Kopano community forum, category: Kopano WebApp

Topic: Login with valid username and any password possible
• darootler @fbartels

      @fbartels

Okay, I think I understand that part with the admin rights.

Let's assume a user/customer follows the manual. For whatever reason the Kerberos authentication fails (browser not sending a Kerberos ticket, for example), the user just gets the WebApp login page and is not automatically logged in. From this point you just have to guess a valid user and you are able to access his mailbox.

IMHO this is a security and a design issue and has either to be fixed or the Apache configuration in the manual must be updated to avoid this behavior.

      Regards
      Richard

• fbartels (Kopano) @darootler

        @darootler said in Login with valid username and any password possible:

        browser not sending kerberos ticket for example

In that case, AFAIK, you get a password prompt from your browser. It's still the web server that needs to verify the user.

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/

• darootler @fbartels

          @fbartels

No, that's not the case. I am getting the WebApp login page and there I just need to enter a valid user and any password.

          Regards
          Richard

• fbartels (Kopano)

Again: if you add a certificate in WebApp then you need to delegate authentication to the web server. So at the least you need to remove that bit that Kerberos auth is only using inside of your local network.

            But seeing that you have the need to provide SSO with Kerberos, you probably have an environment with enough budget to buy a subscription. So please buy a subscription and get in touch with the Kopano support if you want to discuss further.

            /unsubscribe

            Regards Felix


• darootler @fbartels

              @fbartels

              I just followed the manual with this Apache config:

              <Directory /usr/share/kopano-webapp>
                AuthType Kerberos
                AuthName "Kerberos Login"
                KrbMethodNegotiate On
                KrbMethodK5Passwd Off
                KrbServiceName HTTP
                KrbAuthRealms ADSDOMAIN.EXAMPLE
                Krb5KeyTab /etc/httpd/keytab.apache
                require valid-user
              </Directory>
              

I am a home user with 3 people using my infrastructure, I will not buy a subscription.

              Please just follow your manual and test if there is a fallback to a basic auth pop up.

              Regards
              Richard

• robing (Kopano, inactive)

                @darootler,

It's just not possible to create a fallback method if the Kerberos authentication is failing.
WebApp needs to have the SSL certificates so it can log in as anyone on the server, as you are fully trusting the Kerberos authentication and not sending the credentials.
What you want can only be achieved with 2 instances of WebApp: configure one with the certificates that Kerberos is using and the other one without.
This is what our (enterprise) customers are doing normally.

Regards, Robin


• darootler @robing

                  @robing

I think you should update the documentation with this information. My mail accounts were (maybe for years) accessible from the internet by just entering a correct username and any password. For me it was not clear that with the configuration provided in the documents there is no fallback and someone could just log in with only an existing username and any password.

                  Anyway i think there is a way to configure the webserver to decide how users are authenticated based on their location (intranet or internet).

                  Regards
                  Richard

• darootler

For everyone who is interested, I have two working examples for the Apache web server without the need to have two WebApp instances running. One will choose which authentication method is used based on the client location, and one has a fallback to Basic Auth if Kerberos SSO is not working. I am using the last one, but this is only recommendable if the WebApp instance is communicating over HTTPS.

                    Regards
                    Richard

• klausade

@darootler I'm interested in your two working examples for the Apache web server without the need to have two WebApp instances running. I guess someone in the future finding this post might also be; could you paste them here?

• darootler @klausade

                        @klausade

                        This example falls back to basic authentication if Kerberos SSO is not working:

<DirectoryMatch "/usr/share/kopano-webapp">
    AuthName "XXXInfo for userXXX"
    AuthType Kerberos
    Krb5Keytab /etc/krb5.keytab
    KrbAuthRealms MY.REALM
    # On is the mod_auth_kerb default: if the browser sends no Negotiate
    # token, the client gets a Basic prompt and the web server checks that
    # password against the KDC. Off means no password fallback at all.
    KrbMethodK5Passwd On
    KrbServiceName HTTP/my.website.com
    Require valid-user
</DirectoryMatch>

                        “KrbMethodK5Passwd” is set to “On” by default. If you set this to “Off” there is no fallback to basic authentication.

This example decides which authentication mode is used based on the IP address of the client:

# Only needed behind a reverse proxy: take the client address from
# X-Forwarded-For, but only for requests that really come from the proxy.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.X.X

<DirectoryMatch "/usr/share/kopano-webapp">
    # -R matches the (RemoteIP-corrected) client address against a network;
    # the partial address "192.168" stands for 192.168.0.0/16.
    <If "-R '192.168'">
        AuthType Kerberos
        AuthName "XXXInfo for userXXX"
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealms MY.REALM
        KrbServiceName HTTP/my.website.com
        Require valid-user
    </If>
    <Else>
        # Clients outside the intranet authenticate with Basic auth that the
        # web server verifies against the domain controller over LDAPS.
        AuthBasicProvider ldap
        AuthType Basic
        AuthName "XXXInfo for userXXX"
        AuthLDAPUrl ldaps://mydc.myinternaldomain.local:636/DC=myinternaldomain,DC=local?sAMAccountName
        AuthLDAPBindDN "CN=myldapuser,OU=you,DC=myinternaldomain,DC=local"
        AuthLDAPBindPassword "MYPWD"
        Require valid-user
    </Else>
</DirectoryMatch>
                        

"RemoteIPHeader" and "RemoteIPInternalProxy" are needed if you use a reverse proxy in front of your WebApp instance. In this example all clients from the subnet "192.168" will authenticate through Kerberos SSO, all others will authenticate through basic LDAP.

I strongly recommend only using HTTPS, no matter what config you are using. If your WebApp instance is available through the internet, I strongly recommend using a reverse proxy with some security features; also a fail2ban service or a similar one must be in place. Let me know if you need more help regarding this configuration.

                        Regards
                        Richard

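The symptom Richard reports (no Kerberos ticket, yet the WebApp login page appears and any password works) can be checked from the outside: an unauthenticated request to the WebApp directory must be answered with a 401 that carries a Negotiate challenge (and a Basic one when KrbMethodK5Passwd is On), and a Basic login with a wrong password must also get a 401. The script below is an added example and not Kopano's code or either of the configurations posted in this thread; the URL and user name in main() are placeholder assumptions, and only fetch() needs network access.

```python
"""Check whether the web server in front of Kopano WebApp really enforces
authentication, or whether a client without a Kerberos ticket simply gets
the WebApp login page (the symptom reported in this thread).

Added example, not Kopano's code. URL and user name in main() are
placeholders (assumptions); fetch() needs the network, the rest runs offline.
"""
import base64
import urllib.error
import urllib.request


def parse_challenges(www_authenticate):
    """Return the lowercase scheme names found in WWW-Authenticate values.

    Apache may send one header per scheme or several challenges in one
    header, e.g. 'Negotiate, Basic realm="Kerberos Login"'. The scheme is
    the first token of each challenge; tokens containing '=' (realm="...",
    charset="...") are parameters. A realm containing a comma is not handled.
    """
    schemes = set()
    for value in www_authenticate:
        for challenge in value.split(","):
            challenge = challenge.strip()
            if not challenge:
                continue
            token = challenge.split()[0]
            if "=" in token:
                continue
            schemes.add(token.lower())
    return schemes


def classify(status, www_authenticate):
    """Map the response to an unauthenticated GET of the WebApp directory
    to the mod_auth_kerb posture it implies."""
    schemes = parse_challenges(www_authenticate)
    if status == 401:
        if "negotiate" in schemes and "basic" in schemes:
            # KrbMethodK5Passwd On: SSO plus a password fallback that the
            # web server verifies against the KDC.
            return "negotiate+basic"
        if "negotiate" in schemes:
            # KrbMethodK5Passwd Off: no password fallback at the web server.
            return "negotiate-only"
        if "basic" in schemes:
            return "basic-only"
        return "401-without-challenge"
    if status == 200:
        # Login page served without any web-server authentication; with the
        # SSO certificate configured, WebApp then accepts any password.
        return "unprotected"
    return "unexpected-%d" % status


def verdict(unauth_status, unauth_challenges, wrong_password_status):
    """A 200 for the unauthenticated request, or for a Basic login with a
    wrong password, means the web server is not the one verifying users."""
    return {
        "posture": classify(unauth_status, unauth_challenges),
        "bypass_suspected": unauth_status == 200 or wrong_password_status == 200,
    }


def fetch(url, basic_user=None, basic_password=None, timeout=10):
    """GET url, optionally with Basic credentials; return (status, list of
    WWW-Authenticate values). HTTP errors are returned, not raised.
    Redirects are followed, so 200 means the final page had no challenge."""
    request = urllib.request.Request(url)
    if basic_user is not None:
        token = base64.b64encode(
            ("%s:%s" % (basic_user, basic_password)).encode("utf-8")
        ).decode("ascii")
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("WWW-Authenticate") or []


def audit(url, user, wrong_password="definitely-not-the-password"):
    """Probe once without credentials and once with a wrong Basic password
    for an existing user name; return the verdict dict."""
    unauth_status, challenges = fetch(url)
    wrong_status, _ = fetch(url, user, wrong_password)
    return verdict(unauth_status, challenges, wrong_status)


if __name__ == "__main__":
    # Placeholder URL and user name (assumptions): replace with your own.
    print(audit("https://my.website.com/webapp/", "someuser"))
```

Run it from outside the intranet as well as from inside: with the IP-based configuration above, the outside run should report "basic-only" and the inside run "negotiate+basic" (or "negotiate-only" with KrbMethodK5Passwd Off), and bypass_suspected must be False in both cases. Any "unprotected" posture means the Directory or DirectoryMatch block is not being applied to the path you are testing.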
• fbartels (Kopano) @darootler

                          @darootler said in Login with valid username and any password possible:

                          “KrbMethodK5Passwd” is set to “On” by default. If you set this to “Off” there is no fallback to basic authentication.

Ah, yes indeed. This is the important piece here. The manual indeed specified this as KrbMethodK5Passwd=off, but to have a password fallback it needs to be set to on. I have removed this from the manual (as it's on by default and there is no use defining it if you use the default value).

                          Thanks for bringing it up.

                          Regards Felix
