[OGo-Users] ldap+kerberos authentication
Adam Tauno Williams
users@opengroupware.org
Sat, 03 Mar 2007 23:03:26 -0500
> >>>> LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
> >>> Uhm? You need to specify the password here.
> >> I tested both, the cleartext password and the above hashed string of the
> >> password.
> >> For both I get no error messages from ldap-authentication and the
Are you authenticating via OGo/LDAP or Apache/LDAP or Apache/Kerberos?
You seem to be confusing all three configurations.
> > Sure, the bind just fails.
> Not so sure. The failure of an anonymous bind is documented in the webui
> logfile.
> The error message in this logfile only disappears after setting the DN,
> PW and BindSpecific Parameters.
Seems expected unless your LDAP server is set to permit LDAPv2 and/or
anonymous binds (probably not).
> >> behavior of the server is equal.
> > Increase your logging level.
> For which application?
Your LDAP DSA if you are interested as to what search/bind-attempt is
being attempted (if any).
But you are talking about Kerberos, so I don't see how LDAP binding is
relevant.
> How can I do this for OGo??
> >> Is there any way to see what username ogo tries to login after the
> >> apache2 authenticates him?
> > This is recorded in the ogo-webui-*err file
> I don't have such a file on the system.
Yes, you do. Did you look in /var/log/opengroupware? For instance, I
have ogo-webui-1.1-err.log & ogo-webui-1.1-out.log.
> >> Or is there a way to see what the OGo user tries to do on his database?
> >> For now I can only see OGo to connect to postgres...
> > OGo connects to PostgreSQL using the parameters defined in
> > LSConnectionDictionary.
> Not definitely.
Yes, definitely.
> After standard Debian installation and building an ogo
> instance with ogo-create-instance script, I have db named ogo and dbuser
> called ogo.
> In my LSConnectionDictionary are these credentials configured (ogo,ogo).
> All is fine.
> But after enabling mod-auth-kerb my browser tells me a connection error
> to postgres. Postgres logs show connection errors for user OGo@127.0.0.1
> I was not able to change this behaviour and therefore changed my
> database, dbuser and LSConnectionDictionary to OGo,OGo
Beats me, this is totally unrelated; you must have bumped something
else. PostgreSQL user names and role names are case sensitive.
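
On the LDAPInitialBindPW point near the top of the thread, the following is an added example, not part of the original message and not OGo or LDAP server code. It models how a directory that stores userPassword in {SSHA} form (salted SHA-1, assumed here) checks the password presented in a simple bind, and why presenting the {SSHA} string itself cannot match. Function names, the password and the salt are constructed for illustration.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # SHA-1 digest size in bytes; the salt is whatever follows it


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, presented: bytes) -> bool:
    """Model of the server-side check done for a simple bind.

    The client sends `presented` as-is; the server re-hashes it with the
    salt recovered from the stored value and compares the digests.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("stored value carries no salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(presented + salt).digest()
    return hmac.compare_digest(digest, candidate)


# Constructed sample data: what the directory would hold for the bind DN.
SAMPLE_SALT = b"\x01\x02\x03\x04"
SAMPLE_STORED = make_ssha(b"bind-secret", SAMPLE_SALT)


def demo() -> dict:
    """Compare the two values the poster tried as the bind password."""
    return {
        # Cleartext in the client config: server hashes it, digests match.
        "cleartext": check_ssha(SAMPLE_STORED, b"bind-secret"),
        # Hash string in the client config: server hashes the hash, no match.
        "hash_string": check_ssha(SAMPLE_STORED, SAMPLE_STORED.encode("ascii")),
    }


if __name__ == "__main__":
    print(demo())
```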