Kerio Connect 8.0 & Mac 10.8.2 & Open Directory (LDAP Authentification Problem)
  •  
henrihoffmann

Hi,

We currently have 7.4.3 running on our Mac Server. All users are defined in Apple's Open Directory. Works fine.
After upgrading to 8.0, after a while the message queue fills up with "Directory Authentification Problem" (or something like this) in the status column. I also got a lot of Mail Delivery Problem mails.
Open Directory was fine. I have restarted Kerio a couple of times, same problem.
After 24h I went back to 7.4.3, no trouble with this release (for a couple of months).

Second problem: the Mac OS X 10.8.2 address book and calendar sync failed because of authentication issues; I assume this is the same problem as before. The "Test" button in the Kerio domain definition returned "successful" even though the problem exists.

Thanks
Henri
  •  
FloFMS

Hello

I have the same issues on Mac OS X 10.6.8 Server with Open Directory.
I uninstalled Kerio 8 and went back to 7.4.3. After this all works normally.

Error:
Can't bind to LDAP server xxx.xxx using any supported authentication method. Username: uid=xxx,cn=xxx,dc=xxx,dc=xxx. (ThreadId=2954383360)

Regards
Florian
  •  
anarvey

Did you remember to update the Kerio Open Directory plugin?
  •  
Lyle M

Let me start by saying that I am not yet running 10.8.x or Connect 8.0. However, I have had issues with OD auth in earlier versions - OD connections would fail after some time, requiring a restart.

So, keep that in mind when I make this suggestion - you should not trust me!

Check out Kerio KB article: http://kb.kerio.com/product/kerio-connect/os-x/kerberos-authentication-with-osx-107-against-an-opendirectory-server-911.html

If you don't already have Kerberos authentication configured, this may make your setup more reliable.

Many thanks to Apple for all the helpful changes you've made in your server products since 10.6. :cry:

If you try this, please post back with your results. I hope to deploy 8.0.x on 10.8.x in the next couple of months and appreciate learning from your brave leap into version 8.0.

Regards,
Lyle Millander
  •  
nitrokev

I'm having the same problem with 10.8.2 and OD and Kerio 8.

I have installed the latest OD extension. I'm seeing errors in the slap.log saying there is a realm change and authentication failure, although most of the time users are receiving emails as normal, but it does drop out completely every few days.

I have sent my logs to Kerio and they said the OD and Kerberos on my server were corrupt.

So I have just done a complete clean install of OS X 10.8, installed the latest Server.app, set up DNS and created a new OD master, and downloaded and installed the latest Kerio Connect.

All looked fine until I installed the latest Kerio OD extension, then I began seeing errors saying there was a checksum error in OD:

507c79a9 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif"

and realm change in slap.log

: SASL [conn=1025] Failure: realm changed: authentication aborted

Nothing else was installed on the server and no other areas of server.app were configured, so it looks to me like the OD extension is causing the OD to corrupt.

  •  
Pavel Dobry (Kerio)

There appears to be a bug in Mountain Lion's Open Directory server, which causes crashes of the slapd daemon.

Is anyone with an OS X Server version other than 10.8.x experiencing the error message "SASL [conn=1025] Failure: realm changed: authentication aborted"?
  •  
nitrokev

Do you guys have any influence with Apple to be able to report this OD bug and get it fixed? Or will you have to try and work round it?
  •  
henrihoffmann

Hi,

After upgrading and downgrading 5-7 times I can confirm that 7.4.3 works very stably with 10.8.2, no OD issues.
As soon as I switch to Kerio 8 it stops working after a couple of days. OD works for all other applications (including Workspace) without issues.

Best regards
Henri
  •  
anarvey

:cry:

Two computers with OSX 10.8.2 Server and Kerio Connect 8.0.0.

Both stop allowing logins after a few days. Were working fine with 7.4.3.

On one I was able to convert all users to local as there were so few users. It would not be too practical on the other.

Every two days or so I have to go into the System Preferences Connect item and Stop and then Start the Connect to allow people to log in again.

Not too happy.
  •  
Pavel Dobry (Kerio)

You can try the following workaround:

1. Open Terminal, stop LDAP server:
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist

2. Edit the configuration file:
sudo vi /etc/openldap/slapd.d/cn\=config.ldif

3. Add the following lines to the end of the file:
olcAccess: {0}to dn.exact="" attrs=supportedSASLMechanisms by * none
olcAccess: {1}to * by * read

4. Start LDAP server:
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

This way, access to the rootDSE in the LDAP server will be disabled and the LDAP server will not announce SASL authentication to clients.
Kerio Connect will then use simple bind instead.

[Updated on: Fri, 18 January 2013 13:47]

  •  
nitrokev

Thanks, I'll try this later today. Are there any effects this might have that we should be aware of?
  •  
Pavel Dobry (Kerio)

I'm not aware of any side-effect of this change.
Keep in mind that this is a workaround. You should revert these changes when (if) Apple fixes the bug in Open Directory SASL authentication or after we release a version with a workaround on the Kerio Connect side (however, Open Directory may still have problems with other clients then).
  •  
nitrokev

I applied your workaround and it seems to have stopped the realm changed warning in the logs.

But I'm still getting:

50fa8631 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config.ldif"
50fa8631 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif"
50fa8631 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable

when I run sudo /usr/libexec/slapd -Tt

I only get the checksum errors if the Kerio OD extension is installed.
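
Added example (not part of the original posts and not Kerio's or Apple's code): slapd prints "checksum error" when the "# CRC32" header at the top of a slapd.d LDIF file no longer matches the rest of the file, which is what a change made in a text editor rather than through ldapmodify leaves behind. This Python check recomputes the value for any file passed on the command line; the two-line header layout is assumed from OpenLDAP 2.4's output, and the sample data is constructed.

```python
import re
import zlib

# Header layout assumed from OpenLDAP 2.4 back-ldif output: two comment lines,
# the second holding a CRC32 (hex) of everything that follows them.
HEADER = re.compile(rb"\A# AUTO-GENERATED FILE[^\n]*\n# CRC32 ([0-9a-fA-F]{8})\n")


def check_ldif(data: bytes):
    """Return (status, stored, computed) for one slapd.d LDIF file's bytes."""
    m = HEADER.match(data)
    if m is None:
        # No header at all: there is no stored value to compare against.
        return ("no-header", None, "%08x" % (zlib.crc32(data) & 0xFFFFFFFF))
    stored = m.group(1).decode().lower()
    computed = "%08x" % (zlib.crc32(data[m.end():]) & 0xFFFFFFFF)
    return ("ok" if stored == computed else "mismatch", stored, computed)


def with_header(body: bytes) -> bytes:
    """Build a constructed sample file with a correct header for `body`."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return (b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
            b"# CRC32 %08x\n" % crc) + body


# Constructed sample, not taken from any real server.
BODY = b"dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"
INTACT = with_header(BODY)
# The same file after two lines were appended in an editor (header untouched).
HAND_EDITED = INTACT + (
    b'olcAccess: {0}to dn.exact="" attrs=supportedSASLMechanisms by * none\n'
    b"olcAccess: {1}to * by * read\n")

if __name__ == "__main__":
    import sys
    # Usage: python check_slapd_crc.py /etc/openldap/slapd.d/cn=config.ldif ...
    samples = {"intact sample": INTACT, "hand-edited sample": HAND_EDITED}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, data in samples.items():
        print(name, *check_ldif(data))
```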
  •  
henrihoffmann

Hi,

I have also had such checksum problems.
I fixed it by backing up and restoring the OD.
Afterwards run slaptest to verify the configuration.

sudo slaptest
Password:
50fa9ee8 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

Best regards
Henri
  •  
nitrokev

Hi Pavel,

I'm afraid the workaround did not work. It did stop the failed realm message over the weekend, but users have just lost authentication again this morning.