see any mistype or
> something :(

You aren't mistyping anything,  what you are trying to do just doesn't
match your configuration;  look in pg_hba.conf.

> > Nope, I don't think that matters.  If you are getting a Skyrix error
> > though the browser then you have the Apache connection working.
> Let me resume: The only problem I got now is to let OGo connect to the
> postgresql-DB, right?

Yes, seems that way.

Did you look at the WMOGAG section on database connection configuration?
Also see the PostgreSQL documentation for the differences between
trust/ident/password mechanisms.


From users@opengroupware.org  Thu Mar  1 14:22:05 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Thu, 1 Mar 2007 16:22:05 +0200
Subject: [OGo-Users] Apache2 + mod_ngobjweb trouble
Message-ID: <200703011622.05488.juuso.alasuutari@seclan.com>

I'm trying to switch from Apache 1 to 2 on a Debian Sarge-based OGo server. 
The ngobjweb module is giving me a hard time. Apache2 refuses to load, 
saying:

Cannot load /usr/lib/apache2/modules/mod_ngobjweb.so into 
server: /usr/lib/apache2/modules/mod_ngobjweb.so: undefined symbol: 
ap_table_get

I tried changing ap_http_method to ap_http_scheme and recompiling the module 
(as per 
http://docs.opengroupware.org/Members/whitemice/misc/ogo-install-for-opensuse102/document_view), 
but Apache2 doesn't seem to like that either:

Cannot load /usr/lib/apache2/modules/mod_ngobjweb.so into 
server: /usr/lib/apache2/modules/mod_ngobjweb.so: undefined symbol: 
ap_http_scheme

I've tried the ngobjweb sources from sope 4.4.0, some older source versioned 
200407092000, and also the latest nightly build, but it's the same with each 
of them. I built them with 'make HTTPD=/usr/sbin/apache2 apxs=/usr/bin/apxs' 
(as is the configuration in Debian Sarge).

I noticed that I need to have apache-dev installed to build. Ngobjweb uses 
apxs and headers in /usr/include/apache-1.3/, provided by apache-dev. Without 
the headers the compile fails horribly.

I've read previous postings about this issue 
(http://mail.opengroupware.org/pipermail/users/2007-February/017328.html) and 
they seem to imply that it's indeed possible to build mod_ngobjweb for 
Apache2; what is it that I'm doing wrong? How can I build a working module 
without needing Apache 1 headers?

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Thu Mar  1 14:35:41 2007
From: users@opengroupware.org (Florian Reitmeir)
Date: Thu, 1 Mar 2007 15:35:41 +0100
Subject: [OGo-Users] Apache2 + mod_ngobjweb trouble
In-Reply-To: <200703011622.05488.juuso.alasuutari@seclan.com>
References: <200703011622.05488.juuso.alasuutari@seclan.com>
Message-ID: <20070301143540.GI11254@squat.noreply.org>

On Don, 01 M=C3=A4r 2007, Juuso Alasuutari wrote:

> I'm trying to switch from Apache 1 to 2 on a Debian Sarge-based OGo serve=
r.=20
> The ngobjweb module is giving me a hard time. Apache2 refuses to load,=20
> saying:

Why don't you use the packages? there is a module package for apache2 which
works fine for me.

--=20
Florian Reitmeir

From users@opengroupware.org  Thu Mar  1 14:42:11 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Thu, 1 Mar 2007 16:42:11 +0200
Subject: [OGo-Users] Apache2 + mod_ngobjweb trouble
In-Reply-To: <20070301143540.GI11254@squat.noreply.org>
References: <200703011622.05488.juuso.alasuutari@seclan.com> <20070301143540.GI11254@squat.noreply.org>
Message-ID: <200703011642.11711.juuso.alasuutari@seclan.com>

On Thursday 01 March 2007 16:35, Florian Reitmeir wrote:
> On Don, 01 M=C3=A4r 2007, Juuso Alasuutari wrote:
> > I'm trying to switch from Apache 1 to 2 on a Debian Sarge-based OGo
> > server. The ngobjweb module is giving me a hard time. Apache2 refuses to
> > load, saying:
>
> Why don't you use the packages? there is a module package for apache2 whi=
ch
> works fine for me.

I was just about to slap myself because the I noticed that with 'apt-cache=
=20
search' before seeing your reply. I installed it, started the opengroupware=
=20
init script, and everything worked. Geez...

Thanks a lot anyway, and sorry for the noise. :)

=2D-=20
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Thu Mar  1 16:45:13 2007
From: users@opengroupware.org (Martin Hasselmann)
Date: Thu, 01 Mar 2007 17:45:13 +0100
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <1172754428.4555.23.camel@aleph.whitemice.org>
References: <45E5BE66.9040106@gmx.net>	 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>	 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net>	 <1172700046.4528.70.camel@aleph.whitemice.org>  <45E6B9EE.1050806@gmx.net>	 <1172751363.4555.11.camel@aleph.whitemice.org>  <45E6CE40.2090303@gmx.net> <1172754428.4555.23.camel@aleph.whitemice.org>
Message-ID: <45E70319.70204@gmx.net>

Hi again,

I've got one more!

> You aren't mistyping anything,  what you are trying to do just doesn't
> match your configuration;  look in pg_hba.conf.

That was indeed a good hint even though the reconfiguring had no effect.

> Did you look at the WMOGAG section on database connection configuration?

Now I did and that gave me another idea.

When I connect to host/OpenGroupware (case-sensitive) it still returns me

The SKYRIX application server could not connect to the database server !

Please ensure that your database server is running and that the
LSConnectionDictionary default is correctly set.

OK, but the following is very interesting:

Current database configuration: database:	ogo
server:	localhost
user:	ogo

This is wrong because after a reinstall I renamend everything to ogo1.
So I followed the instructions of WMOGAG and tried to change 'Defaults'

Defaults write returns:

LSConnectionDictionary = {
            databaseName = ogo1;
            hostName = localhost;
            password = ********;
            port = 5432;
            userName = ogo1;
};
Of course I made the changes after su - ogo1

So I think that there is something wrong because my browser tells my
something different. Anybody knows what went wrong?

Thanks and best regards,
Martin

From users@opengroupware.org  Thu Mar  1 18:25:30 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Thu, 01 Mar 2007 13:25:30 -0500
Subject: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <45E70319.70204@gmx.net>
References: <45E5BE66.9040106@gmx.net>
 <20070228130207.T5806@philodox.fenks.org>  <45E5E092.9050505@yahoo.com>
 <1172693767.4528.63.camel@aleph.whitemice.org>  <45E5EA76.3040802@gmx.net>
 <1172700046.4528.70.camel@aleph.whitemice.org>  <45E6B9EE.1050806@gmx.net>
 <1172751363.4555.11.camel@aleph.whitemice.org>  <45E6CE40.2090303@gmx.net>
 <1172754428.4555.23.camel@aleph.whitemice.org>  <45E70319.70204@gmx.net>
Message-ID: <1172773530.7327.3.camel@aleph.whitemice.org>

--=-ytIB7ONlH8/8Dq1LtfR+
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> I've got one more!
> > You aren't mistyping anything,  what you are trying to do just doesn't
> > match your configuration;  look in pg_hba.conf.

Did you signal the postmaster process after modifying the file?

export PGDATA=3D/var/lib/pgsql/data/
su postgres -c "/usr/bin/pg_ctl reload"

(The export may not be necessary, that depends on your system/packages)


> That was indeed a good hint even though the reconfiguring had no effect.
> > Did you look at the WMOGAG section on database connection configuration=
?
> Now I did and that gave me another idea.
> When I connect to host/OpenGroupware (case-sensitive) it still returns me
> The SKYRIX application server could not connect to the database server !
> Please ensure that your database server is running and that the
> LSConnectionDictionary default is correctly set.
> OK, but the following is very interesting:
> Current database configuration: database:	ogo
> server:	localhost
> user:	ogo
> This is wrong because after a reinstall I renamend everything to ogo1.
> So I followed the instructions of WMOGAG and tried to change 'Defaults'
> Defaults write returns:
> LSConnectionDictionary =3D {
>             databaseName =3D ogo1;
>             hostName =3D localhost;
>             password =3D ********;
>             port =3D 5432;
>             userName =3D ogo1;
> };
> Of course I made the changes after su - ogo1
> So I think that there is something wrong because my browser tells my
> something different. Anybody knows what went wrong?

You have top restart ogo-webui after changing defaults;  it only reads
them at start, and only tries to connect to the database once.

--=-ytIB7ONlH8/8Dq1LtfR+
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF5xqaLRePpNle04MRAjsKAJ9tSAHJt4NuM+xnHyoMZcnFT9fmJQCeKJPW
hATj7S57Qneycf2zrcqIxGs=
=FuX1
-----END PGP SIGNATURE-----

--=-ytIB7ONlH8/8Dq1LtfR+--


From users@opengroupware.org  Fri Mar  2 13:53:51 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Fri, 2 Mar 2007 15:53:51 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
Message-ID: <200703021553.51499.juuso.alasuutari@seclan.com>

Hi again. :)

I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by using the 
LDAPInitialBind settings as instructed in this manual: 
http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's what 
I have in NSGlobalDomain.plist (don't worry, I'm only using the root account 
temporarily for testing):

    LSAuthLDAPServer = "ldap.foo.bar";
    LSAuthLDAPServerRoot = "dc=foo,dc=bar";
    LSAuthLDAPServerPort = 389;
    LDAPLoginAttributeName = "uid";
    DisablePasswordModification = YES;
    LDAPInitialBindSpecific = YES;
    LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
    LDAPInitialBindPW = "xxx";

When I enable 'allow bind_v2' in slapd.conf I am able to log in via 
http://ldap.foo.bar/OpenGroupware, but without it and using the above 
settings login attempts fail and nothing even appears in the LDAP server's 
syslog.

Any clues?

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Fri Mar  2 14:59:08 2007
From: users@opengroupware.org (Doug Smith)
Date: Fri, 02 Mar 2007 08:59:08 -0600
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
Message-ID: <45E83BBC.10309@alchemysystems.com>

I have contacted Skyrix support and am patiently awaiting an answer, 
however I was hoping someone may have seen this since my users aren't so 
patient.


I installed InstantOGo and configured it to use LDAP.  LDAP 
authentication works great for Thunderbird and Mac Mail which use the 
OGo Zidestore.  When I try Outlook it logs to the Skyrix Zidestore log 
instead and appears to be failing authentication.  Does anyone know how 
to enable LDAP for the Skyrix5 Zidestore as well?  I included at the 
bottom the only changes I have made to the server to get LDAP to work.


 From the log file - /var/log/skyrix5/skyrix-zidestore.err

Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D request 
0x09C444AC: OPTIONS /zidestore/so/dsmith/ (ctx=0x09D6262C)
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D authenticator 
allowed request.
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D traverse 
(/zidestore/so/dsmith/): dsmith (no acquisition)
Mar 01 17:05:11 ZideStore [4617]: |ZideStore| traverse: dsmith
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   do traverse name: 'dsmith'
Mar 01 17:05:11 ZideStore [4617]: |ZideStore| lookup name: dsmith
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   did not find key 
'dsmith' in SoClass: <0x09AF40FC[SoObjCClass]: super=0x09AD9C8C 
objc=ZideStore slots=GET>
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   looked up value:
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   lookup in root object:
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   root is application object
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   GOT:
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|   traverse miss: 
name=dsmith: i=0,count=1
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|     miss is last object.
Mar 01 17:05:11 ZideStore [4617]: |ZideStore|     handle miss error: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D   not calling 
exception: (Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D   render object: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D     render in ctx: 
<0x09D6262C[WOContext]: 00145e707c709d6262c app=ZideStore sn=none eid= 
rqeid=>
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D     use 
rule-selected renderer: <SoDefaultRenderer 0x9d687ac>
Mar 01 17:05:11 ZideStore [4617]: <[so-dflt-renderer]>D     render as 
security exception: (Exception name:SoAuthRequired 
class:SoAuthRequiredException reason:authentication required info:<nil>)
Mar 01 17:05:11 ZideStore [4617]: <[so-dflt-renderer]>D     
authenticator: <SxAuthenticator 0x9c49c74>
Mar 01 17:05:11 ZideStore [4617]: <[so-dflt-renderer]>D     
authenticator did render exception.
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D   made response: 
0x09D65494 (status=401,len=,type=)
Mar 01 17:05:11 ZideStore [4617]: <[object-handler]>D request 
0x09C4E13C: OPTIONS /zidestore/so/dsmith/ (ctx=0x09D6262C)
Mar 01 17:05:11 ZideStore [4617]: <0x09C49C74[SxAuthenticator]> failed 
to authenticate: dsmith.
Mar 01 17:05:12 ZideStore [4617]: <0x09C49C74[SxAuthenticator]> tried 
wrong password for user 'dsmith'!
Mar 01 17:05:12 ZideStore [4617]: <[object-handler]>D request 
0x09C52074: OPTIONS /zidestore/so/dsmith/ (ctx=0x09D6262C)
Mar 01 17:05:12 ZideStore [4617]: <0x09C49C74[SxAuthenticator]> failed 
to authenticate: dsmith.
Mar 01 17:05:12 ZideStore [4617]: <0x09C49C74[SxAuthenticator]> tried 
wrong password for user 'dsmith'!

What I added to my NSGlobalDomain.plist to get OGo Zidestore to work...

    LSAuthLDAPServer = "dc01.avatartechnology.net";
    LSAuthLDAPServerPort = "389";
    LSAuthLDAPServerRoot = "dc=avatartechnology,dc=net";


    LDAPInitialBindSpecific = YES;
    LDAPInitialBindDN = "cn=ldapbind,cn=users,dc=avatartechnology,dc=net";
    LDAPInitialBaseDN = "dc=avatartechnology,dc=net";
    LDAPInitialBindPW = "********";
    LDAPDebugEnabled = "YES";
    LDAPLoginAttributeName = sAMAccountName;






From users@opengroupware.org  Fri Mar  2 15:27:24 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Fri, 02 Mar 2007 10:27:24 -0500
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <45E83BBC.10309@alchemysystems.com>
References: <45E83BBC.10309@alchemysystems.com>
Message-ID: <1172849244.4307.5.camel@aleph.whitemice.org>

--=-x6vVM+NTGupShEa7kH/N
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> I have contacted Skyrix support and am patiently awaiting an answer,=20
> however I was hoping someone may have seen this since my users aren't so=20
> patient
> I installed InstantOGo and configured it to use LDAP.  LDAP=20
> authentication works great for Thunderbird and Mac Mail which use the=20
> OGo Zidestore.=20

In what fashion to TB or MacMai use ZideStore?  Mail functionality
doesn't involve Zidestore at all (currently).

>  When I try Outlook it logs to the Skyrix Zidestore log=20
> instead and appears to be failing authentication.  Does anyone know how=20
> to enable LDAP for the Skyrix5 Zidestore as well?  I included at the=20
> bottom the only changes I have made to the server to get LDAP to work.

On my servers the ZideStore/ZideLook servers installed under a different
user account that the Open Source set of servers;  OGo uses user "ogo"
and ZideStore/ZideLook use user "skyrix5".  You have to set the defaults
for the skyrix5 user.

> What I added to my NSGlobalDomain.plist to get OGo Zidestore to work...
>     LSAuthLDAPServer =3D "dc01.avatartechnology.net";
>     LSAuthLDAPServerPort =3D "389";
>     LSAuthLDAPServerRoot =3D "dc=3Davatartechnology,dc=3Dnet";
>     LDAPInitialBindSpecific =3D YES;
>     LDAPInitialBindDN =3D "cn=3Dldapbind,cn=3Dusers,dc=3Davatartechnology=
,dc=3Dnet";
>     LDAPInitialBaseDN =3D "dc=3Davatartechnology,dc=3Dnet";
>     LDAPInitialBindPW =3D "********";
>     LDAPDebugEnabled =3D "YES";
>     LDAPLoginAttributeName =3D sAMAccountName;

Have you checked what use the ZideStore/ZideLook server is using? ("ps
axu | grep -i zide") Make sure the defaults are set for that user too.

--=-x6vVM+NTGupShEa7kH/N
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF6EJcLRePpNle04MRAhYMAJ9pRJDq+bCGqG19dybVcNEO8ACZ9wCfdrbD
V1gwe5L5dbOMB+yeKhm2sXg=
=IetM
-----END PGP SIGNATURE-----

--=-x6vVM+NTGupShEa7kH/N--


From users@opengroupware.org  Fri Mar  2 15:34:57 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Fri, 02 Mar 2007 10:34:57 -0500
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <200703021553.51499.juuso.alasuutari@seclan.com>
References: <200703021553.51499.juuso.alasuutari@seclan.com>
Message-ID: <1172849697.4307.12.camel@aleph.whitemice.org>

--=-Ynuo6AbaW3EVHYlJO8Ko
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by usin=
g the=20
> LDAPInitialBind settings as instructed in this manual:=20
> http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's w=
hat=20
> I have in NSGlobalDomain.plist (don't worry, I'm only using the root acco=
unt=20
> temporarily for testing):
>     LSAuthLDAPServer =3D "ldap.foo.bar";
>     LSAuthLDAPServerRoot =3D "dc=3Dfoo,dc=3Dbar";
>     LSAuthLDAPServerPort =3D 389;
>     LDAPLoginAttributeName =3D "uid";
>     DisablePasswordModification =3D YES;
>     LDAPInitialBindSpecific =3D YES;
>     LDAPInitialBindDN =3D "uid=3Droot,ou=3Dpeople,dc=3Dfoo,dc=3Dbar";
>     LDAPInitialBindPW =3D "xxx";
> When I enable 'allow bind_v2' in slapd.conf I am able to log in via=20
> http://ldap.foo.bar/OpenGroupware, but without it and using the above=20
> settings login attempts fail and nothing even appears in the LDAP server'=
s=20
> syslog.

That seems very odd: "nothing even appears in the LDAP server's syslog"

What is value of the DSA's loglevel directive?  I'm on the road today,
but off the top of my head I think you want 128+32+8 as a minimum in
order to figure out what is going on.  Since it looks like you are on
the same machine, and thus using ethereal/wireshark is probably out, you
can throw in +2 if you want to see the packets.

And if you are logging to syslog make sure syslog isn't ditching traffic
below a certain level.

A rule like:
local4.*                        -/var/log/ldap
 - is a good idea.
> Any clues?


--=-Ynuo6AbaW3EVHYlJO8Ko
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF6EQhLRePpNle04MRAppLAJ90sKNlv/oURqSS2BLucKwzWTJPqwCfSRf0
WqJ/whS0v3nw69wVAFUwgfs=
=s5W+
-----END PGP SIGNATURE-----

--=-Ynuo6AbaW3EVHYlJO8Ko--


From users@opengroupware.org  Fri Mar  2 17:01:58 2007
From: users@opengroupware.org (Doug Smith)
Date: Fri, 02 Mar 2007 11:01:58 -0600
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <1172849244.4307.5.camel@aleph.whitemice.org>
References: <45E83BBC.10309@alchemysystems.com> <1172849244.4307.5.camel@aleph.whitemice.org>
Message-ID: <45E85886.4090400@alchemysystems.com>

Adam Tauno Williams wrote:
>> I have contacted Skyrix support and am patiently awaiting an answer, 
>> however I was hoping someone may have seen this since my users aren't so 
>> patient
>> I installed InstantOGo and configured it to use LDAP.  LDAP 
>> authentication works great for Thunderbird and Mac Mail which use the 
>> OGo Zidestore. 
>>     
>
> In what fashion to TB or MacMai use ZideStore?  Mail functionality
> doesn't involve Zidestore at all (currently).
>   
When TB and MacMail log it is to the files ogo-zidestore-1.5-err.log and 
ogo-zidestore-1.5-out.log which is why I said they use the OGo 
zidestore.  I'm new to this product so maybe my assumption is wrong.
>   
>>  When I try Outlook it logs to the Skyrix Zidestore log 
>> instead and appears to be failing authentication.  Does anyone know how 
>> to enable LDAP for the Skyrix5 Zidestore as well?  I included at the 
>> bottom the only changes I have made to the server to get LDAP to work.
>>     
>
> On my servers the ZideStore/ZideLook servers installed under a different
> user account that the Open Source set of servers;  OGo uses user "ogo"
> and ZideStore/ZideLook use user "skyrix5".  You have to set the defaults
> for the skyrix5 user.
>   
I'm sure you are on the right path, but I'm not sure what you mean by 
"set the defaults".  I tried adding my LDAP settings to 
/etc/opengroupware.org/ZideStore.plist and 
/etc/opengroupware.org/Defaults.plist with no luck.  I tried changing 
the /etc/init.d/sx-zidestore to use user ogo and change perms on the 
dirs to ogo:skyrix and the init script broke so I put it all back.



>   
>> What I added to my NSGlobalDomain.plist to get OGo Zidestore to work...
>>     LSAuthLDAPServer = "dc01.avatartechnology.net";
>>     LSAuthLDAPServerPort = "389";
>>     LSAuthLDAPServerRoot = "dc=avatartechnology,dc=net";
>>     LDAPInitialBindSpecific = YES;
>>     LDAPInitialBindDN = "cn=ldapbind,cn=users,dc=avatartechnology,dc=net";
>>     LDAPInitialBaseDN = "dc=avatartechnology,dc=net";
>>     LDAPInitialBindPW = "********";
>>     LDAPDebugEnabled = "YES";
>>     LDAPLoginAttributeName = sAMAccountName;
>>     
>
> Have you checked what use the ZideStore/ZideLook server is using? ("ps
> axu | grep -i zide") Make sure the defaults are set for that user too.
>   


[root@scogo Defaults]# ps -ef |grep -i zide
skyrix5   3516     1  0 09:08 ?        00:00:00 
/opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideStore 
-WOUseWatchDog YES
skyrix5   3525  3516  0 09:08 ?        00:00:00 
/opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideStore 
-WOUseWatchDog YES
ogo       3875     1  0 09:09 ?        00:00:01 
/usr/local/sbin/ogo-zidestore-1.5

From users@opengroupware.org  Fri Mar  2 17:41:39 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Fri, 02 Mar 2007 12:41:39 -0500
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <45E85886.4090400@alchemysystems.com>
References: <45E83BBC.10309@alchemysystems.com>
 <1172849244.4307.5.camel@aleph.whitemice.org>
 <45E85886.4090400@alchemysystems.com>
Message-ID: <1172857299.4294.4.camel@aleph.whitemice.org>

--=-Gr5goLchgDzMPlQnCTrK
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> >>  When I try Outlook it logs to the Skyrix Zidestore log=20
> >> instead and appears to be failing authentication.  Does anyone know ho=
w=20
> >> to enable LDAP for the Skyrix5 Zidestore as well?  I included at the=20
> >> bottom the only changes I have made to the server to get LDAP to work.
> > On my servers the ZideStore/ZideLook servers installed under a differen=
t
> > user account that the Open Source set of servers;  OGo uses user "ogo"
> > and ZideStore/ZideLook use user "skyrix5".  You have to set the default=
s
> > for the skyrix5 user.
> I'm sure you are on the right path, but I'm not sure what you mean by=20
> "set the defaults".  I tried adding my LDAP settings to=20
> /etc/opengroupware.org/ZideStore.plist and=20

"/etc/opengroupware.org" is only a sym-link to
"/var/lib/opengroupware.org/.libFoundation", which is the defaults
directory for the user "ogo".

> /etc/opengroupware.org/Defaults.plist with no luck.  I tried changing=20
> the /etc/init.d/sx-zidestore to use user ogo and change perms on the=20
> dirs to ogo:skyrix and the init script broke so I put it all back.

su to the user the ZideStore/ZideLook daemon runs as and use the
Defaults command to set the defaults.  Defaults are per-user.  If the
daemon runs as a different user, with a different home directory,  then
it has an entirely separate collection of defaults.

> > Have you checked what use the ZideStore/ZideLook server is using? ("ps
> > axu | grep -i zide") Make sure the defaults are set for that user too.
> [root@scogo Defaults]# ps -ef |grep -i zide
> skyrix5   3516     1  0 09:08 ?        00:00:00=20
> /opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideSt=
ore=20
> -WOUseWatchDog YES
> skyrix5   3525  3516  0 09:08 ?        00:00:00=20
> /opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideSt=
ore=20
> -WOUseWatchDog YES
> ogo       3875     1  0 09:09 ?        00:00:01=20
> /usr/local/sbin/ogo-zidestore-1.5

See...ZideStore/ZideLook is running as user "skyrix5",  set the defaults
for that user;  which has nothing to do with "/etc/opengroupware.org".

--=-Gr5goLchgDzMPlQnCTrK
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF6GHTLRePpNle04MRAj0QAJ4mbkATeCJnsCPqgEgHc+UG2msCPQCfT0L2
fQ9PJMba5tPRy5HobiQlYs4=
=Jfxu
-----END PGP SIGNATURE-----

--=-Gr5goLchgDzMPlQnCTrK--


From users@opengroupware.org  Fri Mar  2 19:26:29 2007
From: users@opengroupware.org (Martin Hasselmann)
Date: Fri, 02 Mar 2007 20:26:29 +0100
Subject: <SOLVED> Re: [OGo-Users] ogo Debian Sarge First install apach2 404
In-Reply-To: <45E5BE66.9040106@gmx.net>
References: <45E5BE66.9040106@gmx.net>
Message-ID: <45E87A65.5080801@gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi again,

finally I made it. There are some smaller things I've made to get OGo
running so I cannot differentiate which one of my changes where actually
the solution. I guess it is a combination ;)

Thanks for all your help. I registered at OGo and will write a HowTo soon.

Kind regards,
Martin

PS @Matt: I CC'd you on purpose :) I documented my installation in Germa
n and will need some time to translate is. When this is done I will send
you the link and then wait for your corrections/additions etc. :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF6HploAQ/BgYpd2QRAsohAJwJYl8dLgXNXjY3meTwZIVJHY85jgCeMchp
8ISjy1susCE4LT2nDD8UH7s=
=H7yM
-----END PGP SIGNATURE-----

From users@opengroupware.org  Fri Mar  2 20:47:10 2007
From: users@opengroupware.org (Doug Smith)
Date: Fri, 02 Mar 2007 14:47:10 -0600
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <1172857299.4294.4.camel@aleph.whitemice.org>
References: <45E83BBC.10309@alchemysystems.com>	 <1172849244.4307.5.camel@aleph.whitemice.org>	 <45E85886.4090400@alchemysystems.com> <1172857299.4294.4.camel@aleph.whitemice.org>
Message-ID: <45E88D4E.8040503@alchemysystems.com>

Thanks for the help on authentication.  I was able to get the settings 
in for the Skyrix5 user.  The connector now authenticates, but Outlook 
doesn't seem to when it starts.  I think it is because the account is 
created for ogo-zidestore when logging into the webserver, but no 
account is created for SX-zidestore.  Maybe now I need to get rid of 
ogo-zidestore and have everything use the sx-zidestore.  I'm curious if 
this sounds right to you.  Here is the first part of the error log when 
Outlook starts.  It is a total of 1398 lines. =\

Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D request 
0x087E09E4: OPTIONS /zidestore/so/dsmith/ 
(ctx=0x088FEC34)                  
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D authenticator 
allowed request.
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D traverse 
(/zidestore/so/dsmith/): dsmith (no acquisition)
Mar 02 14:15:22 ZideStore [17814]: |ZideStore| traverse: dsmith
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   do traverse name: 
'dsmith'                                                                
Mar 02 14:15:22 ZideStore [17814]: |ZideStore| lookup name: dsmith
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   did not find key 
'dsmith' in SoClass: <0x08690634[SoObjCClass]: super=0x086761C4 
objc=ZideStore slots=GET>
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   looked up 
value:                                                                           

Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   lookup in root 
object:                                                                    
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   root is application object
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   GOT:
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   traverse miss: 
name=dsmith: i=0,count=1                                                   
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|     miss is last 
object.                                                                    
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|     handle miss error: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D   not calling 
exception: (Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required 
info:<nil>)                                                                                                 

Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D   render object: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D     render in 
ctx: <0x088FEC34[WOContext]: 00145e885da088fec34 app=ZideStore sn=none 
eid= 
rqeid=>                                                                                                                                

Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D     use 
rule-selected renderer: <SoDefaultRenderer 0x8904db4>
Mar 02 14:15:22 ZideStore [17814]: <[so-dflt-renderer]>D     render as 
security exception: (Exception name:SoAuthRequired 
class:SoAuthRequiredException reason:authentication required 
info:<nil>)                                                                                      

Mar 02 14:15:22 ZideStore [17814]: <[so-dflt-renderer]>D     
authenticator: <SxAuthenticator 0x87e61ec>
Mar 02 14:15:22 ZideStore [17814]: <[so-dflt-renderer]>D     
authenticator did render exception.
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D   made response: 
0x08901A9C (status=401,len=,type=)                                 
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D request 
0x087EA684: OPTIONS /zidestore/so/dsmith/ 
(ctx=0x088FEC34)                  
Mar 02 14:15:22 ZideStore [17814]: <0x00226520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 'dsmith'
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D authenticator 
allowed request.
Mar 02 14:15:22 ZideStore [17814]: <[object-handler]>D traverse 
(/zidestore/so/dsmith/): dsmith (no acquisition)                           
Mar 02 14:15:22 ZideStore [17814]: |ZideStore| traverse: dsmith
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   do traverse name: 
'dsmith'                                                                
Mar 02 14:15:22 ZideStore [17814]: |ZideStore| lookup name: dsmith
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   did not find key 
'dsmith' in SoClass: <0x08690634[SoObjCClass]: super=0x086761C4 
objc=ZideStore slots=GET>
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   looked up value:
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   lookup in root object:
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   root is application 
object                                                                
Mar 02 14:15:22 ZideStore [17814]: |ZideStore|   GOT:
Mar 02 14:15:23 ZideStore [17814]: <0x00226520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 
'dsmith'                                                                          

Mar 02 14:15:23 ZideStore [17814]: |ZideStore| set clientObject: 
<0x088CEEEC[SxUserFolder]: login=dsmith>
Mar 02 14:15:23 ZideStore [17814]: <[object-handler]>D   dispatcher: 
<0x088BFAEC[SoObjectWebDAVDispatcher]: object=<0x088CEEEC[SxUserFolder]: 
login=dsmith>>


Adam Tauno Williams wrote:
>>>>  When I try Outlook it logs to the Skyrix Zidestore log 
>>>> instead and appears to be failing authentication.  Does anyone know how 
>>>> to enable LDAP for the Skyrix5 Zidestore as well?  I included at the 
>>>> bottom the only changes I have made to the server to get LDAP to work.
>>>>         
>>> On my servers the ZideStore/ZideLook servers installed under a different
>>> user account that the Open Source set of servers;  OGo uses user "ogo"
>>> and ZideStore/ZideLook use user "skyrix5".  You have to set the defaults
>>> for the skyrix5 user.
>>>       
>> I'm sure you are on the right path, but I'm not sure what you mean by 
>> "set the defaults".  I tried adding my LDAP settings to 
>> /etc/opengroupware.org/ZideStore.plist and 
>>     
>
> "/etc/opengroupware.org" is only a sym-link to
> "/var/lib/opengroupware.org/.libFoundation", which is the defaults
> directory for the user "ogo".
>
>   
>> /etc/opengroupware.org/Defaults.plist with no luck.  I tried changing 
>> the /etc/init.d/sx-zidestore to use user ogo and change perms on the 
>> dirs to ogo:skyrix and the init script broke so I put it all back.
>>     
>
> su to the user the ZideStore/ZideLook daemon runs as and use the
> Defaults command to set the defaults.  Defaults are per-user.  If the
> daemon runs as a different user, with a different home directory,  then
> it has an entirely separate collection of defaults.
>
>   
>>> Have you checked what use the ZideStore/ZideLook server is using? ("ps
>>> axu | grep -i zide") Make sure the defaults are set for that user too.
>>>       
>> [root@scogo Defaults]# ps -ef |grep -i zide
>> skyrix5   3516     1  0 09:08 ?        00:00:00 
>> /opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideStore 
>> -WOUseWatchDog YES
>> skyrix5   3525  3516  0 09:08 ?        00:00:00 
>> /opt/skyrix/skyrix5/WOApps/ZideStore.woa/ix86/linux-gnu/gnu-fd-nil/ZideStore 
>> -WOUseWatchDog YES
>> ogo       3875     1  0 09:09 ?        00:00:01 
>> /usr/local/sbin/ogo-zidestore-1.5
>>     
>
> See...ZideStore/ZideLook is running as user "skyrix5",  set the defaults
> for that user;  which has nothing to do with "/etc/opengroupware.org".
>   


From users@opengroupware.org  Fri Mar  2 20:51:01 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Fri, 02 Mar 2007 15:51:01 -0500
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <45E88D4E.8040503@alchemysystems.com>
References: <45E83BBC.10309@alchemysystems.com>	 <1172849244.4307.5.camel@aleph.whitemice.org>	 <45E85886.4090400@alchemysystems.com> <1172857299.4294.4.camel@aleph.whitemice.org> <45E88D4E.8040503@alchemysystems.com>
Message-ID: <45E88E35.2060508@morrison-ind.com>

> Thanks for the help on authentication.  I was able to get the settings 
> in for the Skyrix5 user.  The connector now authenticates, but Outlook 
> doesn't seem to when it starts.  I think it is because the account is 
> created for ogo-zidestore when logging into the webserver, but no 

Logging into ZideStore does not create an account.  You need to populate 
the accounts through XML-RPC or have users log into the web interface at 
least once.

> account is created for SX-zidestore.  Maybe now I need to get rid of 
> ogo-zidestore and have everything use the sx-zidestore. 

NO,  using both OGo/ZideStore and ZideLook/ZideStore is OK and even 
normal.  They connect to the same database, and thus share accounts.

From users@opengroupware.org  Fri Mar  2 23:47:06 2007
From: users@opengroupware.org (Martin Hasselmann)
Date: Sat, 03 Mar 2007 00:47:06 +0100
Subject: <SOLVED> Re: [OGo-Users] ogo Debian Sarge First install apach2
 404
In-Reply-To: <45E87A65.5080801@gmx.net>
References: <45E5BE66.9040106@gmx.net> <45E87A65.5080801@gmx.net>
Message-ID: <45E8B77A.4050707@gmx.net>

Hi,

as I promised I wrote something down which you can see here if you are
interested:

http://docs.opengroupware.org/Members/mhasselmann/sarge-apache2/document_view

Martin Hasselmann schrieb:
> Hi again,
> 
> finally I made it. There are some smaller things I've made to get OGo
> running so I cannot differentiate which one of my changes where actually
> the solution. I guess it is a combination ;)
> 
> Thanks for all your help. I registered at OGo and will write a HowTo soon.
> 
> Kind regards,
> Martin
> 
> PS @Matt: I CC'd you on purpose :) I documented my installation in Germa
> n and will need some time to translate is. When this is done I will send
> you the link and then wait for your corrections/additions etc. :)

From users@opengroupware.org  Sat Mar  3 10:27:58 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sat, 03 Mar 2007 11:27:58 +0100
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1172849697.4307.12.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <1172849697.4307.12.camel@aleph.whitemice.org>
Message-ID: <45E94DAE.6080302@nc-world.de>

Adam Tauno Williams schrieb:
>> I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by using the 
>> LDAPInitialBind settings as instructed in this manual: 
>> http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's what 
>> I have in NSGlobalDomain.plist (don't worry, I'm only using the root account 
>> temporarily for testing):
>>     LSAuthLDAPServer = "ldap.foo.bar";
>>     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
>>     LSAuthLDAPServerPort = 389;
>>     LDAPLoginAttributeName = "uid";
>>     DisablePasswordModification = YES;
>>     LDAPInitialBindSpecific = YES;
>>     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
>>     LDAPInitialBindPW = "xxx";
>> When I enable 'allow bind_v2' in slapd.conf I am able to log in via 
>> http://ldap.foo.bar/OpenGroupware, but without it and using the above 
>> settings login attempts fail and nothing even appears in the LDAP server's 
>> syslog.
>>     
>
> That seems very odd: "nothing even appears in the LDAP server's syslog"
>
> What is value of the DSA's loglevel directive?  I'm on the road today,
> but off the top of my head I think you want 128+32+8 as a minimum in
> order to figure out what is going on.  Since it looks like you are on
> the same machine, and thus using ethereal/wireshark is probably out, you
> can throw in +2 if you want to see the packets.
>
> And if you are logging to syslog make sure syslog isn't ditching traffic
> below a certain level.
>
> A rule like:
> local4.*                        -/var/log/ldap
>  - is a good idea.
>   
>> Any clues?
>>     
>
>   
I try to do the same Setup just for autheticatting against kerberos with 
users in ldap.
I figured out that the Syntax

LDAPInitialBindSpecific = YES;

sounds right for "Defaults read" but the InitialBind will not work.

If you remove the '=' then it should work, it does it in my setup.

LDAPInitialBindSpecific YES;


Greetz, Torsten




-- 
---

net-concept T. Becker




From users@opengroupware.org  Sat Mar  3 11:35:44 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sat, 03 Mar 2007 12:35:44 +0100
Subject: [OGo-Users] ldap+kerberos authentication
Message-ID: <45E95D90.4030909@nc-world.de>

Hello List!

I try to setup ogo to authenticate users via mod-auth-kerb from apache2.
I read all documents I found on,last the wihtemice administartors guide.

I use OpenGroupware.org1.1 on a debian system mixed from sarge and etch.

Ldap and Kerberos are up and work for some different applications.
For example I can login to plone2.5 via the apache-kerberos module.

I configured these defaults for user OGo which is the user for my ogo 
installation:

---------------------------config------------------------------------------------
ogo:/etc/opengroupware.org/OGo/Defaults# cat NSGlobalDomain.plist
{
    "skyrix_id" = "ogo.axg.local-ogo";
    LSAttachmentPath = "/var/lib/opengroupware.org/documents";
    LSConnectionDictionary = {
        databaseName = OGo;
        hostName = localhost;
        password = "";
        port = 5432;
        userName = OGo;
    };
    LSNewsImagesPath = "/var/lib/opengroupware.org/news_images/";
    LSNewsImagesUrl = "/NewsImages-ogo";
    Languages = (
        German
    );
    SkyFSPath = "/var/lib/opengroupware.org/skyfs";
    SkyLogoutURL = "/OpenGroupware";
    TimeZoneName = GMT;

    LDAPInitialBindDN = "uid=root,ou=smbUser,dc=axg,dc=local";
    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
    LDAPInitialBindSpecific YES;
    LSAuthLDAPServer = "auth.axg.local";
    LSAuthLDAPServerRoot = "dc=axg,dc=local";
}


ogo:/etc/opengroupware.org/OGo/Defaults# cat ogo-webui-1.1.plist
{
    LSUseBasicAuthentication = YES;
}

--------------------------------------end 
config--------------------------------------------------

This is the configured site in apache2:

--------------------------------------config-------------------------------------------------------
ogo:/etc/opengroupware.org/OGo/Defaults# cat 
/etc/apache2/sites-enabled/ssl-site
<IfDefine SSL>
<VirtualHost 192.168.111.236:443>
        DocumentRoot /var/www
        ErrorLog /var/log/apache2/ssl-error_log
        TransferLog /var/log/apache2/ssl-access_log
        SSLEngine on
        SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/certs/ogo.pem
        SSLCertificateKeyFile /etc/apache2/certs/ogo_key.pem
        SSLCACertificateFile /etc/apache2/certs/axgCA.pem

        KrbMethodNegotiate on
        Krb5Keytab /etc/apache2/certs/apache2.keytab
        KrbAuthRealms REALM
        KrbVerifyKDC on

<Location /OpenGroupware>
        AuthType Kerberos
        KrbAuthRealms REALM
        KrbServiceName HTTP
        Krb5Keytab /etc/apache2/certs/apache2.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Require user hcallahan@REALM ckent@REALM
</Location>

<Directory /var/www>
        Options Indexes FollowSymlinks
        AllowOverride All
        Order allow,deny
        allow from all

        AuthType Basic
</Directory>
</VirtualHost>
</IfDefine>
------------------------------------end-config-------------------------------------

Now I end up with apache2 authenticating the user to reach location 
/OpenGroupware
and I see (in Postgresql Logfile) user OGo connecting to the database 
trying to do something.
This login from OGo to Postgres repeats until some timeout and the 
browser tells me that he was able
to verify the user to location /OpenGroupware.

If I disable Basic Authentication in ogo, apache2 autheticates the user 
and I see the login prompt
from ogo. I can now login in normal manner without errors.

Does some know what ogo tries to do in the database or how i can it make 
visible to me?
I tried to set logging of postgres to debug, but that did not get me 
further.

I have another question.
Since I enabled mod-auth-kerb, ogo server uses User OGo to connect to 
postgres.
The normal setup for debian uses User ogo. So I had to change database 
name and user to be able
to login again. But i'am not very happy with this, because I fear 
problems for transfering data from
standard installation to the new installation with different database 
name and user.

Perhaps some can tell me a solution to this.

Greetz, Torsten

-- 
---

net-concept T. Becker




From users@opengroupware.org  Sat Mar  3 12:55:46 2007
From: users@opengroupware.org (Helge Hess)
Date: Sat, 3 Mar 2007 13:55:46 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45E95D90.4030909@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
Message-ID: <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>

On Mar 3, 2007, at 12:35, Torsten Becker wrote:
>    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";

Uhm? You need to specify the password here.

Greets,
   Helge
-- 
Helge Hess
http://www.helgehess.eu/



From users@opengroupware.org  Sat Mar  3 14:39:06 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sat, 03 Mar 2007 15:39:06 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>
References: <45E95D90.4030909@nc-world.de> <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>
Message-ID: <45E9888A.1010905@nc-world.de>

Helge Hess schrieb:
> On Mar 3, 2007, at 12:35, Torsten Becker wrote:
>>    LDAPInitialBindPW =3D "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
>
> Uhm? You need to specify the password here.
>
> Greets,
>   Helge
I tested both, the cleartext password and the bove hashed string of the=20
password.
For both I get no error messages from ldap-authentication and the=20
behavior of the server is equal.

Is there any way to see what username ogo tries to login after the=20
apache2 authenticates him?
Or is there a way to see what the OGo user tries to do on his database?
For now I can only see OGo to connect to postgres...

Greets, Torsten

--=20
---

net-concept T. Becker
Goethestrasse 7
55288 Udenheim

Tel:    +49 6732 9339 761
Fax:    +49 6732 9339 767
Mobil:  +49  178 4589 296

eMail:	t.becker@nc-world.de
Web:	http://www-nc-world.de

Steuernummer:	03/009/4264/8



Diese E-Mail enth=E4lt vertrauliche und/oder rechtlich gesch=FCtzte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mai=
l
irrt=FCmlich erhalten haben, informieren Sie bitte sofort den Absender un=
d
vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
=20
This e-mail may contain confidential and/or privileged information. If yo=
u
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and delete this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.



From users@opengroupware.org  Sat Mar  3 18:11:47 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Sat, 03 Mar 2007 13:11:47 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45E9888A.1010905@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
 <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>
 <45E9888A.1010905@nc-world.de>
Message-ID: <1172945507.4777.1.camel@laptop02.whitemice.org>

> >>    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
> > Uhm? You need to specify the password here.
> I tested both, the cleartext password and the bove hashed string of the 
> password.
> For both I get no error messages from ldap-authentication and the

Sure, the bind just fails.
 
> behavior of the server is equal.

Increase your logging level.

> Is there any way to see what username ogo tries to login after the 
> apache2 authenticates him?

This is recorded in the ogo-webui-*.err file

> Or is there a way to see what the OGo user tries to do on his database?
> For now I can only see OGo to connect to postgres...

OGo connects to PostgreSQL using the parameters defined in
LSConnectionDictionary.


From users@opengroupware.org  Sat Mar  3 19:15:42 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sat, 03 Mar 2007 20:15:42 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <1172945507.4777.1.camel@laptop02.whitemice.org>
References: <45E95D90.4030909@nc-world.de>	 <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>	 <45E9888A.1010905@nc-world.de> <1172945507.4777.1.camel@laptop02.whitemice.org>
Message-ID: <45E9C95E.3020105@nc-world.de>

Adam Tauno Williams schrieb:
>>>>    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
>>>>         
>>> Uhm? You need to specify the password here.
>>>       
>> I tested both, the cleartext password and the bove hashed string of the 
>> password.
>> For both I get no error messages from ldap-authentication and the
>>     
>
> Sure, the bind just fails.
>   
Not so sure. The failure of an anonymous bind is documented in the webui 
logfile.
The errormessage in this logfile only disappears after setting the DN, 
PW and BindSpecific Parameters.
>  
>   
>> behavior of the server is equal.
>>     
>
> Increase your logging level.
>   
For which application?
How can I do this for OGo??
>   
>> Is there any way to see what username ogo tries to login after the 
>> apache2 authenticates him?
>>     
>
> This is recorded in the ogo-webui-*.err file
>
>   
I don't have such a file on the system.
>> Or is there a way to see what the OGo user tries to do on his database?
>> For now I can only see OGo to connect to postgres...
>>     
>
> OGo connects to PostgreSQL using the parameters defined in
> LSConnectionDictionary.
>
>   
Not definitly. After standard debian installation and building a ogo 
instance with ogo-create-instance script, I have db named ogo and dbuser 
called ogo.
In my LSConnectionDictionary are these credentials configured (ogo,ogo). 
All is fine.

But after enabling mod-auth-kerb my browser tells me a connection error 
to postgres. Postgres logs show connection errors for user OGo@127.0.0.1

I was not able to change this behaviour and therefor changed my 
database, dbuser and LSConnectionDictionary to OGo,OGo




From users@opengroupware.org  Sun Mar  4 04:03:26 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Sat, 03 Mar 2007 23:03:26 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45E9C95E.3020105@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
 <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>
 <45E9888A.1010905@nc-world.de>
 <1172945507.4777.1.camel@laptop02.whitemice.org>
 <45E9C95E.3020105@nc-world.de>
Message-ID: <1172981007.4151.8.camel@aleph.whitemice.org>

> >>>>    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
> >>> Uhm? You need to specify the password here.
> >> I tested both, the cleartext password and the bove hashed string of the 
> >> password.
> >> For both I get no error messages from ldap-authentication and the

Are you authenticating via OGo/LDAP or Apache/LDAP or Apache/Kerberos?
You seem to be confusing all three configurations.

> > Sure, the bind just fails.
> Not so sure. The failure of an anonymous bind is documented in the webui 
> logfile.
> The errormessage in this logfile only disappears after setting the DN, 
> PW and BindSpecific Parameters.

Seems expected unless your LDAP server is set to permit LDAPv2 and/or
anonymous binds (probably not).

> >> behavior of the server is equal.
> > Increase your logging level.
> For which application?

Your LDAP DSA if you are interested as to what search/bind-attempt is
being attempted (if any).

But you are talking about Kerberos,  so I don't see how LDAP binding is
relevant.

> How can I do this for OGo??
> >> Is there any way to see what username ogo tries to login after the 
> >> apache2 authenticates him?
> > This is recorded in the ogo-webui-*err file
> I don't have such a file on the system.

Yes, you do.  Did you look in /var/log/opengroupware?  For instance, I
have ogo-webui-1.1-err.log & ogo-webui-1.1-out.log.

> >> Or is there a way to see what the OGo user tries to do on his database?
> >> For now I can only see OGo to connect to postgres...
> > OGo connects to PostgreSQL using the parameters defined in
> > LSConnectionDictionary.
> Not definitly. 

Yes, definitely.

> After standard debian installation and building a ogo 
> instance with ogo-create-instance script, I have db named ogo and dbuser 
> called ogo.
> In my LSConnectionDictionary are these credentials configured (ogo,ogo). 
> All is fine.
> But after enabling mod-auth-kerb my browser tells me a connection error 
> to postgres. Postgres logs show connection errors for user OGo@127.0.0.1
> I was not able to change this behaviour and therefor changed my 
> database, dbuser and LSConnectionDictionary to OGo,OGo

Beats me, this is totally unrelated;  you must have bumped something
else.  PostgreSQL user names and role names are case sensitive.


From users@opengroupware.org  Sun Mar  4 04:05:09 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Sat, 03 Mar 2007 23:05:09 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45E95D90.4030909@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
Message-ID: <1172981109.4151.10.camel@aleph.whitemice.org>

> Does some know what ogo tries to do in the database or how i can it make 
> visible to me?

Set the PGDebugEnabled default to "YES".


From users@opengroupware.org  Sun Mar  4 15:46:33 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sun, 04 Mar 2007 16:46:33 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <1172981007.4151.8.camel@aleph.whitemice.org>
References: <45E95D90.4030909@nc-world.de>	 <CC4251B5-4D65-4264-B0BD-42B469F76143@opengroupware.org>	 <45E9888A.1010905@nc-world.de>	 <1172945507.4777.1.camel@laptop02.whitemice.org>	 <45E9C95E.3020105@nc-world.de> <1172981007.4151.8.camel@aleph.whitemice.org>
Message-ID: <45EAE9D9.80701@nc-world.de>

Adam Tauno Williams schrieb:
>>>>>>    LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
>>>>>>             
>>>>> Uhm? You need to specify the password here.
>>>>>           
>>>> I tested both, the cleartext password and the bove hashed string of the 
>>>> password.
>>>> For both I get no error messages from ldap-authentication and the
>>>>         
>
> Are you authenticating via OGo/LDAP or Apache/LDAP or Apache/Kerberos?
> You seem to be confusing all three configurations.
>
>   
I want to authenticate via Apache/Kerberos. All Docs I found told to 
configure the LDAP settings in the Defaults...

>>> Sure, the bind just fails.
>>>       
>> Not so sure. The failure of an anonymous bind is documented in the webui 
>> logfile.
>> The errormessage in this logfile only disappears after setting the DN, 
>> PW and BindSpecific Parameters.
>>     
>
> Seems expected unless your LDAP server is set to permit LDAPv2 and/or
> anonymous binds (probably not).
>
>   
The slapd permits LDAPv2 but not anonymous binds.
>>>> behavior of the server is equal.
>>>>         
>>> Increase your logging level.
>>>       
>> For which application?
>>     
>
> Your LDAP DSA if you are interested as to what search/bind-attempt is
> being attempted (if any).
>
> But you are talking about Kerberos,  so I don't see how LDAP binding is
> relevant.
>   
The only search attemps that I could see, searched for the user OGo. 
This user exists local.
I would be happy, if someone could give me a complete description of the 
configuration I need to authenticate
via apache-mod-kerberos and be authenticated to ogo without prompted for 
another login.
>   
>> How can I do this for OGo??
>>     
>>>> Is there any way to see what username ogo tries to login after the 
>>>> apache2 authenticates him?
>>>>         
>>> This is recorded in the ogo-webui-*err file
>>>       
>> I don't have such a file on the system.
>>     
>
> Yes, you do.  Did you look in /var/log/opengroupware?  For instance, I
> have ogo-webui-1.1-err.log & ogo-webui-1.1-out.log.
>   
Sorry I searched the whole system. I don't have these files. In 
/var/log/opengroupware.org/OGo/ are just the
standard logfiles webui.log, zidestore.log and xmlrpcd.log
>   
>>>> Or is there a way to see what the OGo user tries to do on his database?
>>>> For now I can only see OGo to connect to postgres...
>>>>         
>>> OGo connects to PostgreSQL using the parameters defined in
>>> LSConnectionDictionary.
>>>       
>> Not definitly. 
>>     
>
> Yes, definitely.
>
>   
>> After standard debian installation and building a ogo 
>> instance with ogo-create-instance script, I have db named ogo and dbuser 
>> called ogo.
>> In my LSConnectionDictionary are these credentials configured (ogo,ogo). 
>> All is fine.
>> But after enabling mod-auth-kerb my browser tells me a connection error 
>> to postgres. Postgres logs show connection errors for user OGo@127.0.0.1
>> I was not able to change this behaviour and therefor changed my 
>> database, dbuser and LSConnectionDictionary to OGo,OGo
>>     
>
> Beats me, this is totally unrelated;  you must have bumped something
> else.  PostgreSQL user names and role names are case sensitive.
>
>   
I know its unrelated, but confused me...




From users@opengroupware.org  Sun Mar  4 15:47:16 2007
From: users@opengroupware.org (Torsten Becker)
Date: Sun, 04 Mar 2007 16:47:16 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <1172981109.4151.10.camel@aleph.whitemice.org>
References: <45E95D90.4030909@nc-world.de> <1172981109.4151.10.camel@aleph.whitemice.org>
Message-ID: <45EAEA04.3030703@nc-world.de>

Adam Tauno Williams schrieb:
>> Does some know what ogo tries to do in the database or how i can it make 
>> visible to me?
>>     
>
> Set the PGDebugEnabled default to "YES".
>
>   
Thank you. I will test it. Perhaps I can find some hints then...



From users@opengroupware.org  Sun Mar  4 20:19:27 2007
From: users@opengroupware.org (Matt Johnson)
Date: Sun, 04 Mar 2007 20:19:27 +0000
Subject: <SOLVED> Re: [OGo-Users] ogo Debian Sarge First install apach2
 404
In-Reply-To: <45E8B77A.4050707@gmx.net>
References: <45E5BE66.9040106@gmx.net> <45E87A65.5080801@gmx.net> <45E8B77A.4050707@gmx.net>
Message-ID: <45EB29CF.5080904@yahoo.com>

Martin Hasselmann wrote:
> Hi,
>
> as I promised I wrote something down which you can see here if you are
> interested:
>
> http://docs.opengroupware.org/Members/mhasselmann/sarge-apache2/document_view
>
> Martin Hasselmann schrieb:
>   
>> Hi again,
>>
>> finally I made it. There are some smaller things I've made to get OGo
>> running so I cannot differentiate which one of my changes where actually
>> the solution. I guess it is a combination ;)
>>
>> Thanks for all your help. I registered at OGo and will write a HowTo soon.
>>
>> Kind regards,
>> Martin
>>
>> PS @Matt: I CC'd you on purpose :) I documented my installation in Germa
>> n and will need some time to translate is. When this is done I will send
>> you the link and then wait for your corrections/additions etc. :)
>>     
Martin,

I've just created myself a membership on the docs project website. Could 
you give me permission to edit the document? It's the "sharing" tab. My 
username is "johnsonmlw". Then I can edit the document. The original is 
saved, so you can undo any changes you don't like afterwards :)

I've just posted my notes up:

http://docs.opengroupware.org/Members/johnsonmlw/debiansargeapache2/document_view

My notes are for a fresh install of Debian Sarge and I don't edit any 
settings.

You should be able to edit my notes (I've given you the correct 
permissions)... And please go ahead and edit it.

:)

--
Matt

From users@opengroupware.org  Sun Mar  4 20:26:33 2007
From: users@opengroupware.org (Matt Johnson)
Date: Sun, 4 Mar 2007 12:26:33 -0800 (PST)
Subject: <SOLVED> Re: [OGo-Users] ogo Debian Sarge First install apach2 404
Message-ID: <9272.12005.qm@web50108.mail.yahoo.com>

Posted last email to mailing list by accident.=0A=0A=0A=0AAnyone with any c=
omments on the document welcomed though!=0A=0A=0A=0A--=0A=0AMatt=0A

From users@opengroupware.org  Sun Mar  4 20:33:46 2007
From: users@opengroupware.org (Matt Johnson)
Date: Sun, 04 Mar 2007 20:33:46 +0000
Subject: [OGo-Users] stable, release, ,trunk, nightly
Message-ID: <45EB2D2A.2060106@yahoo.com>

Hi,

So stable(version 1) is stable. Got that.

How does 1.1.6 yummy stand? Is it static? i.e. Will it be the same this 
time next month if I have to reinstall? Guess it's not "very tested"?

Thanks for any comments.

--
Matt

From users@opengroupware.org  Sun Mar  4 23:44:51 2007
From: users@opengroupware.org (Torsten Becker)
Date: Mon, 05 Mar 2007 00:44:51 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45EAEA04.3030703@nc-world.de>
References: <45E95D90.4030909@nc-world.de> <1172981109.4151.10.camel@aleph.whitemice.org> <45EAEA04.3030703@nc-world.de>
Message-ID: <45EB59F3.1030207@nc-world.de>

Torsten Becker schrieb:
> Adam Tauno Williams schrieb:
>>> Does some know what ogo tries to do in the database or how i can it 
>>> make visible to me?
>>>     
>>
>> Set the PGDebugEnabled default to "YES".
>>
>>   
> Thank you. I will test it. Perhaps I can find some hints then...
>
>
This is shown in the webui.log after enabling PGDebugEnabled:

Mar 04 23:25:07 ogo-webui-1.1 [22508]: PostgreSQL72 connection 
established: <0x0x8b6d244[PGConnection]:  connection=0x0x8b35318>
Mar 04 23:25:07 ogo-webui-1.1 [22508]: PostgreSQL72 channel 0x0x82da2c4 
opened (connection=<0x0x8b6d244[PGConnection]:  connection=0x0x8b35318>)
Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: BEGIN TRANSACTION
Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: SELECT 
t1.login, t1.is_locked, t1.password FROM  person t1 WHERE (t1.login = 
'root') AND (t1.is_account=1)
Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: COMMIT TRANSACTION
PostgreSQL72 connection dropped 0x0x8b6d244 (channel=0x0x82da2c4)

This repeats since some timeout.
After the timeout the browser shows the login dialog for the defined 
kerberos login.
After giving the credentials  I see the  login-screen from ogo  with  
the  username plus realm (ckent@AXG.LOCAL) and an empty password field.
The asking for credentials is new, since I removed all Defaults 
concerning LDAP in the ogo configuration.
Only BasicAuthentication is enabled.

This is the log for not using BasicAuthentication for ogo:

Mar 04 23:26:19 ogo-webui-1.1 [23004]: |ogo-webui-1.1| OpenGroupware.org 
instance initialized.
Mar 04 23:26:19 ogo-webui-1.1 [23004]: |ogo-webui-1.1| WOHttpAdaptor 
listening on address *:20000
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PostgreSQL72 connection 
established: <0x0x8b1d254[PGConnection]:  connection=0x0x8b2add8>
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PostgreSQL72 channel 0x0x82da2c4 
opened (connection=<0x0x8b1d254[PGConnection]:  connection=0x0x8b2add8>)
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PG0x0x82da2c4 SQL: BEGIN TRANSACTION
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PG0x0x82da2c4 SQL: SELECT 
t1.login, t1.is_locked, t1.password FROM  person t1 WHERE (t1.login = 
'root') AND (t1.is_account=1)
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PG0x0x82da2c4 SQL: COMMIT TRANSACTION
PostgreSQL72 connection dropped 0x0x8b1d254 (channel=0x0x82da2c4)
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PostgreSQL72 connection 
established: <0x0x8b423fc[PGConnection]:  connection=0x0x8b389f0>
Mar 04 23:26:28 ogo-webui-1.1 [23004]: PostgreSQL72 channel 0x0x82da2c4 
opened (connection=<0x0x8b423fc[PGConnection]:  connection=0x0x8b389f0>)

At this time mod-auth-kerb authenticated the user and the loginprompt 
from ogo is shown in the browser.
Now i can login as root with no errors.




From users@opengroupware.org  Mon Mar  5 00:47:05 2007
From: users@opengroupware.org (Helge Hess)
Date: Mon, 5 Mar 2007 01:47:05 +0100
Subject: [OGo-Users] stable, release, ,trunk, nightly
In-Reply-To: <45EB2D2A.2060106@yahoo.com>
References: <45EB2D2A.2060106@yahoo.com>
Message-ID: <6CB08FC6-85E3-4129-B6BF-28A02A607D18@opengroupware.org>

On Mar 4, 2007, at 21:33, Matt Johnson wrote:
> How does 1.1.6 yummy stand? Is it static? i.e. Will it be the same  
> this time next month if I have to reinstall?

Ahm, yes? Why should it change, its a release.

> Guess it's not "very tested"?

More importantly its an alpha release.

Greets,
   Helge
-- 
Helge Hess
http://www.helgehess.eu/



From users@opengroupware.org  Mon Mar  5 00:41:15 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Sun, 04 Mar 2007 19:41:15 -0500
Subject: [OGo-Users] stable, release, ,trunk, nightly
In-Reply-To: <45EB2D2A.2060106@yahoo.com>
References: <45EB2D2A.2060106@yahoo.com>
Message-ID: <2288-SnapperMsg05076A73C2111D3A@[70.217.38.170]>

>How does 1.1.6 yummy stand? Is it static? 

Yes

>i.e. Will it be the same this 
>time next month if I have to >reinstall? 

Yes

>Guess it's not "very tested"?

Trunk is pretty well tested,  from which 1.1.x is derived.  It just doesn't have any kind of 
promise to be stable.  I'd *personally* be surprised if you have any problems,  beyond any 
problems you have in 1.0.

I run trunk in production,  but I test it on another server first.

From users@opengroupware.org  Mon Mar  5 02:00:37 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Sun, 04 Mar 2007 21:00:37 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45EB59F3.1030207@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
 <1172981109.4151.10.camel@aleph.whitemice.org>
 <45EAEA04.3030703@nc-world.de>  <45EB59F3.1030207@nc-world.de>
Message-ID: <1173060037.4748.7.camel@aleph.whitemice.org>

> This is shown in the webui.log after enabling PGDebugEnabled:
> Mar 04 23:25:07 ogo-webui-1.1 [22508]: PostgreSQL72 connection 
> established: <0x0x8b6d244[PGConnection]:  connection=0x0x8b35318>
> Mar 04 23:25:07 ogo-webui-1.1 [22508]: PostgreSQL72 channel 0x0x82da2c4 
> opened (connection=<0x0x8b6d244[PGConnection]:  connection=0x0x8b35318>)
> Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: BEGIN TRANSACTION
> Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: SELECT 
> t1.login, t1.is_locked, t1.password FROM  person t1 WHERE (t1.login = 
> 'root') AND (t1.is_account=1)
> Mar 04 23:25:07 ogo-webui-1.1 [22508]: PG0x0x82da2c4 SQL: COMMIT TRANSACTION
> PostgreSQL72 connection dropped 0x0x8b6d244 (channel=0x0x82da2c4)
> This repeats since some timeout.
> After the timeout the browser shows the login dialog for the defined 
> kerberos login.
> After giving the credentials  I see the  login-screen from ogo  with  
> the  username plus realm (ckent@AXG.LOCAL) and an empty password field.

Which probably means OGo doesn't believe the user is legitimate.

1.) You have logged in at least once and changed the "root" user's
password?
2.) Is "cketn@AXG.LOCAL" an account in OGo's database?

Did you read the bug report regarding this?
http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1121

Also this old thread might be valuable
http://mail.opengroupware.org/pipermail/users/2006-January/015501.html


> At this time mod-auth-kerb authenticated the user and the loginprompt 
> from ogo is shown in the browser.
> Now i can login as root with no errors.



From users@opengroupware.org  Mon Mar  5 08:52:18 2007
From: users@opengroupware.org (Alexandre Ghisoli)
Date: Mon, 05 Mar 2007 09:52:18 +0100
Subject: [OGo-Users] stable, release, ,trunk, nightly
In-Reply-To: <45EB2D2A.2060106@yahoo.com>
References: <45EB2D2A.2060106@yahoo.com>
Message-ID: <1173084738.6793.15.camel@pc-05.interne.ycom.ch>

Le dimanche 04 mars 2007 à 20:33 +0000, Matt Johnson a écrit :
> Hi,
> 
> So stable(version 1) is stable. Got that.
> 
> How does 1.1.6 yummy stand? Is it static? i.e. Will it be the same this 
> time next month if I have to reinstall? Guess it's not "very tested"?
> 
> Thanks for any comments.
> 
> --
> Matt

I'm using 1.1.x for a year, and now running 1.1.6 since it get out. We
have a team of ~5-8 ppl using it every days, running on amd64. Just
crashed 2 or 3 times.

>From my point of view, 1.1.6 is pretty stable, and yes, it's a "static"
version, it will stay as is, and next version will get a new number
(1.1.7 could be a good guess).

-- 
        Alexandre


From users@opengroupware.org  Mon Mar  5 09:12:54 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Mon, 5 Mar 2007 11:12:54 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1172849697.4307.12.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <1172849697.4307.12.camel@aleph.whitemice.org>
Message-ID: <200703051112.54075.juuso.alasuutari@seclan.com>

On Friday 02 March 2007 17:34, Adam Tauno Williams wrote:
> > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> > using the LDAPInitialBind settings as instructed in this manual:
> > http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's
> > what I have in NSGlobalDomain.plist (don't worry, I'm only using the root
> > account temporarily for testing):
> >     LSAuthLDAPServer = "ldap.foo.bar";
> >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> >     LSAuthLDAPServerPort = 389;
> >     LDAPLoginAttributeName = "uid";
> >     DisablePasswordModification = YES;
> >     LDAPInitialBindSpecific = YES;
> >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> >     LDAPInitialBindPW = "xxx";
> > When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> > http://ldap.foo.bar/OpenGroupware, but without it and using the above
> > settings login attempts fail and nothing even appears in the LDAP
> > server's syslog.
>
> That seems very odd: "nothing even appears in the LDAP server's syslog"
>
> What is value of the DSA's loglevel directive?  I'm on the road today,
> but off the top of my head I think you want 128+32+8 as a minimum in
> order to figure out what is going on.  Since it looks like you are on
> the same machine, and thus using ethereal/wireshark is probably out, you
> can throw in +2 if you want to see the packets.

I tried changing the loglevel, but I'm still not getting anything in the logs 
that looks like a response to my actions. When I type my name and passwd in 
the OGo login page, it almost instantly reloads the page with the login 
failure message "Wrong Password or User". Seems like the auth query fails 
very quickly.

I have the bind user set to root, I've the slapd loglevel set to 512+128+32+8, 
and I watch the syslog with this command:
  watch -n0.1 "grep slapd.*root /var/log/syslog | tail -15"
But no events appear when I try to log in. Again, allowing bind_v2 in 
slapd.conf fixes OGo login, so there's supposedly nothing wrong with the 
connections or the account settings (I can login as root).

> And if you are logging to syslog make sure syslog isn't ditching traffic
> below a certain level.
>
> A rule like:
> local4.*                        -/var/log/ldap
>  - is a good idea.

I didn't try this yet, it seems that syslog gets a lot of traffic as it is.

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Mon Mar  5 09:14:52 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Mon, 5 Mar 2007 11:14:52 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <45E94DAE.6080302@nc-world.de>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <1172849697.4307.12.camel@aleph.whitemice.org> <45E94DAE.6080302@nc-world.de>
Message-ID: <200703051114.52840.juuso.alasuutari@seclan.com>

On Saturday 03 March 2007 12:27, Torsten Becker wrote:
> Adam Tauno Williams schrieb:
> >> I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> >> using the LDAPInitialBind settings as instructed in this manual:
> >> http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's
> >> what I have in NSGlobalDomain.plist (don't worry, I'm only using the
> >> root account temporarily for testing):
> >>     LSAuthLDAPServer = "ldap.foo.bar";
> >>     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> >>     LSAuthLDAPServerPort = 389;
> >>     LDAPLoginAttributeName = "uid";
> >>     DisablePasswordModification = YES;
> >>     LDAPInitialBindSpecific = YES;
> >>     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> >>     LDAPInitialBindPW = "xxx";
> >> When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> >> http://ldap.foo.bar/OpenGroupware, but without it and using the above
> >> settings login attempts fail and nothing even appears in the LDAP
> >> server's syslog.
> >
> > That seems very odd: "nothing even appears in the LDAP server's syslog"
> >
> > What is value of the DSA's loglevel directive?  I'm on the road today,
> > but off the top of my head I think you want 128+32+8 as a minimum in
> > order to figure out what is going on.  Since it looks like you are on
> > the same machine, and thus using ethereal/wireshark is probably out, you
> > can throw in +2 if you want to see the packets.
> >
> > And if you are logging to syslog make sure syslog isn't ditching traffic
> > below a certain level.
> >
> > A rule like:
> > local4.*                        -/var/log/ldap
> >  - is a good idea.
> >
> >> Any clues?
>
> I try to do the same Setup just for autheticatting against kerberos with
> users in ldap.
> I figured out that the Syntax
>
> LDAPInitialBindSpecific = YES;
>
> sounds right for "Defaults read" but the InitialBind will not work.
>
> If you remove the '=' then it should work, it does it in my setup.
>
> LDAPInitialBindSpecific YES;

Unfortunately this doesn't work for me, the connection to the Skyrix server 
breaks when I do this (I see an error in http://<server>/OpenGroupware). I 
think the syntax is simply wrong and the server won't start up because of 
that.

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Mon Mar  5 09:33:50 2007
From: users@opengroupware.org (=?ISO-8859-1?Q?Samuli_Sepp=E4nen?=)
Date: Mon, 05 Mar 2007 11:33:50 +0200
Subject: [OGo-Users] How do I select the default place where projects are saved
Message-ID: <45EBE3FE.7070702@tietoteema.fi>

When creating new projects the user has the choice of saving the project
 to either Database or Filesystem, like below:

Project Base: ( ) Database ( ) Filesystem

By default neither of these is selected, but we don't want to force
average Joe making this kind of hard decisions. So how do I either

- disable the Filesystem checkbox
- preselect the Database checkbox

I did not find any obvious Defaults, nor any info from the OGo docs or
mailinglist archives. Can this be done?


Samuli Seppänen



From users@opengroupware.org  Mon Mar  5 09:29:08 2007
From: users@opengroupware.org (Torsten Becker)
Date: Mon, 05 Mar 2007 10:29:08 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <1173060037.4748.7.camel@aleph.whitemice.org>
References: <45E95D90.4030909@nc-world.de>	 <1172981109.4151.10.camel@aleph.whitemice.org>	 <45EAEA04.3030703@nc-world.de>  <45EB59F3.1030207@nc-world.de> <1173060037.4748.7.camel@aleph.whitemice.org>
Message-ID: <45EBE2E4.7090105@nc-world.de>

Adam Tauno Williams schrieb:
>
> Which probably means OGo doesn't believe the user is legitimate.
>
> 1.) You have logged in at least once and changed the "root" user's
> password?
> 2.) Is "cketn@AXG.LOCAL" an account in OGo's database?
>   
Yes for both.
> Did you read the bug report regarding this?
> http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1121
>
>   
Yes. But here is said it would be nice to have, not how it will be.
> Also this old thread might be valuable
> http://mail.opengroupware.org/pipermail/users/2006-January/015501.html
>   
Here is only told, that it is not doing it. No solution is shown.
I wonder about this document, that brought me to give it a try:

http://docs.opengroupware.org/Members/mcarpenter/ldap_kerberos_howto/view?searchterm=kerberos


So it leaves me with the question: Is there anyone out there doing 
Kerberos Authentication with Apache2 and OGo accepts it?
Then I would be interested in the config files.






From users@opengroupware.org  Mon Mar  5 09:43:10 2007
From: users@opengroupware.org (YATHE Jaures Arthur)
Date: Mon, 5 Mar 2007 10:43:10 +0100 (CET)
Subject: [OGo-Users] OGO: webui crash when the password is wrong or exception occured
In-Reply-To: <1172754428.4555.23.camel@aleph.whitemice.org>
Message-ID: <20070305094310.89350.qmail@web26703.mail.ukl.yahoo.com>

--0-656812866-1173087790=:88862
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit


Hi,
I dont understand this problem:
I installed OGO1.1 on debian sarge (kernel 2.6 smp).
When you attempt to login with a good username and bad password Web-UI  crash and you have and Internal server error and ago instance is initialised all others users connected are disconnected and redirected at the login form.
It's the same if any exception occured in the program : missing file path in the project.

I purged all package (SOPE,libfoundation,OGO ...,mod_ngo...,) and try many version of OGO the same problem remain again.

Please help me !!!.

 		
---------------------------------
 Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses.
--0-656812866-1173087790=:88862
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

<br>Hi,<br>I dont understand this problem:<br>I installed OGO1.1 on debian sarge (kernel 2.6 smp).<br>When you attempt to login with a good username and bad password Web-UI&nbsp; crash and you have and Internal server error and ago instance is initialised all others users connected are disconnected and redirected at the login form.<br>It's the same if any exception occured in the program : missing file path in the project.<br><br>I purged all package (SOPE,libfoundation,OGO ...,mod_ngo...,) and try many version of OGO the same problem remain again.<br><br>Please help me !!!.<br><p>&#32;
		<hr size="1"> 
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Profitez des connaissances, des opinions et des expériences des internautes sur <a href="http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com">Yahoo! Questions/Réponses</a>.
--0-656812866-1173087790=:88862--

From users@opengroupware.org  Mon Mar  5 10:05:14 2007
From: users@opengroupware.org (Per Jensen)
Date: Mon, 5 Mar 2007 11:05:14 +0100 (CET)
Subject: [OGo-Users] stable, release, ,trunk, nightly
In-Reply-To: <1173084738.6793.15.camel@pc-05.interne.ycom.ch>
References: <45EB2D2A.2060106@yahoo.com>
 <1173084738.6793.15.camel@pc-05.interne.ycom.ch>
Message-ID: <11497.212.242.181.96.1173089114.squirrel@webmail.net-es.dk>

>> Matt
>
> I'm using 1.1.x for a year, and now running 1.1.6 since it get out. We
> have a team of ~5-8 ppl using it every days, running on amd64. Just
> crashed 2 or 3 times.
>
>>From my point of view, 1.1.6 is pretty stable, and yes, it's a "static"
> version, it will stay as is, and next version will get a new number
> (1.1.7 could be a good guess).
>
> --
>         Alexandre
>
> --

I can second that. Am running 1.1.6 on Debian Sarge and it is prtty stable
here also. At the moment 5-10 collegues use OGo regularly. Once in a while
the webui process goes amok and sucks all processor time.

/Per



From users@opengroupware.org  Mon Mar  5 10:23:11 2007
From: users@opengroupware.org (Matt Johnson)
Date: Mon, 5 Mar 2007 02:23:11 -0800 (PST)
Subject: [OGo-Users] stable, release, ,trunk, nightly
Message-ID: <20070305102311.38038.qmail@web50104.mail.re2.yahoo.com>

The comments so far have been very useful in making decisions this end. I a=
ppreciate the feedback, and apologies if it was a bit of a obvious question=
.=0A=0AI'll take these comments to our collaboration meeting later. I'm ver=
y keen to use OGo.=0A=0AThanks all.=0A=0A--=0AMatt=0A=0A=0A----- Original M=
essage ----=0AFrom: Per Jensen <per@net-es.dk>=0ATo: users@opengroupware.or=
g=0ASent: Monday, 5 March, 2007 10:05:14 AM=0ASubject: Re: [OGo-Users] stab=
le, release, ,trunk, nightly=0A=0A>> Matt=0A>=0A> I'm using 1.1.x for a yea=
r, and now running 1.1.6 since it get out. We=0A> have a team of ~5-8 ppl u=
sing it every days, running on amd64. Just=0A> crashed 2 or 3 times.=0A>=0A=
>>From my point of view, 1.1.6 is pretty stable, and yes, it's a "static"=
=0A> version, it will stay as is, and next version will get a new number=0A=
> (1.1.7 could be a good guess).=0A>=0A> --=0A>         Alexandre=0A>=0A> -=
-=0A=0AI can second that. Am running 1.1.6 on Debian Sarge and it is prtty =
stable=0Ahere also. At the moment 5-10 collegues use OGo regularly. Once in=
 a while=0Athe webui process goes amok and sucks all processor time.=0A=0A/=
Per=0A=0A=0A-- =0AOpenGroupware.org Users=0Ausers@opengroupware.org=0Ahttp:=
//mail.opengroupware.org/mailman/listinfo/users=0A=0A=0A

From users@opengroupware.org  Mon Mar  5 11:05:59 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 06:05:59 -0500
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <200703051112.54075.juuso.alasuutari@seclan.com>
References: <200703021553.51499.juuso.alasuutari@seclan.com>
 <1172849697.4307.12.camel@aleph.whitemice.org>
 <200703051112.54075.juuso.alasuutari@seclan.com>
Message-ID: <1173092759.4635.7.camel@aleph.whitemice.org>

> > > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> > > using the LDAPInitialBind settings as instructed in this manual:
> > > http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's
> > > what I have in NSGlobalDomain.plist (don't worry, I'm only using the root
> > > account temporarily for testing):
> > >     LSAuthLDAPServer = "ldap.foo.bar";
> > >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> > >     LSAuthLDAPServerPort = 389;
> > >     LDAPLoginAttributeName = "uid";
> > >     DisablePasswordModification = YES;
> > >     LDAPInitialBindSpecific = YES;
> > >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> > >     LDAPInitialBindPW = "xxx";
> > > When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> > > http://ldap.foo.bar/OpenGroupware, but without it and using the above
> > > settings login attempts fail and nothing even appears in the LDAP
> > > server's syslog
> > That seems very odd: "nothing even appears in the LDAP server's syslog"
> > What is value of the DSA's loglevel directive?  I'm on the road today,
> > but off the top of my head I think you want 128+32+8 as a minimum in
> > order to figure out what is going on.  Since it looks like you are on
> > the same machine, and thus using ethereal/wireshark is probably out, you
> > can throw in +2 if you want to see the packets.
> I tried changing the loglevel, but I'm still not getting anything in the logs 
> that looks like a response to my actions.

If you make no corresponding change to your systems syslog of course you
won't see anything additional.
ftp://kalamazoolinux.org/pub/pdf/Timber.pdf


>  When I type my name and passwd in 
> the OGo login page, it almost instantly reloads the page with the login 
> failure message "Wrong Password or User". Seems like the auth query fails 
> very quickly.
> I have the bind user set to root, I've the slapd loglevel set to 512+128+32+8, 

I assume that means "loglevel 680" exists in slapd.conf?

> and I watch the syslog with this command:
>   watch -n0.1 "grep slapd.*root /var/log/syslog | tail -15"
> But no events appear when I try to log in. Again, allowing bind_v2 in 
> slapd.conf fixes OGo login, so there's supposedly nothing wrong with the 
> connections or the account settings (I can login as root).



From users@opengroupware.org  Mon Mar  5 11:13:50 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 06:13:50 -0500
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1173092759.4635.7.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com>
 <1172849697.4307.12.camel@aleph.whitemice.org>
 <200703051112.54075.juuso.alasuutari@seclan.com>
 <1173092759.4635.7.camel@aleph.whitemice.org>
Message-ID: <1173093230.4635.11.camel@aleph.whitemice.org>

On Mon, 2007-03-05 at 06:05 -0500, Adam Tauno Williams wrote:
> > > > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> > > > using the LDAPInitialBind settings as instructed in this manual:
> > > > http://docs.opengroupware.org/Members/whitemice/wmogag/download. Here's
> > > > what I have in NSGlobalDomain.plist (don't worry, I'm only using the root
> > > > account temporarily for testing):
> > > >     LSAuthLDAPServer = "ldap.foo.bar";
> > > >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> > > >     LSAuthLDAPServerPort = 389;
> > > >     LDAPLoginAttributeName = "uid";
> > > >     DisablePasswordModification = YES;
> > > >     LDAPInitialBindSpecific = YES;
> > > >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> > > >     LDAPInitialBindPW = "xxx";

You can also try setting "LDAPDebugEnabled" to "YES"


From users@opengroupware.org  Mon Mar  5 11:16:50 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 06:16:50 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45EBE2E4.7090105@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
 <1172981109.4151.10.camel@aleph.whitemice.org>
 <45EAEA04.3030703@nc-world.de>  <45EB59F3.1030207@nc-world.de>
 <1173060037.4748.7.camel@aleph.whitemice.org>
 <45EBE2E4.7090105@nc-world.de>
Message-ID: <1173093410.4635.15.camel@aleph.whitemice.org>

> > Which probably means OGo doesn't believe the user is legitimate.
> > 1.) You have logged in at least once and changed the "root" user's
> > password?
> > 2.) Is "cketn@AXG.LOCAL" an account in OGo's database?
> Yes for both.
> > Did you read the bug report regarding this?
> > http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1121
> Yes. But here is said it would be nice to have, not how it will be.
> > Also this old thread might be valuable
> > http://mail.opengroupware.org/pipermail/users/2006-January/015501.html
> Here is only told, that it is not doing it. No solution is shown.
> I wonder about this document, that brought me to give it a try:
> http://docs.opengroupware.org/Members/mcarpenter/ldap_kerberos_howto/view?searchterm=kerberos

I didn't reference this document because I don't believe it is relevant.
This document simply describes setting up LDAP authentication,  I don't
understand what it has to do with Kerberos.  Perhaps this works if you
enable BASIC auth in the Keberos module,  but that basically defeats
Kerberos (and isn't SSO);  it might be interesting to try however.  Does
the module still support basic auth?

> So it leaves me with the question: Is there anyone out there doing 
> Kerberos Authentication with Apache2 and OGo accepts it?
> Then I would be interested in the config files.



From users@opengroupware.org  Mon Mar  5 11:28:44 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 06:28:44 -0500
Subject: [OGo-Users] How do I select the default place where projects
 are saved
In-Reply-To: <45EBE3FE.7070702@tietoteema.fi>
References: <45EBE3FE.7070702@tietoteema.fi>
Message-ID: <1173094124.4635.19.camel@aleph.whitemice.org>

> When creating new projects the user has the choice of saving the project
>  to either Database or Filesystem, like below:
> Project Base: ( ) Database ( ) Filesystem
> By default neither of these is selected, but we don't want to force
> average Joe making this kind of hard decisions. So how do I either
> - disable the Filesystem checkbox
> - preselect the Database checkbox
> I did not find any obvious Defaults, nor any info from the OGo docs or
> mailinglist archives. Can this be done?

http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=394

Have your tried deleting the "SkyFSPath" default?  In my notes I have
"when no projectBases are defined, the editor will default to the
database one" - but I'm not entirely sure what that means (it is dated
2004).


From users@opengroupware.org  Mon Mar  5 13:57:45 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Mon, 5 Mar 2007 15:57:45 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1173092759.4635.7.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <200703051112.54075.juuso.alasuutari@seclan.com> <1173092759.4635.7.camel@aleph.whitemice.org>
Message-ID: <200703051557.45784.juuso.alasuutari@seclan.com>

On Monday 05 March 2007 13:05, Adam Tauno Williams wrote:
> > > > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> > > > using the LDAPInitialBind settings as instructed in this manual:
> > > > http://docs.opengroupware.org/Members/whitemice/wmogag/download.
> > > > Here's what I have in NSGlobalDomain.plist (don't worry, I'm only
> > > > using the root account temporarily for testing):
> > > >     LSAuthLDAPServer = "ldap.foo.bar";
> > > >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> > > >     LSAuthLDAPServerPort = 389;
> > > >     LDAPLoginAttributeName = "uid";
> > > >     DisablePasswordModification = YES;
> > > >     LDAPInitialBindSpecific = YES;
> > > >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> > > >     LDAPInitialBindPW = "xxx";
> > > > When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> > > > http://ldap.foo.bar/OpenGroupware, but without it and using the above
> > > > settings login attempts fail and nothing even appears in the LDAP
> > > > server's syslog
> > >
> > > That seems very odd: "nothing even appears in the LDAP server's syslog"
> > > What is value of the DSA's loglevel directive?  I'm on the road today,
> > > but off the top of my head I think you want 128+32+8 as a minimum in
> > > order to figure out what is going on.  Since it looks like you are on
> > > the same machine, and thus using ethereal/wireshark is probably out,
> > > you can throw in +2 if you want to see the packets.
> >
> > I tried changing the loglevel, but I'm still not getting anything in the
> > logs that looks like a response to my actions.
>
> If you make no corresponding change to your systems syslog of course you
> won't see anything additional.
> ftp://kalamazoolinux.org/pub/pdf/Timber.pdf
>
> >  When I type my name and passwd in
> > the OGo login page, it almost instantly reloads the page with the login
> > failure message "Wrong Password or User". Seems like the auth query fails
> > very quickly.
> > I have the bind user set to root, I've the slapd loglevel set to
> > 512+128+32+8,
>
> I assume that means "loglevel 680" exists in slapd.conf?

Yes, I have that setting there. Thanks for the syslog tip-off, the output is 
much easier to read when it's in its own file. Now I see that there indeed is 
some activity when I try to login:

Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: new connection on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: added 17r
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:  17r
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: read activity on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:  17r
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: read activity on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22110]: daemon: removing 17


-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Mon Mar  5 14:07:01 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Mon, 5 Mar 2007 16:07:01 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1173093230.4635.11.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <1173092759.4635.7.camel@aleph.whitemice.org> <1173093230.4635.11.camel@aleph.whitemice.org>
Message-ID: <200703051607.01139.juuso.alasuutari@seclan.com>

On Monday 05 March 2007 13:13, Adam Tauno Williams wrote:
> On Mon, 2007-03-05 at 06:05 -0500, Adam Tauno Williams wrote:
> > > > > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP)
> > > > > by using the LDAPInitialBind settings as instructed in this manual:
> > > > > http://docs.opengroupware.org/Members/whitemice/wmogag/download.
> > > > > Here's what I have in NSGlobalDomain.plist (don't worry, I'm only
> > > > > using the root account temporarily for testing):
> > > > >     LSAuthLDAPServer = "ldap.foo.bar";
> > > > >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> > > > >     LSAuthLDAPServerPort = 389;
> > > > >     LDAPLoginAttributeName = "uid";
> > > > >     DisablePasswordModification = YES;
> > > > >     LDAPInitialBindSpecific = YES;
> > > > >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> > > > >     LDAPInitialBindPW = "xxx";
>
> You can also try setting "LDAPDebugEnabled" to "YES"

Well, what do we have here, some noise 
in /var/log/opengroupware.org/ogo/webui.log:

Mar 05 14:01:06 ogo-webui-1.0 [5325]: LDAP: check pwd of login 'root' on 
ldap.foo.bar,389,dc=foo,dc=bar ...
Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7A620E0[NGLdapConnection]>   no 
password provided.
Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7B6D000[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'ldap.foo.bar:389' did not authenticate user 'root'

"No password provided"? I do have this line in NSGlobalDomain.plist:

LDAPInitialBindPW = "mypassword";

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Mon Mar  5 14:49:39 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 09:49:39 -0500
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <200703051607.01139.juuso.alasuutari@seclan.com>
References: <200703021553.51499.juuso.alasuutari@seclan.com>
 <1173092759.4635.7.camel@aleph.whitemice.org>
 <1173093230.4635.11.camel@aleph.whitemice.org>
 <200703051607.01139.juuso.alasuutari@seclan.com>
Message-ID: <1173106179.4442.7.camel@aleph.whitemice.org>

--=-RXCUiZo6a6sPQ5p0h3Jn
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> > You can also try setting "LDAPDebugEnabled" to "YES"
> Well, what do we have here, some noise=20
> in /var/log/opengroupware.org/ogo/webui.log:
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: LDAP: check pwd of login 'root' on=20
> ldap.foo.bar,389,dc=3Dfoo,dc=3Dbar ...
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7A620E0[NGLdapConnection]>   no=
=20
> password provided.
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7B6D000[LSCommandContext]>=20
> +[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP=20
> server 'ldap.foo.bar:389' did not authenticate user 'root'
>=20
> "No password provided"? I do have this line in NSGlobalDomain.plist:

Or perhaps this means no password was provided by the session/user in
order to perform authentication?  Not certain this is what it means, but
if you have LDAP authentication enabled it is going to want a password
to authenticate the user;  unless mod_auth_kerb is providing that then
you'd have a problem here.

> LDAPInitialBindPW =3D "mypassword";


--=-RXCUiZo6a6sPQ5p0h3Jn
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF7C4DLRePpNle04MRAn0pAJ9AtkSQnOmKZbxxCoLbpeq7C8+8KQCfXWnw
pxcK35QbRtvo+92VnCW78s0=
=9LGn
-----END PGP SIGNATURE-----

--=-RXCUiZo6a6sPQ5p0h3Jn--


From users@opengroupware.org  Mon Mar  5 16:17:05 2007
From: users@opengroupware.org (Torsten Becker)
Date: Mon, 05 Mar 2007 17:17:05 +0100
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <1173093410.4635.15.camel@aleph.whitemice.org>
References: <45E95D90.4030909@nc-world.de>	 <1172981109.4151.10.camel@aleph.whitemice.org>	 <45EAEA04.3030703@nc-world.de>  <45EB59F3.1030207@nc-world.de>	 <1173060037.4748.7.camel@aleph.whitemice.org>	 <45EBE2E4.7090105@nc-world.de> <1173093410.4635.15.camel@aleph.whitemice.org>
Message-ID: <45EC4281.1030800@nc-world.de>

Adam Tauno Williams schrieb:
>>> Did you read the bug report regarding this?
>>> http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1121
>>>       
>> Yes. But here is said it would be nice to have, not how it will be.
>>     
>>> Also this old thread might be valuable
>>> http://mail.opengroupware.org/pipermail/users/2006-January/015501.html
>>>       
>> Here is only told, that it is not doing it. No solution is shown.
>> I wonder about this document, that brought me to give it a try:
>> http://docs.opengroupware.org/Members/mcarpenter/ldap_kerberos_howto/view?searchterm=kerberos
>>     
>
> I didn't reference this document because I don't believe it is relevant.
> This document simply describes setting up LDAP authentication,  I don't
> understand what it has to do with Kerberos.  Perhaps this works if you
> enable BASIC auth in the Keberos module,  but that basically defeats
> Kerberos (and isn't SSO);  it might be interesting to try however.  Does
> the module still support basic auth?
>
>   
Thank you very much for your help Adam.
I think I give up for now. I see no way to get ogo working with Kerberos 
in a real SSO solution.
I will secure the usage of ogo with kerberos + sll , but users will have 
to login to ogo in normal way.

OGo lacks some features for me, Kerberos authentication is only one of them.

Greets, Torsten

-- 
---

net-concept T. Becker




From users@opengroupware.org  Mon Mar  5 16:32:09 2007
From: users@opengroupware.org (Adam Tauno Williams)
Date: Mon, 05 Mar 2007 11:32:09 -0500
Subject: [OGo-Users] ldap+kerberos authentication
In-Reply-To: <45EC4281.1030800@nc-world.de>
References: <45E95D90.4030909@nc-world.de>
 <1172981109.4151.10.camel@aleph.whitemice.org>
 <45EAEA04.3030703@nc-world.de>  <45EB59F3.1030207@nc-world.de>
 <1173060037.4748.7.camel@aleph.whitemice.org>
 <45EBE2E4.7090105@nc-world.de>
 <1173093410.4635.15.camel@aleph.whitemice.org>
 <45EC4281.1030800@nc-world.de>
Message-ID: <1173112329.4442.10.camel@aleph.whitemice.org>

--=-x+qM9iQaS549j1yng3cG
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> I think I give up for now. I see no way to get ogo working with Kerberos=20
> in a real SSO solution.
> I will secure the usage of ogo with kerberos + sll , but users will have=20
> to login to ogo in normal way.
> OGo lacks some features for me, Kerberos authentication is only one of th=
em.

Be sure to subscribe yourself to Bug#1121 so you get a notification if
anyone works on it.

If you have some missing features please file enhancement requests
and/or pop over to discuss@ and let us know what they are.



--=-x+qM9iQaS549j1yng3cG
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQBF7EYJLRePpNle04MRAtvWAJsFaHfTDLPLjLftfoK3Dy00HkKo3wCfWRCT
9iKpUyWANf16xm51hnf5Jpc=
=dZkH
-----END PGP SIGNATURE-----

--=-x+qM9iQaS549j1yng3cG--


From users@opengroupware.org  Mon Mar  5 17:08:17 2007
From: users@opengroupware.org (Doug Smith)
Date: Mon, 05 Mar 2007 11:08:17 -0600
Subject: [OGo-Users] LDAP for Skyrix Zidestore along with OGo Zidestore.
In-Reply-To: <45E88E35.2060508@morrison-ind.com>
References: <45E83BBC.10309@alchemysystems.com>	 <1172849244.4307.5.camel@aleph.whitemice.org>	 <45E85886.4090400@alchemysystems.com> <1172857299.4294.4.camel@aleph.whitemice.org> <45E88D4E.8040503@alchemysystems.com> <45E88E35.2060508@morrison-ind.com>
Message-ID: <45EC4E81.6030807@alchemysystems.com>

Adam Tauno Williams wrote:
>
> Logging into ZideStore does not create an account.  You need to 
> populate the accounts through XML-RPC or have users log into the web 
> interface at least once.
>


Hmm.. how do I add accounts through XML-RPC?  I completely reinstalled 
the server this morning, added the LDAP settings to both connectors, and 
then logged in the web interface to create my account.  The plugin still 
doesn't work though and below is the error I get now...

Mar 05 10:42:01 ZideStore [8895]: SNS support disabled.
Mar 05 10:42:01 ZideStore [8895]: |ZideStore| register ZideStore 
product: WCAP.zsp
Mar 05 10:42:01 ZideStore [8895]: |ZideStore| register ZideStore 
product: ZLConnect.zsp
Mar 05 10:42:01 ZideStore [8895]: |ZideStore| register ZideStore 
product: PrefsUI.zsp
Mar 05 10:42:02 ZideStore [8895]: |ZideStore| vMem Size check enabled: 
shutting down app when vMem > 200 MB
Mar 05 10:42:02 ZideStore [8895]: |ZideStore| WOHttpAdaptor listening on 
address <InetSocketAddress: localhost:23005>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D request 
0x09E5294C: OPTIONS /zidestore/so/dsmith/ (ctx=0x09F71C84)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D authenticator 
allowed request.
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D traverse 
(/zidestore/so/dsmith/): dsmith (no acquisition)
Mar 05 10:42:21 ZideStore [8895]: |ZideStore| traverse: dsmith
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   do traverse name: 'dsmith'
Mar 05 10:42:21 ZideStore [8895]: |ZideStore| lookup name: dsmith
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   did not find key 
'dsmith' in SoClass: <0x09D0257C[SoObjCClass]: super=0x09CE810C 
objc=ZideStore slots=GET>
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   looked up value:
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   lookup in root object:
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   root is application object
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   GOT:
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   traverse miss: 
name=dsmith: i=0,count=1
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|     miss is last object.
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|     handle miss error: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   not calling 
exception: (Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   render object: 
(Exception name:SoAuthRequired class:SoAuthRequiredException 
reason:authentication required info:<nil>)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D     render in ctx: 
<0x09F71C84[WOContext]: 00145ec486d09f71c84 app=ZideStore sn=none eid= 
rqeid=>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D     use 
rule-selected renderer: <SoDefaultRenderer 0x9f7ccb4>
Mar 05 10:42:21 ZideStore [8895]: <[so-dflt-renderer]>D     render as 
security exception: (Exception name:SoAuthRequired 
class:SoAuthRequiredException reason:authentication required info:<nil>)
Mar 05 10:42:21 ZideStore [8895]: <[so-dflt-renderer]>D     
authenticator: <SxAuthenticator 0x9e58124>
Mar 05 10:42:21 ZideStore [8895]: <[so-dflt-renderer]>D     
authenticator did render exception.
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   made response: 
0x09F74B0C (status=401,len=,type=)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D request 
0x09E5C6A4: OPTIONS /zidestore/so/dsmith/ (ctx=0x09F71C84)
Mar 05 10:42:21 ZideStore [8895]: <0x001E2520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 'dsmith'
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D authenticator 
allowed request.
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D traverse 
(/zidestore/so/dsmith/): dsmith (no acquisition)
Mar 05 10:42:21 ZideStore [8895]: |ZideStore| traverse: dsmith
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   do traverse name: 'dsmith'
Mar 05 10:42:21 ZideStore [8895]: |ZideStore| lookup name: dsmith
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   did not find key 
'dsmith' in SoClass: <0x09D0257C[SoObjCClass]: super=0x09CE810C 
objc=ZideStore slots=GET>
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   looked up value:
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   lookup in root object:
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   root is application object
Mar 05 10:42:21 ZideStore [8895]: |ZideStore|   GOT:
Mar 05 10:42:21 ZideStore [8895]: <0x001E2520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 'dsmith'
Mar 05 10:42:21 ZideStore [8895]: |ZideStore| set clientObject: 
<0x09F4261C[SxUserFolder]: login=dsmith>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   dispatcher: 
<0x09F34A6C[SoObjectWebDAVDispatcher]: object=<0x09F4261C[SxUserFolder]: 
login=dsmith>>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   dispatch object: 
<0x09F4261C[SxUserFolder]: login=dsmith>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   render object: (
    GET,
    HEAD,
    POST,
    OPTIONS,
    MKCOL,
    DELETE,
    PUT,
    LOCK,
    UNLOCK,
    COPY,
    MOVE,
    PROPFIND,
    SEARCH
)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D     render in ctx: 
<0x09F71C84[WOContext]: 00245ec486d09f71c84 app=ZideStore sn=none eid= 
rqeid=>
Mar 05 10:42:21 ZideStore [8895]: enabled debugging in SoWebDAVRenderer 
(SoRendererDebugEnabled)
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D     use 
rule-selected renderer: <SoWebDAVRenderer 0x9f482d4>
Mar 05 10:42:21 ZideStore [8895]: <[object-handler]>D   made response: 
0x09F70334 (status=200,len=,type=text/xml)
Mar 05 10:42:21 ZideStore [8895]: <0x001E2520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 'dsmith'
Mar 05 10:42:22 ZideStore [8895]: <0x001E2520[LSCommandContext]> 
+[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP 
server 'dc01.avatartechnology.net:389' did authenticate user 'dsmith'




From users@opengroupware.org  Tue Mar  6 09:16:39 2007
From: users@opengroupware.org (Juuso Alasuutari)
Date: Tue, 6 Mar 2007 11:16:39 +0200
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <1173106179.4442.7.camel@aleph.whitemice.org>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <200703051607.01139.juuso.alasuutari@seclan.com> <1173106179.4442.7.camel@aleph.whitemice.org>
Message-ID: <200703061116.39210.juuso.alasuutari@seclan.com>

On Monday 05 March 2007 16:49, Adam Tauno Williams wrote:
> > > You can also try setting "LDAPDebugEnabled" to "YES"
> >
> > Well, what do we have here, some noise
> > in /var/log/opengroupware.org/ogo/webui.log:
> > Mar 05 14:01:06 ogo-webui-1.0 [5325]: LDAP: check pwd of login 'root' on
> > ldap.foo.bar,389,dc=foo,dc=bar ...
> > Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7A620E0[NGLdapConnection]>   no
> > password provided.
> > Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7B6D000[LSCommandContext]>
> > +[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP
> > server 'ldap.foo.bar:389' did not authenticate user 'root'
> >
> > "No password provided"? I do have this line in NSGlobalDomain.plist:
>
> Or perhaps this means no password was provided by the session/user in
> order to perform authentication?  Not certain this is what it means, but
> if you have LDAP authentication enabled it is going to want a password
> to authenticate the user;  unless mod_auth_kerb is providing that then
> you'd have a problem here.

I'm not using Kerberos at all so I don't see how that could be relevant. Do 
you mean that OGo is expecting LDAP to return some password to use? Why, and 
what for? Or perhaps I misunderstood what you meant.

I'm very confused by this by now. I've followed the instructions by the mark, 
possibly there's something to be configured in slapd.conf I've failed to 
notice. But even with the log files the inner workings of OGo still seems 
like a small mystery to me.

-- 
Juuso Alasuutari
      seclan.com

From users@opengroupware.org  Tue Mar  6 09:20:58 2007
From: users@opengroupware.org (Helge Hess)
Date: Tue, 6 Mar 2007 10:20:58 +0100
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <200703051607.01139.juuso.alasuutari@seclan.com>
References: <200703021553.51499.juuso.alasuutari@seclan.com> <1173092759.4635.7.camel@aleph.whitemice.org> <1173093230.4635.11.camel@aleph.whitemice.org> <200703051607.01139.juuso.alasuutari@seclan.com>
Message-ID: <D0190487-BDE3-432F-B247-2A5AF7E1CB5F@opengroupware.org>

On Mar 5, 2007, at 15:07, Juuso Alasuutari wrote:
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: LDAP: check pwd of login  
> 'root' on
> ldap.foo.bar,389,dc=foo,dc=bar ...
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7A620E0[NGLdapConnection] 
> >   no
> password provided.
> Mar 05 14:01:06 ogo-webui-1.0 [5325]: <0xB7B6D000[LSCommandContext]>
> +[LSCommandContext(LDAPSupport) isLDAPLoginAuthorized:password:]: LDAP
> server 'ldap.foo.bar:389' did not authenticate user 'root'
>
> "No password provided"?

Yes. On startup OGo attempts to login root w/o a password to ensure a  
password is set.

> I do have this line in NSGlobalDomain.plist:
>
> LDAPInitialBindPW = "mypassword";

This is the bind password for LDAP.

Helge
-- 
Helge Hess
http://www.helgehess.eu/



From users@opengroupware.org  Tue Mar  6 09:23:17 2007
From: users@opengroupware.org (Helge Hess)
Date: Tue, 6 Mar 2007 10:23:17 +0100
Subject: [OGo-Users] LDAPInitialBindSpecific not working
In-Reply-To: <200703021553.51499.juuso.alasuutari@seclan.com>
References: <200703021553.51499.juuso.alasuutari@seclan.com>
Message-ID: <79C8E70C-8F17-45EA-B5C9-850CB49AEADC@opengroupware.org>

On Mar 2, 2007, at 14:53, Juuso Alasuutari wrote:
> When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> http://ldap.foo.bar/OpenGroupware, but without it and using the above
> settings login attempts fail and nothing even appears in the LDAP  
> server's
> syslog.
>
> Any clues?

I think OGo 1.0 configures the connection for LDAP v2. OGo 1.1  
enables v3.

Helge
-- 
Helge Hess
http://www.helgehess.eu/



From users@opengroupware.org  Tue Mar  6 09:59:50 2007
From: users@opengroupware.org (=?ISO-8859-1?Q?Samuli_Sepp=E4nen?=)
Date: Tue, 06 Mar 2007 11:59:50 +0200
Subject: [OGo-Users] How do I select the default place where projects
 are saved
In-Reply-To: <1173094124.4635.19.camel@aleph.whitemice.org>
References: <45EBE3FE.7070702@tietoteema.fi> <1173094124.4635.19.camel@aleph.whitemice.org>
Message-ID: <45ED3B96.7050300@tietoteema.fi>

Adam Tauno Williams kirjoitti:
>> When creating new projects the user has the choice of saving the project
>>  to either Database or Filesystem, like below:
>> Project Base: ( ) Database ( ) Filesystem
>> By default neither of these is selected, but we don't want to force
>> average Joe making this kind of hard decisions. So how do I either
>> - disable the Filesystem checkbox
>> - preselect the Database checkbox
>> I did not find any obvious Defaults, nor any info from the OGo docs or
>> mailinglist archives. Can this be done?
> 
> http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=394
> 
> Have your tried deleting the "SkyFSPath" default?  In my notes I have
> "when no projectBases are defined, the editor will default to the
> database one" - but I'm not entirely sure what that means (it is dated
> 2004).
>

I tried changing the SkyFSPath to a non-existent path, to a directory
with no access (for user "ogo") and setting it to "". None of these
helped. I guess that I could just add a small hint for the user, like

Project Base: ( ) Database (recommended) ( ) Filesystem

and hope that the user follows this recommendation :).

From users@opengroupware.org  Tue Mar  6 10:11:20 2007
From: users@opengroupware.org (Helge Hess)
Date: Tue, 6 Mar 2007 11:11:20 +0100
Subject: [OGo-Users] How do I select the default place where projects are saved
In-Reply-To: <45ED3B96.7050300@tietoteema.fi>
References: <45EBE3FE.7070702@tietoteema.fi> <1173094124.4635.19.camel@aleph.whitemice.org> <45ED3B96.7050300@tietoteema.fi>
Message-ID: <E4443911-A39A-46A6-9F3B-12AA4BEEEC83@opengroupware.org>

On Mar 6, 2007, at 10:59, Samuli Sepp=E4nen wrote:
> I tried changing the SkyFSPath to a non-existent path, to a directory
> with no access (for user "ogo") and setting it to "". None of these
> helped. I guess that I could just add a small hint for the user, like
>
> Project Base: ( ) Database (recommended) ( ) Filesystem
>
> and hope that the user follows this recommendation :).

Just deinstall the project-fs package if you don't need it.

Otherwise you can always tweak the templates the way you like it.

Helge
--=20
Helge Hess
http://www.helgehess.eu/



From users@opengroupware.org  Tue Mar  6 12:22:57 2007
From: users@opengroupware.org (Per Jensen)
Date: Tue, 6 Mar 2007 13:22:57 +0100 (CET)
Subject: [OGo-Users] Danish translation
Message-ID: <25627.212.242.181.96.1173183777.squirrel@webmail.net-es.dk>

List,

I have been in contact with the projectlead of the danish translation
effort, and he does not participate anymore in the opengroupware project.

I will therefore submit an expanded set of '.strings' files in the near
future.

Regards
Per



From users@opengroupware.org  Tue Mar  6 12:54:03 2007
From: users