Not able to get Webapp working fully with Konnectd over TCP



  • So I’ve been struggling with this now for many days, hunting down various errors, having to manually create the user store for the users and so on. But in the end, I’m now completely stuck. So I have all the components up and running to some extent. I was able to log in… once. However, logging out didn’t work: selecting it got me to the Goodbye screen, but from there going back to /webapp still opened the full UI, with access to everything, not just cached or anything. Waiting a while, letting the token time out, and going to /webapp, well, now I am logged out, but Webapp seems to be unaware of this fact as it tries to log in with the old token. This results in the console error that, of course, I’m not logged in:

    oidc signin silent failed ErrorResponse: IdentifierIdentityManager: not signed in
        at new ErrorResponse (ErrorResponse.js:14)
        at ResponseValidator._processSigninParams (ResponseValidator.js:104)
        at ResponseValidator.validateSigninResponse (ResponseValidator.js:29)
        at OidcClient.js:113
    

    With an HTTP code of 500 for /webapp/ as the response code.

    The webapp logs have multiple errors; the only thing I can understand from them seems to indicate not being able to open a store… But why is it even trying to open a store here? It should be presenting me with a login.

    10.45.0.1 - - [04/May/2020:11:04:14 +0000] "GET /webapp/ HTTP/1.1" 500 2317647
    10.45.0.1 - - [04/May/2020:11:04:15 +0000] "POST /webapp/kopano.php?service=fingerprint HTTP/1.1" 200 0
    10.45.0.1 - - [04/May/2020:11:04:15 +0000] "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1" 200 0
    10.45.0.1 - - [04/May/2020:11:04:16 +0000] "GET /webapp/?oidc-silent-refresh HTTP/1.1" 200 2306220
    [ERROR 0 /webapp/] PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(116): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(357): MAPISession->getUser()
    #4 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(366): MAPISession->getDisabledFeatures()
    #5 /usr/share/kopano-webapp/index.php(203): MAPISession->isWebappDisableAsFeature()
    #6 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/core/class.settings.php(92): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/server/includes/core/class.settings.php(120): Settings->Init()
    #4 /usr/share/kopano-webapp/server/includes/core/class.settings.php(505): Settings->get('zarafa/v1/main/...', 'en_US.UTF-8')
    #5 /usr/share/kopano-webapp/index.php(221): Settings->getSessionSettings(Object(Language))
    #6 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/util.php(622): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/index.php(283): updateHierarchyCounters()
    #4 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/util.php(218): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/index.php(287): cleanSearchFolders()
    #4 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(1052): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/server/includes/templates/serverinfo.php(3): MAPISession->getServerVersion()
    #4 /usr/share/kopano-webapp/server/includes/templates/webclient.php(3): include('/usr/share/kopa...')
    #5 /usr/share/kopano-webapp/index.php(293): include('/usr/share/kopa...')
    #6 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(145): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(313): MAPISession->retrieveUserData()
    #4 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(404): MAPISession->getFullName()
    #5 /usr/share/kopano-webapp/server/includes/templates/webclient.php(120): MAPISession->getUserInfo()
    #6 /usr/share/kopano-webapp/index.php(293): include('/usr/share/kopa...')
    #7 {main}PHP message: Failed to open store with entryid PHP message: MAPIException: MAPI error  in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:584
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(584): mapi_openmsgstore(Resource id #1, '\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...')
    #1 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(483): MAPISession->openMessageStore('\x00\x00\x00\x008\xA1\xBB\x10\x05\xE5\x10\x1A\xA1\xBB\x08...', 'Default store')
    #2 /usr/share/kopano-webapp/server/includes/core/class.properties.php(136): MAPISession->getDefaultMessageStore()
    #3 /usr/share/kopano-webapp/server/includes/core/class.properties.php(71): Properties->getStore()
    #4 /usr/share/kopano-webapp/server/includes/core/class.properties.php(811): Properties->Init()
    #5 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(152): Properties->getAddressBookItemMailuserProperties()
    #6 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(313): MAPISessi...PHP message: PHP Fatal error:  Uncaught Exception: Method getGivenName does not exist given_name in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php:390
    Stack trace:
    #0 /usr/share/kopano-webapp/server/includes/core/class.mapisession.php(410): MAPISession->__call('getGivenName', Array)
    #1 /usr/share/kopano-webapp/server/includes/templates/webclient.php(120): MAPISession->getUserInfo()
    #2 /usr/share/kopano-webapp/index.php(293): include('/usr/share/kopa...')
    #3 {main}
      thrown in /usr/share/kopano-webapp/server/includes/core/class.mapisession.php on line 390
    10.45.0.1 - - [04/May/2020:11:05:50 +0000] "GET /webapp/ HTTP/1.1" 500 2317647
    10.45.0.1 - - [04/May/2020:11:05:52 +0000] "POST /webapp/kopano.php?service=fingerprint HTTP/1.1" 200 0
    10.45.0.1 - - [04/May/2020:11:05:52 +0000] "GET /webapp/client/resources/images/favicon.ico?kv2.2.0 HTTP/1.1" 200 1150
    10.45.0.1 - - [04/May/2020:11:05:52 +0000] "POST /webapp/kopano.php?service=fingerprint&type=keepalive HTTP/1.1" 200 0
    10.45.0.1 - - [04/May/2020:11:05:52 +0000] "GET /webapp/?oidc-silent-refresh HTTP/1.1" 200 2306220
    

    Server only gives two lines of log for it.

    2020-05-04T12:04:13.978998: [debug  ] Accepted incoming SSL connection on 10.42.0.3
    2020-05-04T12:04:13.989204: [error  ] KCOIDC validate error 264
    

    And konnectd logs nothing. Not sure if that’s because it’s not even connected to or what, but communication does work. I can even use a different browser, and log in. But as soon as it’s been logged in, it cannot log out, and ends up in the same state in the end.

    Any ideas as to what config I’ve messed up? I’m completely out of ideas here :/
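The symptom described above (the client retrying with an old token after it has timed out) is what a relying party must catch at claim level before it ever tries to open a store. The following is an added illustration, not code from this thread or from Kopano: a stdlib-only check of the `iss`, `aud`, `exp` and `nbf` claims of an ID token, with the issuer URL, client id and timestamps constructed for the example. Signature verification against the issuer's JWKS is assumed to happen before these checks and is deliberately out of scope here.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    # Constructed test data only: a JWT-shaped string with an empty signature.
    # A real token from the issuer carries a signature that must be verified first.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_id_token_claims(token: str, issuer: str, client_id: str,
                             now: float = None, leeway: int = 0):
    """Return (ok, reason) for the claim-level checks a relying party must do.

    Checks, in order: token shape, issuer match, audience contains the client id,
    presence and freshness of `exp`, and `nbf` if present. `leeway` (seconds)
    tolerates small clock skew between issuer and relying party.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "payload not decodable"
    if not isinstance(claims, dict):
        return False, "payload is not a claims object"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now > exp + leeway:
        return False, "token expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        return False, "token not yet valid"
    return True, "ok"


# Constructed issuer, audience and clock for the worked cases below (hypothetical values).
ISSUER = "https://konnect.example.test"
CLIENT_ID = "kopano-webapp"
NOW = 1588590000  # constructed reference time


def worked_cases() -> dict:
    """Run the claim checks over constructed tokens; returns {case: reason}."""
    base = {"iss": ISSUER, "aud": CLIENT_ID, "iat": NOW, "sub": "user1"}
    cases = {
        "fresh": dict(base, exp=NOW + 300),
        "expired": dict(base, exp=NOW - 10),          # the stale token being retried
        "skew_ok": dict(base, exp=NOW - 10),          # same token, accepted with leeway
        "wrong_issuer": dict(base, iss="https://other.example.test", exp=NOW + 300),
        "wrong_audience": dict(base, aud=["some-other-client"], exp=NOW + 300),
        "no_exp": dict(base),
    }
    results = {}
    for name, claims in cases.items():
        leeway = 60 if name == "skew_ok" else 0
        results[name] = validate_id_token_claims(
            make_unsigned_token(claims), ISSUER, CLIENT_ID, now=NOW, leeway=leeway)[1]
    results["garbage"] = validate_id_token_claims("not.a.jwt", ISSUER, CLIENT_ID, now=NOW)[1]
    return results


if __name__ == "__main__":
    for case, reason in worked_cases().items():
        print(f"{case:15s} -> {reason}")
```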


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    Hunting down various various errors, having to manually create the user store for the users and so on

    There was an error in a nightly build a while back where stores would not be auto created. Are you still on that version? Which versions (kopano-server, kopano-webapp, kopano-konnect) are you using at all?

    I just did a quick test with the containers produced through (which also auto configured sso via Konnect) and could successfully log in and out with the latest containers.



  • Using the latest images on dockerhub so that’s not the issue at least. More specifically, it’s using:

    kopano/kopano_core 4e4c34e51b32a935f5dfc4a2d73cfbc5da8169da99023be0ade7482150e2e9ca
    kopano/kopano_konnect b465e0245e2c6016eb7985b432b27d3b4c87651aa2c69944a777c76989b11fbd
    kopano/kopano_webapp 3787e3f46faa79becd2cb067b6678192c972c952ebcf7c895ec1d4cff7771b82
    

    These all correspond(ed) to the :latest tag (up until a few seconds ago as of this writing since I see a new image was pushed to core at least). What versions of kopano that corresponds to behind that, I’m not entirely sure.



  • Ok so I’ve updated to the latest image now as well and tested, and still the same. I did notice now though that after logging out, even though it does let me in, the dev tools console still has the error that I’m not logged in. So it is detecting to some extent that I’m not logged in anymore. It just for some reason is letting me in anyway:

    (index):22089 oidc signin silent failed ErrorResponse: IdentifierIdentityManager: not signed in
        at new ErrorResponse (ErrorResponse.js:14)
        at ResponseValidator._processSigninParams (ResponseValidator.js:104)
        at ResponseValidator.validateSigninResponse (ResponseValidator.js:29)
        at OidcClient.js:113
    

  • Kopano

    Hi @EtherMan,

    Ah, based on your earlier posts I was 100% expecting that you are building your own containers. Can you share your configuration?



  • server.cfg:

    root@kopano-server-586845f56b-lr2qg:/kopano/path# cat /tmp/kopano/server.cfg
    # See the kopano-server.cfg(5) manpage for details and more directives.
    
    # If a directive is not used (i.e. commented out), the built-in server default
    # is used, so to disable certain features, the empty string value must explicitly be
    # set on them.
    
    # Space-separated list of address:port specifiers with optional %interface
    # infix for where the server should listen for connections.
    server_listen = 0.0.0.0:236
    server_listen_tls = 0.0.0.0:237
    server_ssl_key_file = /certs/server/combo.pem
    #server_ssl_key_pass =
    server_ssl_ca_file = /certs/ca/ca.crt
    #server_ssl_ca_path =
    #server_tls_min_proto = tls1.2
    # Path of SSL Public keys of clients
    sslkeys_path = /certs/clients/
    
    # Name for identifying the server in a multi-server environment. Need
    # not be a DNS name, but this name needs to be present on a LDAP
    # kopano-server object's cn value.
    server_name = kopano
    # Multi-server
    #enable_distributed_kopano = false
    database_engine = mysql
    mysql_host = mysql-cluster1.pxc
    mysql_port = 3306
    mysql_user = kopano
    mysql_password = <hidden>
    mysql_database = kopano
    
    # Allow connections from normal users through the Unix socket
    #allow_local_users = yes
    
    # Space-separated list of users that are considered Kopano admins.
    local_admin_users = root kopano
    
    #log_method = auto
    #log_file = -
    # Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
    log_level = 6
    #log_timestamp = yes
    
    # Attachment backend driver type: "database", "files", "files_v2", "s3"
    #attachment_storage = files
    #attachment_path = /var/lib/kopano/attachments
    
    #attachment_s3_hostname = s3-eu-west-1.amazonaws.com
    # The region where the bucket is located, e.g. "eu-west-1"
    #attachment_s3_region =
    # The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
    #attachment_s3_protocol =
    # The URL style of the bucket, "virtualhost" or "path"
    #attachment_s3_uristyle =
    # The access key id of your S3 account
    #attachment_s3_accesskeyid =
    # The secret access key of your S3 account
    #attachment_s3_secretaccesskey =
    # The bucket name in which the files will be stored
    #attachment_s3_bucketname =
    
    # User backend driver type: "db", "unix", "ldap"
    user_plugin = ldap
    #user_plugin_config = /etc/kopano/ldap.cfg
    enable_sso = yes
    # Hostname override for Kerberos SSO
    server_hostname = <hidden>
    
    # scripts which create stores for users from an external source
    #createuser_script = /usr/lib/kopano/userscripts/createuser
    #deleteuser_script = /usr/lib/kopano/userscripts/deleteuser
    #creategroup_script = /usr/lib/kopano/userscripts/creategroup
    #deletegroup_script = /usr/lib/kopano/userscripts/deletegroup
    #createcompany_script = /usr/lib/kopano/userscripts/createcompany
    #deletecompany_script = /usr/lib/kopano/userscripts/deletecompany
    # Skip creation/deletion of users for testing purposes, instead log it.
    #user_safe_mode = no
    
    # Multi-tenancy
    #enable_hosted_kopano = false
    # Display format of store name
    # Allowed variables:
    #  %u Username
    #  %f Full name
    #  %c Tenant's name
    storename_format = %u
    
    # Loginname format for multi-tenancy installations
    # When the user does not login through a system-wide unique
    # username (like the email address) a unique name is created
    # by combining the username and the tenantname.
    # With this configuration option you can set how the
    # loginname should be built up.
    #
    # Note: Do not use the = character in the format.
    #
    # Allowed variables:
    #  %u Username
    #  %c Tenantname
    #
    #loginname_format = %u
    
    #enable_gab = yes
    # Whether to hide/show the special GAB "Everyone" group that contains
    # every user and group for non-admins.
    hide_everyone = yes
    # Whether to hide/show the special GAB "SYSTEM" user for non-admins.
    #hide_system = yes
    # Synchronize GAB users on every open of the GAB (otherwise, only on
    # kopano-admin --sync)
    #sync_gab_realtime = yes
    
    # Use indexing service for faster searching.
    # Enabling this option requires kopano-indexd or kopano-search to be active.
    #search_enabled = yes
    search_socket = https://kopano-search:239
    #search_timeout = 10
    
    # Disable features for users. This list is space separated.
    # Currently valid values: imap pop3 mobile outlook webapp
    disabled_features = imap pop3
    
    coredump_enabled = false
    audit_log_enabled = yes
    enable_sql_procedures = yes
    softdelete_lifetime = 7
    attachment_compression = 0
    system_email_address = postmaster@<hidden>
    restrict_admin_permissions = yes
    kcoidc_issuer_identifier = https://<hidden>
    embedded_attachment_limit = 10
    server_pipe_enabled = true
    session_ip_check = no
    

    config.php:

    <?php
            // The config file for the webapp.
            // All possible web client settings can be set in this file. Some settings
            // (language) can also be set per user or logon.
    
            // Comment next line to disable the config check (or set FALSE to log the config errors)
            define("CONFIG_CHECK", TRUE);
    
            // Use these options to optionally disable some PHP configuration checks.
            // WARNING: these checks will disable checks regarding the security of the WebApp site configuration,
            // only change them if you know the consequences - improper use will lead to an insecure installation!
            define("CONFIG_CHECK_COOKIES_HTTP", FALSE);
            define("CONFIG_CHECK_COOKIES_SSL", FALSE);
    
            // Depending on your setup, it might be advisable to change the lines below to one defined with your
            // default socket location.
            // Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
            // Examples:    define('DEFAULT_SERVER', 'https://kopano-server:237');
            //      define('DEFAULT_SERVER', 'https://kopano-server:237');
            //      define('DEFAULT_SERVER', 'https://kopano-server:237');
            //      define('DEFAULT_SERVER', 'https://kopano-server:237');
            define('DEFAULT_SERVER', 'https://kopano-server:237');
    
            // When using a single-signon system on your webserver, but Kopano Core is on another server
            // you can use https to access the Kopano server, and authenticate using an SSL certificate.
            define('SSLCERT_FILE', '/certs/webapp/combo.pem');
            define('SSLCERT_PASS', '');
    
            // Set to true to disable login with Single Sign-On (SSO) on SSO environments.
            define("DISABLE_REMOTE_USER_LOGIN", false);
    
            // OIDC Server Configuration, introduced in Kopano Core 8.7.0
            define('OIDC_ISS', '<hidden>');
            define('OIDC_CLIENT_ID', 'kopano-webapp');
            define('OIDC_SCOPE', 'openid profile email kopano/gc');
    
            // set to 'true' to strip domain from login name found from Single Sign-On webservers
            define("LOGINNAME_STRIP_DOMAIN", false);
    
            // Name of the cookie that is used for the session
            define('COOKIE_NAME', 'KOPANO_WEBAPP');
    
            // Set to 'true' to disable secure session cookies and to allow log-in without HTTPS.
            define('INSECURE_COOKIES', true);
    
            // Use Kopano Core for HTML filtering, introduced in 8.5.0
            define("KC_FILTERED_BODY", false);
    
            // Use DOMPurify to filter HTML
            define("ENABLE_DOMPURIFY_FILTER", false);
    
            // The timeout (in seconds) for the session. User will be logged out of WebApp
            // when he has not actively used the WebApp for this time.
            // Set to 0 (or remove) for no timeout during browser session.
            define("CLIENT_TIMEOUT", 0);
    
            // Defines the domains from which cross domain authentication requests
            // are allowed. E.g. if WebMeetings runs under a different domain than
            // the WebApp then add this domain here. Add http(s):// to the domains
            // and separate domains with spaces.
            // Set to empty string (default) to only allow authentication requests
            // from within the same domain.
            // Set to "*" to allow authentication requests from any domain. (not
            // recommended)
            define('CROSS_DOMAIN_AUTHENTICATION_ALLOWED_DOMAINS', 'https://<hidden>');
    
            // Defines the domains to which redirection after login is allowed.
            // Add http(s):// to the domains and separate domains with spaces.
            // Note: The domain under which WebApp runs, is always allowed and does
            // not need to be added here.
            define("REDIRECT_ALLOWED_DOMAINS", "");
    
            // Defines the base url and end with a slash.
            $base_url = dirname($_SERVER["PHP_SELF"]);
            if(substr($base_url,-1)!="/") $base_url .="/";
            define("BASE_URL", $base_url);
    
            // Defines the temp path (absolute). Here uploaded attachments will be saved.
            // The web client doesn't work without this directory.
            define("TMP_PATH", "/var/lib/kopano-webapp/tmp");
    
            // Define the path to the plugin directory (No slash at the end)
            define("PATH_PLUGIN_DIR", "plugins");
    
            // Enable the plugins
            define("ENABLE_PLUGINS", true);
    
            // Define list of disabled plugins separated by semicolon
            // Plugin directory name should be used in this list.
            define("DISABLED_PLUGINS_LIST", "");
    
            // Define a list of plugins that cannot be disabled by users.
            // Plugins should be separated by a semicolon (;). A wildcard (*)
            // can be used to identify multiple plugins.
            // Plugin directory name should be used in this list.
            define("ALWAYS_ENABLED_PLUGINS_LIST", "");
    
            // General WebApp theme. This will be loaded by default for every user
            // (if the theme is installed as a plugin)
            // Users can override the 'logged-in' theme in the settings.
            define("THEME", "");
    
            // General WebApp icon set. This will be loaded by default for every user.
            // Users can override the iconset in the settings.
            define("ICONSET", "breeze");
    
            // The title that will be shown in the title bar of the browser
            define("WEBAPP_TITLE", "Kopano WebApp");
    
            // Set addressbook for GAB not to show any users unless searching for a specific user
            define("DISABLE_FULL_GAB", false);
    
            // Set a maximum number of (search) results for the addressbook
            // When more results are found no results will be displayed in the client.
            // Set to 0 to disable this feature and show all results.
            define("MAX_GAB_RESULTS", 0);
    
            // Set true to hide public contact folders in address-book folder list,
            // false will show public contact folders in address-book folder list.
            define('DISABLE_PUBLIC_CONTACT_FOLDERS', false);
    
            // Set true to show public folders in hierarchy, false will disable public folders in hierarchy.
            define("ENABLE_PUBLIC_FOLDERS", true);
    
            // Set true to hide shared contact folders in address-book folder list,
            // false will show shared contact folders in address-book folder list.
            define('DISABLE_SHARED_CONTACT_FOLDERS', false);
    
            // Set to true to give users the option to enable conversation view in their settings
            // Set to false to hide the setting and disable conversation view for all users
            define("ENABLE_CONVERSATION_VIEW", false);
    
            // Set to true to give users the possibility to edit, create, and delete mail filters on the store
            // of other users. The user needs owner permissions on the store of the other user.
            define('ENABLE_SHARED_RULES', true);
    
            // Booking method (true = direct booking, false = send meeting request)
            define("ENABLE_DIRECT_BOOKING", true);
    
            // Enable GZIP compression for responses
            define("ENABLE_RESPONSE_COMPRESSION", true);
    
            // When set to true this disables the welcome screen to be shown for first time users.
            define('DISABLE_WELCOME_SCREEN', true);
    
            // Set to true to disable the "What's new dialog" that will be shown to users to introduce new features.
            define("DISABLE_WHATS_NEW_DIALOG", false);
    
            // When set to false it will disable showing of advanced settings.
            define('ENABLE_ADVANCED_SETTINGS', true);
    
            // Freebusy start offset that will be used to load freebusy data in appointments, number is subtracted from current time
            define("FREEBUSY_LOAD_START_OFFSET", 7);
    
            // Freebusy end offset that will be used to load freebusy data in appointments, number is added to current time
            define("FREEBUSY_LOAD_END_OFFSET", 90);
    
            // Maximum eml files to be included in a single ZIP archive
            define("MAX_EML_FILES_IN_ZIP", 50);
    
            // Set true to default soft delete the shared store items
            define("ENABLE_DEFAULT_SOFT_DELETE", false);
    
            // Additional color schemes for the calendars can be added by uncommenting and editing the following define.
            // The format is the same as the format of COLOR_SCHEMES which is defined in default.php
            // To change the default colors, COLOR_SCHEMES can also be defined here.
            // Note: Every color should have a unique name, because it is used to identify the color
            // define("ADDITIONAL_COLOR_SCHEMES", json_encode(array(
            //              array(
            //                      'name' => 'pink',
            //                      'displayName' => _('Pink'),
            //                      'base' => '#ff0099'
            //              )
            // )));
    
            // Additional categories can be added by uncommenting and editing the following define.
            // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
            // To change the default categories, DEFAULT_CATEGORIES can also be defined here.
            // Note: Every category should have a unique name, because it is used to identify the category
            // define("ADDITIONAL_CATEGORIES", json_encode(array(
            //              array(
            //                      'name' => _('Family'),
            //                      'color' => '#000000',
            //                      'quickAccess' => true,
            //                      'sortIndex' => 10
            //              )
            // )));
    
            // Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
            // define("CONTACT_PREFIX", json_encode(array(
            //      array(_('Er.')),
            //      array(_('Gr.'))
            // )));
    
            // Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
            // define("CONTACT_SUFFIX", json_encode(array(
            //      array(_('A')),
            //      array(_('B'))
            // )));
    
            // Define the polling interval in minutes for unread mail in shared stores.
            define("SHARED_STORE_POLLING_INTERVAL", 15);
    
            // Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds
            // defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero
            // disables this feature.
            define("PREFETCH_EMAIL_COUNT", 10);
    
            // Define the interval between loading of new emails in the background.
            define("PREFETCH_EMAIL_INTERVAL", 30);
    
            /**************************************\
            * Memory usage and timeouts            *
            \**************************************/
    
            // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
            ini_set("max_execution_time", 300); // 5 minutes
    
            // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
            define("BLOCK_SIZE", 1048576);
    
            // Time that static files may exist in the client's cache (13 weeks)
            define("EXPIRES_TIME", 60*60*24*7*13);
    
            // Time that the state files are allowed to survive (in seconds)
            // For filesystems on which relatime is used, this value should be larger than the relatime_interval
            // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
            // 24 hours.
            define("STATE_FILE_MAX_LIFETIME", 28*60*60);
    
            // Time that attachments are allowed to survive (in seconds)
            define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60);
    
            /**********************************************************************************
             *  Logging settings
             *
             *  Possible LOG_USER_LEVEL values are:
             *  LOGLEVEL_OFF            - no logging
             *  LOGLEVEL_FATAL          - log only critical errors
             *  LOGLEVEL_ERROR          - logs events which might require corrective actions
             *  LOGLEVEL_WARN           - might lead to an error or require corrective actions in the future
             *  LOGLEVEL_INFO           - usually completed actions
             *  LOGLEVEL_DEBUG          - debugging information, typically only meaningful to developers
             *
             *  The verbosity increases from top to bottom. More verbose levels include less verbose
             *  ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
             *  LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
             *
             **************************************************************************************/
            define('LOG_USER_LEVEL', 'LOGLEVEL_WARN');
    
            // To save e.g. user activity data only for selected users, provide the username followed by semicolon.
            // The data will be saved into a dedicated file per user in the LOG_FILE_DIR
            // Users have to be encapsulated in quotes, several users are semicolon separated, like:
            // define('LOG_USERS', 'user1;user2;user3');
            define("LOG_USERS", "");
    
            // Location of the log directory
            // e.g /var/log/webapp-userslog/users/
            // The directory will be created when it does not exist.
            // Webserver user should have permissions to write in this folder
            define("LOG_FILE_DIR", "");
    
            /**************************************\
            * Languages                            *
            \**************************************/
    
            // Location to the translations
            define("LANGUAGE_DIR", "server/language/");
    
            // Defines the default interface language. This can be overridden by the user.
            if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") {
                    define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
            } else {
                    define('LANG', 'en_US.UTF-8'); // default fallback language
            }
    
            // List of languages that should be enabled in the logon
            // screen's language drop down.  Languages should be specified
            // using <languagecode>_<regioncode>[.UTF-8], and separated with
            // semicolon.  A list of available languages can be found in
            // the manual or by looking at the list of directories in
            // /usr/share/kopano-webapp/server/language .
            define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_TW");
    
            // Defines the default time zone
            if (!ini_get('date.timezone')) {
                    date_default_timezone_set('Europe/Amsterdam');
            }
    
            /**************************************\
            * Powerpaste                           *
            \**************************************/
    
            // Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions
            // for more details.
            define("POWERPASTE_WORD_IMPORT", "merge");
            define("POWERPASTE_HTML_IMPORT", "merge");
            define("POWERPASTE_ALLOW_LOCAL_IMAGES", true);
    
            /**************************************\
            * Debugging                            *
            \**************************************/
    
            // Do not log errors into stdout, since this generates faulty JSON responses.
            ini_set("display_errors", false);
    
            ini_set("log_errors", true);
            error_reporting(E_ERROR);
    
            // Log successful logins
            define("LOG_SUCCESSFUL_LOGINS", false);
    
            if (file_exists('debug.php')) {
                    include_once('debug.php');
            } else {
                    // define empty dump function in case we still use it somewhere
                    function dump(){}
            }
    ?>
    

    Konnectd isn’t using a config file for some reason, but this is the command line it uses.

    konnectd serve --signing-private-key=/extras/konnectd-signing-private-key.pem --encryption-secret=/extras/konnectd-encryption-secret.key --identifier-registration-conf /cm/konnectd-identifier-registration.yaml --identifier-scopes-conf /etc/kopano/konnectd-identifier-scopes.yaml --iss=https://<hidden> --log-level=debug kc
    

    konnectd-identifier-registration.yaml

    clients:
      - id: kopano-webapp
        trusted: yes
        application_type: web
        redirect_uris:
          - https://<hidden>/webapp/
          - https://<hidden>/webapp/index.php
          - https://<hidden>/webapp/index.php?logout
          - https://<hidden>/webapp/oidc-silent-refresh.php
        origins:
          - https://<hidden>/webapp
    

    Hopefully I’ve censored all the sensitive stuff and only the sensitive stuff. And that those are all the configs used. Don’t remember any more off the top of my head at least :/


  • Kopano

    Hi @EtherMan,

    This is the reason you get logged in without having a Token from Konnect:

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    define('SSLCERT_FILE', '/certs/webapp/combo.pem');

    WebApp uses the ssl certificate to log into your server. The "When using a single-signon" comment only applies when authentication is enforced on the webserver level, e.g. when using mod_kerberos or shibboleth.

    You only need to remove the cert and should be fine afterwards.

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    konnectd-identifier-registration.yaml

    This is technically not necessary when <hidden> is also the domain that is set as the issuer in Konnect. Apps running on the same domain are automatically trusted.
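As an added example (not WebApp's or Kopano's own code), a small audit of the config.php setting discussed above: it pulls the define() lines out of a config fragment and flags a client certificate configured next to OIDC user login. The sample config lines are constructed, and OIDC_ISSUER is assumed to be the name of WebApp's issuer setting.

```python
import re

# Matches one-line define('NAME', value); statements as written in config.php.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(?P<value>.+?)\s*\)\s*;""",
    re.MULTILINE,
)

# Constructed fragments. SSLCERT_FILE is the setting quoted in this thread;
# OIDC_ISSUER is assumed to be WebApp's issuer setting (not verified here).
CONFIG_WITH_CERT = """
define('SSLCERT_FILE', '/certs/webapp/combo.pem');
define('OIDC_ISSUER', 'https://oidc.example.test');
define("LOG_USERS", "");
define("POWERPASTE_ALLOW_LOCAL_IMAGES", true);
"""

CONFIG_FIXED = """
define('SSLCERT_FILE', NULL);
define('OIDC_ISSUER', 'https://oidc.example.test');
"""


def parse_defines(php_source: str) -> dict:
    """Return {NAME: value}; strings are unquoted, true/false/NULL are typed."""
    out = {}
    for m in DEFINE_RE.finditer(php_source):
        raw = m.group("value")
        if raw[0] in "'\"" and raw[-1] == raw[0]:
            out[m.group("name")] = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            out[m.group("name")] = raw.lower() == "true"
        elif raw.lower() == "null":
            out[m.group("name")] = None
        else:
            out[m.group("name")] = raw  # an expression; kept verbatim
    return out


def audit_auth_settings(defines: dict) -> list:
    """Flag the combination seen in this thread: client cert plus OIDC login."""
    findings = []
    cert = defines.get("SSLCERT_FILE")
    issuer = defines.get("OIDC_ISSUER")
    if cert and issuer:
        findings.append(
            "SSLCERT_FILE set together with OIDC: WebApp authenticates itself to "
            "kopano-server with the certificate, so the server trusts the username "
            "WebApp passes and no password is checked (as observed in this thread)."
        )
    elif cert:
        findings.append(
            "SSLCERT_FILE set without OIDC: only appropriate when the webserver "
            "itself enforces authentication (e.g. Kerberos or Shibboleth)."
        )
    return findings
```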



  • Eh? Now you’re making me REALLY confused here. So without that line… How does Webapp communicate with Server? It also doesn’t match description since description basically says it’s needed when using SSO (which I am since I’m using konnectd), and speak to the kopano-server using SSL, which I am.

    Testing it with that line removed though, does work in so far as it still allows me to log in… Though I’m not sure why it would allow that. It has had absolutely zero effect on what happens after logging out though. It has made one change it seems though. I’m now getting an error in konnectd that `time="2020-05-05T12:17:44Z" level=debug msg="IdentifierIdentityManager: id_token_hint does not match request" error="invalid origin: https://<webapp base domain url>"`


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    It also doesn’t match description since description basically says it’s needed when using SSO (which I am since I’m using konnectd), and speak to the kopano-server using SSL,

    The important part comes after the above two statements: “and authenticate using an SSL certificate.” You don’t authenticate with an ssl certificate when doing an oidc login. You actually authenticate through oidc. And like I said before, login with an ssl certificate is only needed when your webserver is your gatekeeper (e.g. when using kerberos or saml). Although I have not checked, I would be surprised if the documentation tells you something different.

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    https://<webapp base domain url>

    So is <webapp base domain url> the same domain that you have Konnect listening under? Is it the same domain that you have previously masked with <hidden>?



  • Err… The Webapp system is authing using SSL certs no? Every other component is after all. And I don’t get what you mean by webserver being the gatekeeper… Ofc it is? It’s the webserver serving the content so ofc it’s the gatekeeper? That would be the case regardless of who or what is lending you to the key.

    And webapp base domain url and all <hidden> domains are the same domain, but not all the same subdomains. Konnect is on oidc.domain.tld while webapp is on webapp.domain.tld, server on kopano.domain.tld


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    The Webapp system is authing using SSL certs no?

    No. The users authenticate through oidc. It is not WebApp that is authenticating itself to the server (which is what components such as dagent or search are doing).

    Ok just pretend I did not say “domain”, but “fully qualified domain name”. You must use the precise domain and any subdomain or toplevel domain in the identifier registration.



  • Right, so fqdn. Then those are different… But so then, what is needed to be different? The issuer identifier in Server, is oidc.domain.tld. The issuer identifier in konnect is oidc.domain.tld, the issuer identifier in webapp is oidc.domain.tld, the konnectd-identifier-registration.yaml urls, are all webapp.domain.tld. Though technically, I’d prefer components not communicating in between them over those urls because then they go over the reverse proxy, so just more points of failures. Hence why they’re defined with just the internal hostnames of kopano-server in that case. The invalid origin line of the log from konnect though, does not even have the /webapp at the end though, but I’ve not specified any such url anywhere.


  • Kopano

    It needs to be a publicly reachable domain, because that is what users use to reach WebApp and make use of oidc.



  • Hmm… I tried adding another origin to the konnectd-identifier-registration.yaml without the /webapp at the end… And now it works to log out it seems. I got that file layout from the guides somewhere though which didn’t have any entry for without /webapp

    So much confusing stuff in this. It’s still not auto creating stores for users though. So have to manually go into the server container and run kopano-cli commands, which randomly fail, and when they fail, I have to detach, delete and recreate the store because it creates them in a faulty state for whatever reason… It’s weird… But for now at least, it works.

    And webapp and oidc are both publicly accessible domains. And server is also on a publicly accessible domain. Webapp and konnectd just isn’t speaking to server over that.
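As an added example (not konnectd's own code) of the origin mismatch worked out above: a browser's Origin header is only scheme, host and port, so an `origins` entry that carries a `/webapp` path can never match it. The registration below is constructed to mirror the YAML posted earlier with the masked host replaced by a placeholder, and the exact-comparison check is an assumption consistent with the "invalid origin" error, not konnectd's actual implementation.

```python
from urllib.parse import urlsplit

# Constructed to mirror the registration posted in this thread; the masked host
# is replaced by a placeholder, not the real deployment.
WEBAPP_CLIENT = {
    "id": "kopano-webapp",
    "trusted": True,
    "application_type": "web",
    "redirect_uris": [
        "https://webapp.example.test/webapp/",
        "https://webapp.example.test/webapp/index.php",
        "https://webapp.example.test/webapp/index.php?logout",
        "https://webapp.example.test/webapp/oidc-silent-refresh.php",
    ],
    # Registered with a path, exactly as in the original file.
    "origins": ["https://webapp.example.test/webapp"],
}

# Same client with the origin the browser actually sends (no path).
FIXED_CLIENT = dict(WEBAPP_CLIENT, origins=["https://webapp.example.test"])

DEFAULT_PORTS = {"https": 443, "http": 80}


def web_origin(url: str) -> str:
    """Serialize the web origin of a URL: scheme://host[:port], never a path.

    This is what a browser puts in the Origin header for any page on that host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def registration_problems(client: dict) -> list:
    """Lint the origins list: an entry with a path or query can never match."""
    problems = []
    for origin in client.get("origins", []):
        p = urlsplit(origin)
        if p.path not in ("", "/") or p.query or p.fragment:
            problems.append(
                f"origin {origin!r} carries a path; the browser sends {web_origin(origin)!r}"
            )
    return problems


def origin_allowed(client: dict, request_origin: str) -> bool:
    """Exact comparison of the Origin header against registered origins.

    Assumption: konnectd compares exactly; this matches the error in the
    thread but is not taken from its source.
    """
    return request_origin in client.get("origins", [])


def redirect_uri_allowed(client: dict, redirect_uri: str) -> bool:
    """OpenID Connect requires an exact match against a registered redirect_uri."""
    return redirect_uri in client.get("redirect_uris", [])
```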



  • Hmm nope. No no no no… Very very wrong now. Two major errors. Logging in and out currently works (sort of). But first issue is that passwords are not verified… Like, at all. As long as username is provided, it logs you in as that user regardless of password provided. The second issue is that while it works in Brave, Chrome and Firefox, Internet Explorer does not.

    Navigation Event Separator
    
    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    identifier
    HTML1300: Navigation occurred.
    webapp
    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    identifier
    UserManager.ctor: monitorSession is configured, setting up session monitor
    WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
    OidcClient.clearStaleState
    WebStorageStateStore.getAllKeys
    WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
    UserManager._loadUser: no user storageString
    State.clearStaleState: got keys 90bfa86e086f45ab9622a73e06a8de4c,b5939eabb4524f6dbf5bc5b878a8eb22,3fe4607b89af4b4cb9b386c926f5624c,040c38c35ea84605b3497181cec670f8,ebfd152f0a8e43ac86ccf3a4364ebaf5
       "State.clearStaleState: got keys"
       [
          0: "90bfa86e086f45ab9622a73e06a8de4c",
          1: "b5939eabb4524f6dbf5bc5b878a8eb22",
          2: "3fe4607b89af4b4cb9b386c926f5624c",
          3: "040c38c35ea84605b3497181cec670f8",
          4: "ebfd152f0a8e43ac86ccf3a4364ebaf5",
          length: 5
       ]
    
    WebStorageStateStore.get 90bfa86e086f45ab9622a73e06a8de4c
    WebStorageStateStore.get b5939eabb4524f6dbf5bc5b878a8eb22
    WebStorageStateStore.get 3fe4607b89af4b4cb9b386c926f5624c
    WebStorageStateStore.get 040c38c35ea84605b3497181cec670f8
    WebStorageStateStore.get ebfd152f0a8e43ac86ccf3a4364ebaf5
    State.clearStaleState: waiting on promise count: 5
    UserManager._loadUser: no user storageString
    UserManager.getUser: user not found in storage
    State.fromStorageString
    State.clearStaleState: got item from key:  90bfa86e086f45ab9622a73e06a8de4c 1588690106
    State.clearStaleState: removed item for key:  90bfa86e086f45ab9622a73e06a8de4c
    WebStorageStateStore.remove 90bfa86e086f45ab9622a73e06a8de4c
    State.fromStorageString
    State.clearStaleState: got item from key:  b5939eabb4524f6dbf5bc5b878a8eb22 1588690944
    State.fromStorageString
    State.clearStaleState: got item from key:  3fe4607b89af4b4cb9b386c926f5624c 1588690954
    State.fromStorageString
    State.clearStaleState: got item from key:  040c38c35ea84605b3497181cec670f8 1588690997
    State.fromStorageString
    State.clearStaleState: got item from key:  ebfd152f0a8e43ac86ccf3a4364ebaf5 1588691007
    UserManager.getUser: user not found in storage
    WebStorageStateStore.get user:https://oidc.domain.tld:kopano-webapp
    UserManager._loadUser: no user storageString
    UserManager._signinStart: got navigator window handle
    OidcClient.createSigninRequest
    MetadataService.getMetadataProperty for: authorization_endpoint
    MetadataService.getMetadata: getting metadata from https://oidc.domain.tld/.well-known/openid-configuration
    JsonService.getJson, url:  https://oidc.domain.tld/.well-known/openid-configuration
    JsonService.getJson: HTTP response received, status 200
    MetadataService.getMetadata: json received
    MetadataService.getMetadataProperty: metadata recieved
    OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
    SigninState.toStorageString
    WebStorageStateStore.set 8093038336874e04847b6bee5349a740
    UserManager._signinStart: got signin request
    IFrameWindow.navigate: Using timeout of: 10000
    SCRIPT1002: Syntax error
    webapp (22066,31)
    IFrameWindow.timeout
    IFrameWindow: cleanup
    Frame window timed out
    UserManager._signinStart: Error after preparing navigator, closing navigator window
    oidc signin silent failed Error: Frame window timed out
       "oidc signin silent failed"
       {
          [functions]: ,
          __proto__: { },
          description: "Frame window timed out",
          message: "Frame window timed out",
          name: "Error",
          stack: "Error: Frame window timed out
       at Anonymous function (https://webapp.domain.tld/webapp/:21341:17)
       at run (https://webapp.domain.tld/webapp/:13361:13)
       at Anonymous function (https://webapp.domain.tld/webapp/:13378:30)
       at flush (https://webapp.domain.tld/webapp/:9195:9)"
       }
    
    Navigation Event Separator
    
    oidc signin silent did not return a user
    UserManager._signinStart: got navigator window handle
    OidcClient.createSigninRequest
    MetadataService.getMetadataProperty for: authorization_endpoint
    MetadataService.getMetadata: Returning metadata from settings
    MetadataService.getMetadataProperty: metadata recieved
    OidcClient.createSigninRequest: Received authorization endpoint https://oidc.domain.tld/signin/v1/identifier/_/authorize
    SigninState.toStorageString
    WebStorageStateStore.set ba0f70623489445ba330a55be4c0b43e
    UserManager._signinStart: got signin request
    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    webapp
    HTML1300: Navigation occurred.
    authorize
    UserManager.signinRedirect: successful
    oidc signing redirect undefined
    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    webapp
    Kopano Identifier build version: 0.33.0
    Kopano Kpop build version: 2.2.0
    SCRIPT5009: 'Promise' is undefined
    main.23aaf6b8.chunk.js (1,384)
    
    

    The errors keep getting weirder and weirder @fbartels >_<


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    but Internet Explorer does not.

    Who still wants to use Internet Explorer?

    You have not specified it above but my bet would be that you also use an SSL client certificate in Konnect. In that case the described behaviour is expected (you have seen the exact same with WebApp if you remember).

    You only need an SSL certificate for services that need to authenticate themselves. In Konnect the user provides the authentication.



  • Ok that did indeed solve that one. Though I don’t quite understand this… Because basically, this means Server is accepting and speaking with… Well, anything? As in, anyone could set up say a webapp server that serves from my server, even if they themselves don’t even have an account? I understand they wouldn’t have user access to actually log in without an account and such, but it seems a pretty big deal to me that just anyone is allowed to set up frontends nilly willy. Especially considering that’s essentially giving people permission to do mitm attacks against users, with a live system that for all intents and purposes does work. Different components should auth themselves, as themselves, and have user authentication done inside of that authentication :/

    As for who wants to use IE. Well, my parents do for one. I’m not about to teach two 80+ year olds about the wonders of new browsers. You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    Because basically, this means Server is accepting and speaking with… Well, anything?

    Yeah. Just like connecting with an imap server, a webserver. If you can reach it, you can authenticate, you can use it. If you don’t want others to connect to it, you need to close it to the external world.

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    You’re not going to tell me that konnectd doesn’t work for IE are you? Please don’t >_<

    https://documentation.kopano.io/support_lifecycle_policy/webapp_support_lifecycle.html#browser-support



  • Oh yea, it’s Edge that is the normal browser in Windows these days. And that works. Will have to check if they perhaps use that these days or they really are still using IE. Same icon so what is IE to them, may actually be Edge. Though “WebApp is supported for all production versions of Firefox, Chrome, Internet Explorer, Edge and Safari” does indicate that IE should still be supported, since it still is being shipped and updated.

    As for imap comparison. The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself. If I set up a Webapp frontend, I’m letting other users authenticate as themselves, to another service. A service I don’t need any account to in order to set up Webapp for. As in, there is no “you can authenticate”, because without client certificates being used by webapp to auth itself, setting up webapp does NOT require you to authenticate yourself to kopano, it just requires that the user wanting to log in does. And closing it to the world isn’t an option, since ofc, I still need to have my own webapp.


  • Kopano

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    Though “[…]” does indicate that IE should still be supported, since it still is being shipped and updated.

    Have a look at the bottom note.

    @EtherMan said in Not able to get Webapp working fully with Konnectd over TCP:

    The difference there is that if I use an IMAP client, I authenticate to the server, as myself, for myself

    Not quite. You can also install e.g. roundcube on a server and as long as the server has the php imap module you can use this roundcube to log into the imap server that the admin configured in its configuration file.

    I don’t fully understand your argument. Additionally you could host your own webapp at a location where this port can be reached, it just does not need to be publicly reachable.

