OIDC - Authorization failed

fbartels

@karif how is konnect configured. is it all on the same server? Which versions are you using? which os?

Karif

OS: Debian 10

Kopano versions;

ii  kopano-backup                 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii  kopano-client                 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-common                 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-dagent                 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-dagent-pytils          10.0.6.502.8b8baeb2a-0+275.1 amd64
ii  kopano-gateway                10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-grapi                  10.5.0+0.f3e0f35-0+37.3      amd64
ii  kopano-grapi-bin              10.5.0+0.f3e0f35-0+37.3      amd64
ii  kopano-grapi-i18n             10.5.0+0.f3e0f35-0+37.3      all  
ii  kopano-ical                   10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-kapid                  0.15.0-0+343.2               amd64
ii  kopano-konnectd               0.33.8-0+354.1               amd64
ii  kopano-kwebd                  0.12.4-0+315.1               amd64
ii  kopano-kwmserverd             1.2.0-0+335.1                amd64
ii  kopano-lang                   10.0.6.502.8b8baeb2a-0+297.1 all  
ii  kopano-meet                   2.2.3-0+356.1                all  
ii  kopano-meet-packages          2.2.3-0+356.1                all  
ii  kopano-meet-webapp            2.2.3-0+356.1                all  
ii  kopano-monitor                10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-python-utils           10.0.6.502.8b8baeb2a-0+275.1 amd64
ii  kopano-python3-extras         0.2.0+0-0+56.1               amd64
ii  kopano-search                 10.0.6.502.8b8baeb2a-0+275.1 amd64
ii  kopano-server                 10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-server-packages        10.0.6.502.8b8baeb2a-0+297.1 all  
ii  kopano-spamd                  10.0.6.502.8b8baeb2a-0+275.1 amd64
ii  kopano-spooler                10.0.6.502.8b8baeb2a-0+297.1 amd64
ii  kopano-webapp                 5.0.0.36+1917.1              all  
ii  kopano-webapp-plugin-files    4.0.1.0+444.1                all  
ii  libgsoap-kopano-2.8.102       2.8.102-0+1.3                amd64
ii  libvmime-kopano3              0.9.2.96+3.8                 amd64
ii  python3-grapi.backend.kopano  10.5.0+0.f3e0f35-0+37.3      amd64
ii  python3-kopano                10.0.6.502.8b8baeb2a-0+275.1 all  
ii  python3-kopano-search         10.0.6.502.8b8baeb2a-0+275.1 all  
ii  python3-kopano-utils          10.0.6.502.8b8baeb2a-0+275.1 all  
ii  z-push-backend-kopano         2.6.0+0-0                    all  
ii  z-push-kopano                 2.6.0+0-0                    all

I just change the oidc_issuer_identifier in konnectd.cfg to my domain. And yes all on same server. Also i am using kweb not nginx or apache.

oidc_issuer_identifier=https://meet.domain.org

I follow this and a few other guides;

https://kb.kopano.io/display/WIKI/Kopano+One+on+Debian+10+-+quick+installation+instructions

Thank you!

fbartels

@karif said in OIDC - Authorization failed:

Now i receive this error in log.

does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?

It could be worthwhile checking the logging of kopano-server.

Karif

@fbartels said in OIDC - Authorization failed:

@karif said in OIDC - Authorization failed:

Now i receive this error in log.

does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?

It could be worthwhile checking the logging of kopano-server.

No it was configured, i was just using ldap backend for konnectd on before. But now i am using kc backend. While i was using ldap backend i didnt receive any error but problem was same. Now atleast i am getting an error in logs after i switch to kc backend.

It was always same user.

I am suspecting that the ldap login name and expected login name by konnectd is not same. I am logging by username@domain.org and i set server.cfg this way but OIDC also expecting this format from me ?

storename_format = %f (%c)
loginname_format = %u@%c

/etc/kopano/konnectd-identifier-scopes.yaml;

# This file contains additional scopes for Konnect. All of the scopes listed
# here are made available to clients upon request if not limited by other means.

---
scopes:
  kopano/kwm:
    description: "Access Kopano Meet"

  kopano/kvs:
    description: "Access Kopano Key Value Store"

  kopano/pubs:
    description: "Access Kopano Pub/Sub"
  
  kopano/gc:
    description: "Read and write your Kopano Groupware data"

Thanks

fbartels

@karif said in OIDC - Authorization failed:

i was just using ldap backend for konnectd on before

yes, that would not work. Konnect needs to use the Kopano backend for SSO in Kopano WebApp (and the RestAPI, and kopano-server in general).

Usually the loginname_format is left untouched in hosted offerings, and rather ldap_loginname_attribute is set to mail.

But if you are planning on hosting other users data on that system (which the multi tenant configuration implies) I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds. On top if the above does not fix it for you you would have access to our support that could give your system a more closer look.

Karif

@fbartels Thanks for the advise Felix. I made the change;

ldap_loginname_attribute = mail

But it doesnt fix the problem…

I also changed;
/usr/share/kopano-webapp/config.php

define("LOGINNAME_STRIP_DOMAIN", true);

But it doesnt helped either.

“I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds”

I would like to build a stable multi-tenant kopano system with oidc authorization, is this not possible with your open source packages? Shall i get subscription for this ?

Also i cant find a proper guide to accomplished this, is it me who cant find it or there is not any ?

Last time i struggle like this when i setup my openstack cluster :) Documents are there but feel like many dots not connected. Logs are a bit vague if you are not familiar with kopano. Luckily we have forum and @fbartels on this forum :) .

As an opensource believer hope i can have a working kopano server soon.

Thanks

Karif

==> /var/log/kopano/php-mapi.log <==
2020-12-02T06:37:59.803700: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:37:59.803807: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:02.851056: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:02.851149: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:05.898950: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:05.899048: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:08.939214: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:08.939319: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:11.979627: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:11.979747: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:15.023726: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:15.023820: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)

Karif

Any advise will be appreciated.
@fbartels @longsleep

Thanks!
-Karif

longsleep

@karif

Change

enable_sso = true

to

enable_sso = yes

in your server config. I know its stupid and we will fix it eventually - but for now yes it is. Otherwise SSO is not enabled.

Karif

@longsleep Not sure if i have to cry or smile :) . It worked! It took my 1 week. Thank you very much for the information, appreciated.

Is there any other place that i need to say yes instead of true? Or this is the only place?

Thanks,

Karif

longsleep

@karif said in OIDC - Authorization failed:

Is there any other place that i need to say yes instead of true? Or this is the only place?

There are other settings which only check for yes unfortunately.

Karif

@longsleep How can i find the list of them ?

Thanks

longsleep

@karif said in OIDC - Authorization failed:

@longsleep How can i find the list of them ?
Thanks

I am not aware of a real good way - so by looking at the source.

Something like

git grep 'yes' | grep -E 'strcmp|strcasecmp'
ECtools/admin/admin.cpp:                if (strcasecmp(response.c_str(), "y") != 0 && strcasecmp(response.c_str(), "yes") != 0) {
common/ECChannel.cpp:   if (strcmp(lpConfig->GetSetting("ssl_verify_client"), "yes") == 0)
common/StatsClient.cpp: if (v == nullptr || strcasecmp(v, "yes") != 0)
gateway/IMAP.cpp:               if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0)
gateway/IMAP.cpp:               if (idle && strcmp(idle, "yes") == 0)
gateway/IMAP.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/IMAP.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp:               if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0))
gateway/POP3.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
provider/libserver/ECAttachmentStorage.cpp:     m_sync_files = sync_files_par == nullptr || strcasecmp(sync_files_par, "yes") == 0;
provider/libserver/ECSession.cpp:       if (p != nullptr && strcasecmp(p, "yes") == 0)
provider/libserver/cmd.cpp:     if (!(lpszEnabled && strcasecmp(lpszEnabled, "yes") == 0))
provider/server/ECServer.cpp:   if (strcmp(cfg->GetSetting("server_pipe_enabled"), "yes") == 0) {
spooler/DAgent.cpp:     y = strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0 ||
spooler/DAgent.cpp:                     auto save_all = parseBool(rawmsg) && (strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0);
spooler/archive.cpp:    if (strcmp(lib, "yes") == 0)
spooler/mailer.cpp:     else if (strcmp(g_lpConfig->GetSetting("allow_redirect_spoofing"), "yes") == 0 &&
spooler/mailer.cpp:                     if (strcmp(g_lpConfig->GetSetting("always_send_delegates"), "yes") == 0) {
spooler/mailer.cpp:                     } else if(strcmp(g_lpConfig->GetSetting("allow_delegate_meeting_request"), "yes") == 0 &&
spooler/mailer.cpp:     if (lpRepStore != nullptr && (strcmp(cts, "yes") == 0 ||

Karif

@longsleep said in OIDC - Authorization failed:

git grep ‘yes’ | grep -E ‘strcmp|strcasecmp’

This will help, thank you very much!

Karif

longsleep

@karif

Glad i could help :)

thctlo

@Karif You pinged me.

Anything i can do? or is it fixed now?

Karif

Hey @thctlo , already fixed. Thanks for check in :)