OIDC - Authorization failed
-
Hello,
I am trying to set up SSO/OIDC for my Kopano setup but I am failing at authorization. I couldn't find anything meaningful in the logs, at least for me.
After I log in to WebApp I am getting this error:
Authorization failed
Logon failed. Please verify your credentials and try again.
I am also attaching the screenshot. You will notice that the sign-out button appears, so I assume I did sign in to Kopano?
Please advise.
Thanks
Karif
-
@karif did you configure kopano-server for OpenID SSO?
-
Thank you for the reply @fbartels
Now I receive this error in the log.
/var/log/syslog:
Dec 1 10:40:39 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw
Dec 1 10:40:40 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw
Dec 1 10:40:40 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend refresh session failed: kc identifier backend sso logon failed: KCERR_LOGON_FAILED (Logon Failed) (KC:0x80000009)" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAkAAABNV1ZsTTJJNFlqWXRZemMwWWkweE1ETmhMVGxqTlRRdFpqazRPR1ZrTnpBd1lUa3cAAAAA id=MWVlM2I4YjYtYzc0Yi0xMDNhLTljNTQtZjk4OGVkNzAwYTkw
Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="kc identifier backend logon" abeid=AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA id=YmVmM2I0NjQtYzgwNC0xMDNhLTg1MGMtMDkxY2NhOTY2ZmJk ref="identifier-kc:-:YmVmM2I0NjQtYzgwNC0xMDNhLTg1MGMtMDkxY2NhOTY2ZmJk" session="Session(1581284045969739298@R6gRlBNaSdaFwjsv8aq6lg==)" username=user1@domain.org
Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true
Dec 1 10:40:42 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true
Dec 1 10:40:43 mail kopano-konnectd[1417]: level=debug msg="identifier client lookup" client_id=webapp-meet.domain.org known=false redirect_uri="https://meet.domain.org/webapp/#oidc-callback" trusted=true
/etc/kopano/server.cfg:
server_listen = *%lo:236
server_listen_tls = *%lo:237
server_ssl_key_file = /etc/kopano/ssl/server.pem
server_ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
mysql_user = kopanodbadmin
mysql_password = pass
local_admin_users = root kopano
log_file = /var/log/kopano/server.log
log_level = 5
attachment_storage = s3
attachment_s3_hostname = s3-eu-central-1.amazonaws.com
attachment_s3_region = eu-central-1
attachment_s3_protocol = https
attachment_s3_uristyle = path
attachment_s3_accesskeyid =
attachment_s3_secretaccesskey =
attachment_s3_bucketname = kopano-mail
attachment_path = attachments
user_plugin = ldap
user_plugin_config = /etc/kopano/ldap.cfg
enable_sso = true
server_hostname = meet.domain.org
kcoidc_issuer_identifier = https://meet.domain.org
enable_hosted_kopano = true
storename_format = %f (%c)
loginname_format = %u@%c
enable_gab = yes
hide_everyone = yes
hide_system = yes
sync_gab_realtime = yes
search_enabled = yes
search_socket = file:///var/run/kopano/search.sock
search_timeout = 10
disabled_features = pop3
/etc/kopano/ldap.cfg:
!include /usr/share/kopano/ldap.openldap.cfg
ldap_uri = ldap://127.0.0.1:389
ldap_bind_user = cn=admin,dc=hosted,dc=local
ldap_bind_passwd = pass
ldap_search_base = dc=hosted,dc=local
ldap_last_modification_attribute = modifyTimestamp
ldap_user_type_attribute_value = kopano-user
ldap_group_type_attribute_value = kopano-group
ldap_user_search_filter = (objectClass=kopano-user)
ldap_user_unique_attribute = entryUUID
ldap_group_search_filter = (objectClass=kopano-group)
ldap_company_search_filter = (objectClass=kopano-company)
ldap_quota_multiplier = 1048576
user.ldif:
dn: uid=user1,ou=domain.org,dc=hosted,dc=local
objectClass: posixAccount
objectClass: top
objectClass: kopano-user
objectClass: inetOrgPerson
gidNumber: 1101
cn: User1 Surname
mail: user1@domain.org
uidNumber: 1101
homeDirectory: /home/user1
kopanoAliases: root@domain.org
kopanoUserServer: kopano
uid: user1
kopanoAccount: 1
kopanoAdmin: 0
sn: Surname
userPassword: pass
kopanoQuotaOverride: 1
kopanoEnabledFeatures: mobile outlook webapp imap
kopanoDisabledFeatures: pop3
kopanoQuotaWarn: 10000000000
kopanoQuotaSoft: 11000000000
kopanoQuotaHard: 12000000000
Thanks for the help!
-Karif
-
@karif how is Konnect configured? Is it all on the same server? Which versions are you using? Which OS?
-
OS: Debian 10
Kopano versions:
ii kopano-backup 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii kopano-client 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-common 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-dagent 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-dagent-pytils 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii kopano-gateway 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-grapi 10.5.0+0.f3e0f35-0+37.3 amd64
ii kopano-grapi-bin 10.5.0+0.f3e0f35-0+37.3 amd64
ii kopano-grapi-i18n 10.5.0+0.f3e0f35-0+37.3 all
ii kopano-ical 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-kapid 0.15.0-0+343.2 amd64
ii kopano-konnectd 0.33.8-0+354.1 amd64
ii kopano-kwebd 0.12.4-0+315.1 amd64
ii kopano-kwmserverd 1.2.0-0+335.1 amd64
ii kopano-lang 10.0.6.502.8b8baeb2a-0+297.1 all
ii kopano-meet 2.2.3-0+356.1 all
ii kopano-meet-packages 2.2.3-0+356.1 all
ii kopano-meet-webapp 2.2.3-0+356.1 all
ii kopano-monitor 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-python-utils 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii kopano-python3-extras 0.2.0+0-0+56.1 amd64
ii kopano-search 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii kopano-server 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-server-packages 10.0.6.502.8b8baeb2a-0+297.1 all
ii kopano-spamd 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii kopano-spooler 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii kopano-webapp 5.0.0.36+1917.1 all
ii kopano-webapp-plugin-files 4.0.1.0+444.1 all
ii libgsoap-kopano-2.8.102 2.8.102-0+1.3 amd64
ii libvmime-kopano3 0.9.2.96+3.8 amd64
ii python3-grapi.backend.kopano 10.5.0+0.f3e0f35-0+37.3 amd64
ii python3-kopano 10.0.6.502.8b8baeb2a-0+275.1 all
ii python3-kopano-search 10.0.6.502.8b8baeb2a-0+275.1 all
ii python3-kopano-utils 10.0.6.502.8b8baeb2a-0+275.1 all
ii z-push-backend-kopano 2.6.0+0-0 all
ii z-push-kopano 2.6.0+0-0 all
I just changed the oidc_issuer_identifier in konnectd.cfg to my domain. And yes, all on the same server. Also I am using kweb, not nginx or Apache.
oidc_issuer_identifier=https://meet.domain.org
I followed this and a few other guides:
https://kb.kopano.io/display/WIKI/Kopano+One+on+Debian+10+-+quick+installation+instructions
Thank you!
-
@karif said in OIDC - Authorization failed:
Now I receive this error in the log.
Does that mean that kopano-server wasn't configured for SSO before? Is that still the same user session in Konnect, or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
-
@fbartels said in OIDC - Authorization failed:
@karif said in OIDC - Authorization failed:
Now I receive this error in the log.
Does that mean that kopano-server wasn't configured for SSO before? Is that still the same user session in Konnect, or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
No, it was configured; I was just using the LDAP backend for konnectd before. But now I am using the kc backend. While I was using the LDAP backend I didn't receive any error, but the problem was the same. Now at least I am getting an error in the logs after I switched to the kc backend.
It was always the same user.
I suspect that the LDAP login name and the login name expected by konnectd are not the same. I am logging in with username@domain.org and I set server.cfg this way, but is OIDC also expecting this format from me?
storename_format = %f (%c)
loginname_format = %u@%c
/etc/kopano/konnectd-identifier-scopes.yaml:
# This file contains additional scopes for Konnect. All of the scopes listed
# here are made available to clients upon request if not limited by other means.
---
scopes:
  kopano/kwm:
    description: "Access Kopano Meet"
  kopano/kvs:
    description: "Access Kopano Key Value Store"
  kopano/pubs:
    description: "Access Kopano Pub/Sub"
  kopano/gc:
    description: "Read and write your Kopano Groupware data"
Thanks
-
@karif said in OIDC - Authorization failed:
I was just using the LDAP backend for konnectd before
Yes, that would not work. Konnect needs to use the Kopano backend for SSO in Kopano WebApp (and the RestAPI, and kopano-server in general).
Usually the loginname_format is left untouched in hosted offerings, and rather ldap_loginname_attribute is set to mail.
But if you are planning on hosting other users' data on that system (which the multi-tenant configuration implies), I would recommend against using the nightly builds and rather buy a subscription to get access to actual release builds. On top of that, if the above does not fix it for you, you would have access to our support, which could give your system a closer look.
-
@fbartels Thanks for the advice Felix. I made the change:
ldap_loginname_attribute = mail
But it doesn't fix the problem…
I also changed:
/usr/share/kopano-webapp/config.php
define("LOGINNAME_STRIP_DOMAIN", true);
But it didn't help either.
"I would recommend against using the nightly builds and rather buy a subscription to get access to actual release builds"
I would like to build a stable multi-tenant Kopano system with OIDC authorization; is this not possible with your open source packages? Shall I get a subscription for this?
Also, I can't find a proper guide to accomplish this; is it me who can't find it, or is there not any?
The last time I struggled like this was when I set up my OpenStack cluster :) Documents are there but it feels like many dots are not connected. Logs are a bit vague if you are not familiar with Kopano. Luckily we have the forum and @fbartels on this forum :) .
As an open source believer I hope I can have a working Kopano server soon.
Thanks
Karif
==> /var/log/kopano/php-mapi.log <==
2020-12-02T06:37:59.803700: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:37:59.803807: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:02.851056: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:02.851149: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:05.898950: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:05.899048: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:08.939214: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:08.939319: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:11.979627: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:11.979747: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:15.023726: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:15.023820: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
-
Any advice will be appreciated.
@fbartels @longsleep Thanks!
-Karif
-
Change
enable_sso = true
to
enable_sso = yes
in your server config. I know it's stupid and we will fix it eventually, but for now yes it is. Otherwise SSO is not enabled.
-
@longsleep Not sure if I have to cry or smile :) . It worked! It took me 1 week. Thank you very much for the information, appreciated.
Is there any other place where I need to say yes instead of true? Or is this the only place?
Thanks,
Karif
-
@karif said in OIDC - Authorization failed:
Is there any other place where I need to say yes instead of true? Or is this the only place?
There are other settings which only check for yes, unfortunately.
-
@longsleep How can I find the list of them?
Thanks
-
@karif said in OIDC - Authorization failed:
@longsleep How can I find the list of them?
Thanks
I am not aware of a really good way, so by looking at the source.
Something like
git grep 'yes' | grep -E 'strcmp|strcasecmp'
ECtools/admin/admin.cpp: if (strcasecmp(response.c_str(), "y") != 0 && strcasecmp(response.c_str(), "yes") != 0) {
common/ECChannel.cpp: if (strcmp(lpConfig->GetSetting("ssl_verify_client"), "yes") == 0)
common/StatsClient.cpp: if (v == nullptr || strcasecmp(v, "yes") != 0)
gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0)
gateway/IMAP.cpp: if (idle && strcmp(idle, "yes") == 0)
gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp: if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0))
gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
provider/libserver/ECAttachmentStorage.cpp: m_sync_files = sync_files_par == nullptr || strcasecmp(sync_files_par, "yes") == 0;
provider/libserver/ECSession.cpp: if (p != nullptr && strcasecmp(p, "yes") == 0)
provider/libserver/cmd.cpp: if (!(lpszEnabled && strcasecmp(lpszEnabled, "yes") == 0))
provider/server/ECServer.cpp: if (strcmp(cfg->GetSetting("server_pipe_enabled"), "yes") == 0) {
spooler/DAgent.cpp: y = strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0 ||
spooler/DAgent.cpp: auto save_all = parseBool(rawmsg) && (strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0);
spooler/archive.cpp: if (strcmp(lib, "yes") == 0)
spooler/mailer.cpp: else if (strcmp(g_lpConfig->GetSetting("allow_redirect_spoofing"), "yes") == 0 &&
spooler/mailer.cpp: if (strcmp(g_lpConfig->GetSetting("always_send_delegates"), "yes") == 0) {
spooler/mailer.cpp: } else if(strcmp(g_lpConfig->GetSetting("allow_delegate_meeting_request"), "yes") == 0 &&
spooler/mailer.cpp: if (lpRepStore != nullptr && (strcmp(cts, "yes") == 0 ||
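The root cause in this thread (enable_sso = true silently treated as disabled because the server compares the value against the literal "yes") can be caught before a restart with a small config linter. The following is an added example, not Kopano's code; its list of strict-"yes" keys is an assumption drawn from the grep output above, and the sample server.cfg excerpt is constructed.

```python
"""Lint Kopano-style .cfg files for booleans that a strcmp(..., "yes") check rejects.

Added example, not Kopano code. The key list is an assumption taken from the
settings visible in this thread; extend it from your own `git grep` output.
"""
import re

# Settings this thread shows being compared against the literal "yes" (assumed list).
STRICT_YES_KEYS = {
    "enable_sso", "server_pipe_enabled", "ssl_verify_client",
    "allow_redirect_spoofing", "always_send_delegates",
    "allow_delegate_meeting_request",
}
# Spellings an admin might use for "on" that such a check silently treats as "off".
BOOL_SYNONYMS = {"true", "1", "on", "enable", "enabled", "y"}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_cfg(text):
    """Return {key: value} from `key = value` lines; skip blanks, comments, !include."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint_strict_yes(settings):
    """Return sorted (key, value) pairs that mean 'on' to a human but not to strcmp."""
    return [(k, settings[k]) for k in sorted(STRICT_YES_KEYS & settings.keys())
            if settings[k].lower() in BOOL_SYNONYMS]


# Constructed sample modelled on the server.cfg posted in this thread.
SAMPLE_CFG = """\
# server.cfg (constructed excerpt)
server_pipe_enabled = yes
enable_sso = true
server_hostname = meet.domain.org
"""

if __name__ == "__main__":
    for key, value in lint_strict_yes(parse_cfg(SAMPLE_CFG)):
        print(f'{key} = {value}: the server only accepts "yes", so this stays disabled')
```

Run it against /etc/kopano/server.cfg (replace SAMPLE_CFG with the file contents) before restarting kopano-server; a clean run means no known strict-"yes" key carries a value the server would ignore.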
-
@longsleep said in OIDC - Authorization failed:
git grep 'yes' | grep -E 'strcmp|strcasecmp'
This will help, thank you very much!
Karif
-
Glad I could help :)
-
@Karif You pinged me.
Anything I can do? Or is it fixed now?
-
Hey @thctlo, already fixed. Thanks for checking in :)