Kerio Connect forum: Problem authenticating users against Open Directory

tiredofnick
Trying to authenticate users against an Apple server Open Directory that is running fine; usernames are stored in ASCII. When I test the connection to the directory server it works fine, and I am able to add a user from the directory fine. When the user tries to authenticate to the Kerio mail server using their OD creds, auth fails.

I have quite a bit of this in my LDAP log on the Mac server:
Aug 4 15:14:31 server slapd[6533]: SASL [conn=31] Failure: no user in database\n

So I'm assuming I have something set up on the Kerio side incorrectly. Assuming it's my LDAP search string, but then how the heck would the test work when I add the connection to the directory??

[Updated on: Mon, 04 August 2008 21:17]


tiredofnick
Just as an update, I'm seeing this in my debug log when a user tries to log in.

[05/Aug/2008 14:48:58][42828800] {ldapdb} Search request: result='(0) Success', filter='(&(objectclass=apple-user)(kerio-Mail-Active=*)( uid=nick))', scope='sub', server='opendirectory.server.com', base DN='cn=users,dc=server,dc=com'
[05/Aug/2008 14:48:58][42828800] {ldapdb} Acquired connection to the LDAP server: "opendirectory.server.com". Pool slot: 1; Thread ID: 42828800
[05/Aug/2008 14:48:59][42828800] {ldapdb} LDAP connection was released. Pool slot: 1
[05/Aug/2008 14:48:59][42828800] {ldapdb} LDAP connection was released. Pool slot: 0
[05/Aug/2008 14:48:59][42828800] {auth} Cannot copy authorization rights for user nick. The authorization was denied. Code -60005
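The debug excerpt above shows two different stages in one login: the {ldapdb} search returns '(0) Success' (the directory mapping and filter found the account), and only afterwards the {auth} step reports that authorization was denied with code -60005. What follows is an added example, not code from the original post or from Kerio: a small Python triage script that parses Kerio-style {ldapdb}/{auth} debug lines, pairs the search and auth events by the thread ID in the second bracket, and reports which stage failed. The regex formats are taken from the lines quoted in the post; the two extra threads (42829000 and 42829100) and their log lines are constructed for contrast, and the verdict for -60005 assumes only what the message text itself says (lookup succeeded, the credential check was denied).

```python
import re
from collections import defaultdict

# Thread 42828800 is the excerpt from the post above. Threads 42829000 and
# 42829100 are CONSTRUCTED for contrast: one search against a wrong base DN
# that fails outright, and one successful lookup with no auth failure logged.
SAMPLE_LOG = """\
[05/Aug/2008 14:48:58][42828800] {ldapdb} Search request: result='(0) Success', filter='(&(objectclass=apple-user)(kerio-Mail-Active=*)( uid=nick))', scope='sub', server='opendirectory.server.com', base DN='cn=users,dc=server,dc=com'
[05/Aug/2008 14:48:58][42828800] {ldapdb} Acquired connection to the LDAP server: "opendirectory.server.com". Pool slot: 1; Thread ID: 42828800
[05/Aug/2008 14:48:59][42828800] {ldapdb} LDAP connection was released. Pool slot: 1
[05/Aug/2008 14:48:59][42828800] {ldapdb} LDAP connection was released. Pool slot: 0
[05/Aug/2008 14:48:59][42828800] {auth} Cannot copy authorization rights for user nick. The authorization was denied. Code -60005
[05/Aug/2008 14:50:12][42829000] {ldapdb} Search request: result='(32) No such object', filter='(&(objectclass=apple-user)(kerio-Mail-Active=*)( uid=bob))', scope='sub', server='opendirectory.server.com', base DN='cn=users,dc=wrong,dc=com'
[05/Aug/2008 14:51:40][42829100] {ldapdb} Search request: result='(0) Success', filter='(&(objectclass=apple-user)(kerio-Mail-Active=*)( uid=alice))', scope='sub', server='opendirectory.server.com', base DN='cn=users,dc=server,dc=com'
[05/Aug/2008 14:51:40][42829100] {ldapdb} LDAP connection was released. Pool slot: 1
"""

# [timestamp][thread id] {component} message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>\d+)\] \{(?P<comp>\w+)\} (?P<msg>.*)$")
# The search-request line as Kerio logs it (result code, filter, scope, server, base DN)
SEARCH_RE = re.compile(
    r"Search request: result='\((?P<code>\d+)\) (?P<text>[^']*)', filter='(?P<filter>[^']*)', "
    r"scope='(?P<scope>[^']*)', server='(?P<server>[^']*)', base DN='(?P<base>[^']*)'"
)
# The auth failure line as quoted in the post
AUTH_FAIL_RE = re.compile(
    r"Cannot copy authorization rights for user (?P<user>\S+)\. The authorization was denied\. Code (?P<code>-?\d+)"
)
# Pull the uid term out of the filter; tolerate the stray space in "( uid=nick)"
UID_RE = re.compile(r"\(\s*uid=(?P<uid>[^)]+)\)")


def parse(log_text):
    """Split each log line into timestamp, thread, component and message."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def verdict(rec):
    """Decide which stage of the login failed for one thread."""
    if "search_code" not in rec:
        return "no directory lookup logged"
    if rec["search_code"] != 0:
        return "directory lookup failed (%s): check base DN and search filter" % rec["search_text"]
    if rec.get("auth_code") == -60005:
        # Lookup succeeded, so the LDAP mapping is not the problem; the denial
        # happened in the credential check that follows it.
        return ("lookup OK, credential verification denied (code -60005): "
                "the directory mapping works, check the authentication method chosen for the domain")
    if "auth_code" in rec:
        return "lookup OK, authentication denied with code %d" % rec["auth_code"]
    return "lookup OK, no authentication failure logged"


def triage(log_text):
    """Group events by thread ID and return a per-thread summary with a verdict."""
    by_thread = defaultdict(dict)
    for ev in parse(log_text):
        rec = by_thread[ev["thread"]]
        if ev["comp"] == "ldapdb":
            s = SEARCH_RE.search(ev["msg"])
            if s:
                rec["search_code"] = int(s["code"])
                rec["search_text"] = s["text"]
                rec["filter"] = s["filter"]
                rec["base_dn"] = s["base"]
                u = UID_RE.search(s["filter"])
                if u:
                    rec["user"] = u["uid"].strip()
        elif ev["comp"] == "auth":
            a = AUTH_FAIL_RE.search(ev["msg"])
            if a:
                rec["auth_code"] = int(a["code"])
                rec.setdefault("user", a["user"])
    for rec in by_thread.values():
        rec["verdict"] = verdict(rec)
    return dict(by_thread)


if __name__ == "__main__":
    for thread, rec in triage(SAMPLE_LOG).items():
        print(thread, rec.get("user", "?"), "->", rec["verdict"])
```

Run it against a real Kerio debug log instead of SAMPLE_LOG; the useful signal is a thread whose search line says Success while the auth line says denied, because that rules out the filter and base DN and points at whatever verifies the password.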

My IT Indy
I'm curious about the opendirectory.server.com log entry. Is DNS set up correctly?

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com

tiredofnick
Heh, well I changed the names; that isn't the actual server DNS entry. Names have been changed to protect the innocent.

Pavel Dobry (Kerio)
tiredofnick wrote on Tue, 05 August 2008 20:53:

[05/Aug/2008 14:48:59][42828800] {auth} Cannot copy authorization rights for user nick. The authorization was denied. Code -60005

I believe this could be easily solved by using Kerberos authentication instead of Apple Password Server. This can be done in the Directory Service mapping in the e-mail domain definition. Just make sure that the Kerberos server is running on your OD server (the DNS server has to be properly configured).
Kerberos authentication is better and much more secure.

tiredofnick
Yeah, I was afraid someone would say that. Kerberos setup is tough in my "unique" environment. Heh.

Better to do it right than to half-ass it though!