Login with valid username and any password possible
-
@darootl I'm interested in your two working examples for the Apache webserver without the need to have two WebApp instances running. I guess someone finding this post in the future might also be, so could you paste them here?
-
This example falls back to basic authentication if Kerberos SSO is not working:
    <DirectoryMatch "/usr/share/kopano-webapp">
        AuthName "XXXInfo for userXXX"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealms MY.REALM
        KrbMethodK5Passwd On
        KrbServiceName HTTP/my.website.com
        Require valid-user
    </DirectoryMatch>
“KrbMethodK5Passwd” is set to “On” by default. If you set this to “Off” there is no fallback to basic authentication.
This example decides which authentication mode is used based on the IP address of the client:
    # Only needed when a reverse proxy sits in front of WebApp: take the client
    # address from X-Forwarded-For, but only when the header comes from the proxy
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 192.168.X.X
    <DirectoryMatch "/usr/share/kopano-webapp">
        # Clients from 192.168.x.x: Kerberos SSO
        <If "-R '192.168'">
            AuthType Kerberos
            Krb5Keytab /etc/krb5.keytab
            KrbAuthRealms MY.REALM
            KrbServiceName HTTP/my.website.com
            Require valid-user
        </If>
        # Everyone else: basic authentication against LDAP
        <Else>
            AuthBasicProvider ldap
            AuthType Basic
            AuthName "XXXInfo for userXXX"
            AuthLDAPUrl ldaps://mydc.myinternaldomain.local:636/DC=myinternaldomain,DC=local?sAMAccountName
            AuthLDAPBindDN "CN=myldapuser,OU=you,DC=myinternaldomain,DC=local"
            AuthLDAPBindPassword "MYPWD"
            Require valid-user
        </Else>
    </DirectoryMatch>
“RemoteIPHeader” and “RemoteIPInternalProxy” are needed if you use a reverse proxy in front of your WebApp instance. In this example all clients from the subnet “192.168” will authenticate through Kerberos SSO, all others will authenticate through basic LDAP.
I strongly recommend using only HTTPS, no matter what config you are using. If your WebApp instance is available through the internet I strongly recommend using a reverse proxy with some security features; also a fail2ban service or a similar one must be in place. Let me know if you need more help regarding this configuration.
Regards
Richard -
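An added example to go with Richard's two configs (this is not code from the thread or from Kopano): a small Python helper that checks, without touching a server, the two things a practitioner would want to verify about them. First, from the WWW-Authenticate challenges of an unauthenticated 401 it tells whether the password fallback that “KrbMethodK5Passwd On” adds is visible from the outside (mod_auth_kerb sends “Negotiate” for SSO and a second “Basic realm=...” challenge only when the fallback is on). Second, it reproduces how mod_remoteip picks the client address from X-Forwarded-For and which <If>/<Else> branch of the second config that address would hit, so you can see why “RemoteIPInternalProxy” matters. The reverse proxy address 192.168.1.10, the probe() helper, and the sample header sets are assumptions for the example, not from the original post.

```python
"""Added example (not from the thread or from Kopano): offline checks for the
Apache Kerberos/Basic setups discussed above.

Assumptions (not in the original post): the reverse proxy is 192.168.1.10 and
the sample WWW-Authenticate values below are constructed, not captured.
"""
from __future__ import annotations

import http.client
import ipaddress
import re
import ssl
from urllib.parse import urlsplit

# mod_auth_kerb sends one challenge per header ("Negotiate", then
# "Basic realm=..." only when KrbMethodK5Passwd is on); other servers may fold
# several challenges into one comma-separated header, so accept both forms.
_SCHEME_RE = re.compile(r"(?:^|,)\s*([A-Za-z][\w.-]*)(?=[\s,]|$)")

# Constructed samples of what a 401 could carry (not captured from a server).
SAMPLE_SSO_ONLY = ["Negotiate"]                                            # KrbMethodK5Passwd Off
SAMPLE_WITH_FALLBACK = ["Negotiate", 'Basic realm="XXXInfo for userXXX"']  # KrbMethodK5Passwd On


def auth_methods(www_authenticate: list[str]) -> set[str]:
    """Return the lower-cased auth schemes named by the challenge values."""
    schemes: set[str] = set()
    for value in www_authenticate:
        schemes.update(s.lower() for s in _SCHEME_RE.findall(value))
    return schemes


def password_fallback_exposed(www_authenticate: list[str]) -> bool:
    """True when a password prompt (Basic) is offered next to Kerberos SSO."""
    return "basic" in auth_methods(www_authenticate)


def probe(url: str) -> list[str]:
    """Fetch the URL without credentials and return its WWW-Authenticate values.

    Live check for a deployed instance (hypothetical helper); the offline
    samples above do not use it.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443, context=ssl.create_default_context()
    )
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()


def effective_client_ip(peer: str, xff: str | None, internal_proxies: list[str]) -> str:
    """Client address as mod_remoteip derives it.

    Start from the TCP peer and keep taking the right-most X-Forwarded-For
    entry while the current address is one of RemoteIPInternalProxy.  A header
    arriving from a peer that is not a listed proxy is ignored, so a client on
    the internet cannot pick the Kerberos branch by sending a fake header.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in internal_proxies]
    client = ipaddress.ip_address(peer)
    chain = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while chain and any(client in net for net in trusted):
        try:
            client = ipaddress.ip_address(chain.pop())
        except ValueError:  # unparsable entry: stop walking the chain
            break
    return str(client)


def auth_branch(client_ip: str) -> str:
    """Which branch of the second config applies: -R '192.168' is 192.168.0.0/16."""
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network("192.168.0.0/16"):
        return "kerberos"
    return "ldap-basic"


if __name__ == "__main__":
    for name, headers in (("sso only", SAMPLE_SSO_ONLY), ("with fallback", SAMPLE_WITH_FALLBACK)):
        print(f"{name:14s} -> {sorted(auth_methods(headers))}, "
              f"password fallback exposed: {password_fallback_exposed(headers)}")
    proxies = ["192.168.1.10"]  # assumed RemoteIPInternalProxy
    for peer, xff in (("192.168.1.10", "192.168.1.20"),
                      ("192.168.1.10", "203.0.113.5"),
                      ("203.0.113.5", "192.168.1.20")):
        ip = effective_client_ip(peer, xff, proxies)
        print(f"peer {peer:13s} XFF {xff:13s} -> client {ip:13s} -> {auth_branch(ip)}")
```

Run it as a script to see the three proxy cases: a header relayed by the listed proxy is honoured, while the same header sent directly from a public address is dropped and that client stays on the LDAP/Basic branch. Against a real instance, `probe("https://my.website.com/webapp/")` returns the live challenges, and if “basic” shows up you know the password prompt (and the guessing surface that goes with it) is reachable from wherever you ran the probe.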
@darootler said in Login with valid username and any password possible:
“KrbMethodK5Passwd” is set to “On” by default. If you set this to “Off” there is no fallback to basic authentication.
Ah, yes indeed. This is the important piece here. The manual indeed specified this as “KrbMethodK5Passwd=off”, but to have a password fallback it needs to be set to “on”. I have removed this from the manual (as it's “on” in the default and there is no use defining it if you use the default value). Thanks for bringing it up.