[OGo-Users] ldap+kerberos authentication
Torsten Becker
users@opengroupware.org
Sun, 04 Mar 2007 16:46:33 +0100
Adam Tauno Williams wrote:
>>>>>> LDAPInitialBindPW = "{SSHA}S0bmzeGvCwcCkCuT43GL54xCGTe70uBN";
>>>>>>
>>>>> Uhm? You need to specify the password here.
>>>>>
>>>> I tested both, the cleartext password and the above hashed string of the
>>>> password.
>>>> For both I get no error messages from ldap-authentication and the
>>>>
>
> Are you authenticating via OGo/LDAP or Apache/LDAP or Apache/Kerberos?
> You seem to be confusing all three configurations.
>
>
I want to authenticate via Apache/Kerberos. All the docs I found said to
configure the LDAP settings in the Defaults...
>>> Sure, the bind just fails.
>>>
>> Not so sure. The failure of an anonymous bind is documented in the webui
>> logfile.
>> The error message in this logfile only disappears after setting the DN,
>> PW and BindSpecific Parameters.
>>
>
> Seems expected unless your LDAP server is set to permit LDAPv2 and/or
> anonymous binds (probably not).
>
>
The slapd permits LDAPv2 but not anonymous binds.
>>>> behavior of the server is equal.
>>>>
>>> Increase your logging level.
>>>
>> For which application?
>>
>
> Your LDAP DSA if you are interested as to what search/bind-attempt is
> being attempted (if any).
>
> But you are talking about Kerberos, so I don't see how LDAP binding is
> relevant.
>
The only search attempts that I could see searched for the user OGo.
This user exists locally.
I would be happy, if someone could give me a complete description of the
configuration I need to authenticate
via apache-mod-kerberos and be authenticated to ogo without being prompted for
another login.
>
>> How can I do this for OGo??
>>
>>>> Is there any way to see what username ogo tries to login after the
>>>> apache2 authenticates him?
>>>>
>>> This is recorded in the ogo-webui-*err file
>>>
>> I don't have such a file on the system.
>>
>
> Yes, you do. Did you look in /var/log/opengroupware? For instance, I
> have ogo-webui-1.1-err.log & ogo-webui-1.1-out.log.
>
Sorry I searched the whole system. I don't have these files. In
/var/log/opengroupware.org/OGo/ are just the
standard logfiles webui.log, zidestore.log and xmlrpcd.log
>
>>>> Or is there a way to see what the OGo user tries to do on his database?
>>>> For now I can only see OGo to connect to postgres...
>>>>
>>> OGo connects to PostgreSQL using the parameters defined in
>>> LSConnectionDictionary.
>>>
>> Not definitely.
>>
>
> Yes, definitely.
>
>
>> After a standard Debian installation and building an ogo
>> instance with ogo-create-instance script, I have db named ogo and dbuser
>> called ogo.
>> In my LSConnectionDictionary are these credentials configured (ogo,ogo).
>> All is fine.
>> But after enabling mod-auth-kerb my browser tells me a connection error
>> to postgres. Postgres logs show connection errors for user OGo@127.0.0.1
>> I was not able to change this behaviour and therefore changed my
>> database, dbuser and LSConnectionDictionary to OGo,OGo
>>
>
> Beats me, this is totally unrelated; you must have bumped something
> else. PostgreSQL user names and role names are case sensitive.
>
>
I know it's unrelated, but it confused me...