OIDC - Authorization failed
-
Thank you for reply @fbartels
Now i receive this error in log.
/var/log/syslog;
Dec 1 10:40:39 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw Dec 1 10:40:40 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw Dec 1 10:40:40 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend logon" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA id=YmVmM2I0NjQtYzgwNC0xMDNhLTg1MGMtMDkxY2NhOTY2ZmJk ref="identifier-kc:-:YmVmM2I0NjQtYzgwNC0xMDNhLTg1MGMtMDkxY2NhOTY2ZmJk" session="Session(1581284045969739298@R6gRlBNaSdaFwjsv8aq6lg==)" username=user1@domain.org Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true Dec 1 10:40:43 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true
/etc/kopano/server.cfg;
server_listen = *%lo:236 server_listen_tls = *%lo:237 server_ssl_key_file = /etc/kopano/ssl/server.pem server_ssl_ca_file = /etc/ssl/certs/ca-certificates.crt mysql_user = kopanodbadmin mysql_password = pass local_admin_users = root kopano log_file = /var/log/kopano/server.log log_level = 5 attachment_storage = s3 attachment_s3_hostname = s3-eu-central-1.amazonaws.com attachment_s3_region = eu-central-1 attachment_s3_protocol = https attachment_s3_uristyle = path attachment_s3_accesskeyid = attachment_s3_secretaccesskey = attachment_s3_bucketname = kopano-mail attachment_path = attachments user_plugin = ldap user_plugin_config = /etc/kopano/ldap.cfg enable_sso = true server_hostname = meet.domain.org kcoidc_issuer_identifier = https://meet.domain.org enable_hosted_kopano = true storename_format = %f (%c) loginname_format = %u@%c enable_gab = yes hide_everyone = yes hide_system = yes sync_gab_realtime = yes search_enabled = yes search_socket = file:///var/run/kopano/search.sock search_timeout = 10 disabled_features = pop3
/etc/kopano/ldap.cfg;
!include /usr/share/kopano/ldap.openldap.cfg ldap_uri = ldap://127.0.0.1:389 ldap_bind_user = cn=admin,dc=hosted,dc=local ldap_bind_passwd = pass ldap_search_base = dc=hosted,dc=local ldap_last_modification_attribute = modifyTimestamp ldap_user_type_attribute_value = kopano-user ldap_group_type_attribute_value = kopano-group ldap_user_search_filter = (objectClass=kopano-user) ldap_user_unique_attribute = entryUUID ldap_group_search_filter = (objectClass=kopano-group) ldap_company_search_filter = (objectClass=kopano-company) ldap_quota_multiplier = 1048576
user.ldif;
dn: uid=user1,ou=domain.org,dc=hosted,dc=local objectClass: posixAccount objectClass: top objectClass: kopano-user objectClass: inetOrgPerson gidNumber: 1101 cn: User1 Surname mail: user1@domain.org uidNumber: 1101 homeDirectory: /home/user1 kopanoAliases: root@domain.org kopanoUserServer: kopano uid: user1 kopanoAccount: 1 kopanoAdmin: 0 sn: Surname userPassword: pass kopanoQuotaOverride: 1 kopanoEnabledFeatures: mobile outlook webapp imap kopanoDisabledFeatures: pop3 kopanoQuotaWarn: 10000000000 kopanoQuotaSoft: 11000000000 kopanoQuotaHard: 12000000000
Thanks for the help!
-Karif
-
@karif how is konnect configured. is it all on the same server? Which versions are you using? which os?
-
OS: Debian 10
Kopano versions;
ii kopano-backup 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-client 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-common 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-dagent 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-dagent-pytils 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-gateway 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-grapi 10.5.0+0.f3e0f35-0+37.3 amd64 ii kopano-grapi-bin 10.5.0+0.f3e0f35-0+37.3 amd64 ii kopano-grapi-i18n 10.5.0+0.f3e0f35-0+37.3 all ii kopano-ical 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-kapid 0.15.0-0+343.2 amd64 ii kopano-konnectd 0.33.8-0+354.1 amd64 ii kopano-kwebd 0.12.4-0+315.1 amd64 ii kopano-kwmserverd 1.2.0-0+335.1 amd64 ii kopano-lang 10.0.6.502.8b8baeb2a-0+297.1 all ii kopano-meet 2.2.3-0+356.1 all ii kopano-meet-packages 2.2.3-0+356.1 all ii kopano-meet-webapp 2.2.3-0+356.1 all ii kopano-monitor 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-python-utils 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-python3-extras 0.2.0+0-0+56.1 amd64 ii kopano-search 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-server 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-server-packages 10.0.6.502.8b8baeb2a-0+297.1 all ii kopano-spamd 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-spooler 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-webapp 5.0.0.36+1917.1 all ii kopano-webapp-plugin-files 4.0.1.0+444.1 all ii libgsoap-kopano-2.8.102 2.8.102-0+1.3 amd64 ii libvmime-kopano3 0.9.2.96+3.8 amd64 ii python3-grapi.backend.kopano 10.5.0+0.f3e0f35-0+37.3 amd64 ii python3-kopano 10.0.6.502.8b8baeb2a-0+275.1 all ii python3-kopano-search 10.0.6.502.8b8baeb2a-0+275.1 all ii python3-kopano-utils 10.0.6.502.8b8baeb2a-0+275.1 all ii z-push-backend-kopano 2.6.0+0-0 all ii z-push-kopano 2.6.0+0-0 all
I just change the oidc_issuer_identifier in konnectd.cfg to my domain. And yes all on same server. Also i am using kweb not nginx or apache.
oidc_issuer_identifier=https://meet.domain.org
I follow this and a few other guides;
https://kb.kopano.io/display/WIKI/Kopano+One+on+Debian+10+-+quick+installation+instructions
Thank you!
-
@karif said in OIDC - Authorization failed:
Now i receive this error in log.
does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
-
@fbartels said in OIDC - Authorization failed:
@karif said in OIDC - Authorization failed:
Now i receive this error in log.
does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
No it was configured, i was just using ldap backend for konnectd on before. But now i am using kc backend. While i was using ldap backend i didnt receive any error but problem was same. Now atleast i am getting an error in logs after i switch to kc backend.
It was always same user.
I am suspecting that the ldap login name and expected login name by konnectd is not same. I am logging by username@domain.org and i set server.cfg this way but OIDC also expecting this format from me ?
storename_format = %f (%c) loginname_format = %u@%c
/etc/kopano/konnectd-identifier-scopes.yaml;
# This file contains additional scopes for Konnect. All of the scopes listed # here are made available to clients upon request if not limited by other means. --- scopes: kopano/kwm: description: "Access Kopano Meet" kopano/kvs: description: "Access Kopano Key Value Store" kopano/pubs: description: "Access Kopano Pub/Sub" kopano/gc: description: "Read and write your Kopano Groupware data"
Thanks
-
@karif said in OIDC - Authorization failed:
i was just using ldap backend for konnectd on before
yes, that would not work. Konnect needs to use the Kopano backend for SSO in Kopano WebApp (and the RestAPI, and kopano-server in general).
Usually the
loginname_format
is left untouched in hosted offerings, and ratherldap_loginname_attribute
is set to mail.But if you are planning on hosting other users data on that system (which the multi tenant configuration implies) I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds. On top if the above does not fix it for you you would have access to our support that could give your system a more closer look.
-
@fbartels Thanks for the advise Felix. I made the change;
ldap_loginname_attribute = mail
But it doesnt fix the problem…
I also changed;
/usr/share/kopano-webapp/config.phpdefine("LOGINNAME_STRIP_DOMAIN", true);
But it doesnt helped either.
“I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds”
I would like to build a stable multi-tenant kopano system with oidc authorization, is this not possible with your open source packages? Shall i get subscription for this ?
Also i cant find a proper guide to accomplished this, is it me who cant find it or there is not any ?
Last time i struggle like this when i setup my openstack cluster :) Documents are there but feel like many dots not connected. Logs are a bit vague if you are not familiar with kopano. Luckily we have forum and @fbartels on this forum :) .
As an opensource believer hope i can have a working kopano server soon.
Thanks
Karif
==> /var/log/kopano/php-mapi.log <== 2020-12-02T06:37:59.803700: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:37:59.803807: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:02.851056: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:02.851149: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:05.898950: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:05.899048: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:08.939214: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:08.939319: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:11.979627: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:11.979747: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:15.023726: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:15.023820: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
-
Any advise will be appreciated.
@fbartels @longsleepThanks!
-Karif -
Change
enable_sso = true
to
enable_sso = yes
in your server config. I know its stupid and we will fix it eventually - but for now
yes
it is. Otherwise SSO is not enabled. -
@longsleep Not sure if i have to cry or smile :) . It worked! It took my 1 week. Thank you very much for the information, appreciated.
Is there any other place that i need to say yes instead of true? Or this is the only place?
Thanks,
Karif
-
@karif said in OIDC - Authorization failed:
Is there any other place that i need to say yes instead of true? Or this is the only place?
There are other settings which only check for
yes
unfortunately. -
@longsleep How can i find the list of them ?
Thanks
-
@karif said in OIDC - Authorization failed:
@longsleep How can i find the list of them ?
ThanksI am not aware of a real good way - so by looking at the source.
Something like
git grep 'yes' | grep -E 'strcmp|strcasecmp' ECtools/admin/admin.cpp: if (strcasecmp(response.c_str(), "y") != 0 && strcasecmp(response.c_str(), "yes") != 0) { common/ECChannel.cpp: if (strcmp(lpConfig->GetSetting("ssl_verify_client"), "yes") == 0) common/StatsClient.cpp: if (v == nullptr || strcasecmp(v, "yes") != 0) gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) gateway/IMAP.cpp: if (idle && strcmp(idle, "yes") == 0) gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/POP3.cpp: if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0)) gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { provider/libserver/ECAttachmentStorage.cpp: m_sync_files = sync_files_par == nullptr || strcasecmp(sync_files_par, "yes") == 0; provider/libserver/ECSession.cpp: if (p != nullptr && strcasecmp(p, "yes") == 0) provider/libserver/cmd.cpp: if (!(lpszEnabled && strcasecmp(lpszEnabled, "yes") == 0)) provider/server/ECServer.cpp: if (strcmp(cfg->GetSetting("server_pipe_enabled"), "yes") == 0) { spooler/DAgent.cpp: y = strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0 || spooler/DAgent.cpp: auto save_all = parseBool(rawmsg) && (strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0); spooler/archive.cpp: if (strcmp(lib, "yes") == 0) spooler/mailer.cpp: else if (strcmp(g_lpConfig->GetSetting("allow_redirect_spoofing"), "yes") == 0 && spooler/mailer.cpp: if (strcmp(g_lpConfig->GetSetting("always_send_delegates"), "yes") == 0) { spooler/mailer.cpp: } else if(strcmp(g_lpConfig->GetSetting("allow_delegate_meeting_request"), "yes") == 0 && spooler/mailer.cpp: if (lpRepStore != nullptr && (strcmp(cts, "yes") == 0 ||
-
@longsleep said in OIDC - Authorization failed:
git grep ‘yes’ | grep -E ‘strcmp|strcasecmp’
This will help, thank you very much!
Karif
-
Glad i could help :)
-
@Karif You pinged me.
Anything i can do? or is it fixed now?
-
Hey @thctlo , already fixed. Thanks for check in :)