OIDC - Authorization failed
-
OS: Debian 10
Kopano versions;
ii kopano-backup 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-client 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-common 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-dagent 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-dagent-pytils 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-gateway 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-grapi 10.5.0+0.f3e0f35-0+37.3 amd64 ii kopano-grapi-bin 10.5.0+0.f3e0f35-0+37.3 amd64 ii kopano-grapi-i18n 10.5.0+0.f3e0f35-0+37.3 all ii kopano-ical 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-kapid 0.15.0-0+343.2 amd64 ii kopano-konnectd 0.33.8-0+354.1 amd64 ii kopano-kwebd 0.12.4-0+315.1 amd64 ii kopano-kwmserverd 1.2.0-0+335.1 amd64 ii kopano-lang 10.0.6.502.8b8baeb2a-0+297.1 all ii kopano-meet 2.2.3-0+356.1 all ii kopano-meet-packages 2.2.3-0+356.1 all ii kopano-meet-webapp 2.2.3-0+356.1 all ii kopano-monitor 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-python-utils 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-python3-extras 0.2.0+0-0+56.1 amd64 ii kopano-search 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-server 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-server-packages 10.0.6.502.8b8baeb2a-0+297.1 all ii kopano-spamd 10.0.6.502.8b8baeb2a-0+275.1 amd64 ii kopano-spooler 10.0.6.502.8b8baeb2a-0+297.1 amd64 ii kopano-webapp 5.0.0.36+1917.1 all ii kopano-webapp-plugin-files 4.0.1.0+444.1 all ii libgsoap-kopano-2.8.102 2.8.102-0+1.3 amd64 ii libvmime-kopano3 0.9.2.96+3.8 amd64 ii python3-grapi.backend.kopano 10.5.0+0.f3e0f35-0+37.3 amd64 ii python3-kopano 10.0.6.502.8b8baeb2a-0+275.1 all ii python3-kopano-search 10.0.6.502.8b8baeb2a-0+275.1 all ii python3-kopano-utils 10.0.6.502.8b8baeb2a-0+275.1 all ii z-push-backend-kopano 2.6.0+0-0 all ii z-push-kopano 2.6.0+0-0 all
I just change the oidc_issuer_identifier in konnectd.cfg to my domain. And yes all on same server. Also i am using kweb not nginx or apache.
oidc_issuer_identifier=https://meet.domain.org
I follow this and a few other guides;
https://kb.kopano.io/display/WIKI/Kopano+One+on+Debian+10+-+quick+installation+instructions
Thank you!
-
@karif said in OIDC - Authorization failed:
Now i receive this error in log.
does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
-
@fbartels said in OIDC - Authorization failed:
@karif said in OIDC - Authorization failed:
Now i receive this error in log.
does that mean that kopano-server wasn’t configured for sso before? Is that still the same user session in Konnect or did you log out and back in again?
It could be worthwhile checking the logging of kopano-server.
No it was configured, i was just using ldap backend for konnectd on before. But now i am using kc backend. While i was using ldap backend i didnt receive any error but problem was same. Now atleast i am getting an error in logs after i switch to kc backend.
It was always same user.
I am suspecting that the ldap login name and expected login name by konnectd is not same. I am logging by username@domain.org and i set server.cfg this way but OIDC also expecting this format from me ?
storename_format = %f (%c) loginname_format = %u@%c
/etc/kopano/konnectd-identifier-scopes.yaml;
# This file contains additional scopes for Konnect. All of the scopes listed # here are made available to clients upon request if not limited by other means. --- scopes: kopano/kwm: description: "Access Kopano Meet" kopano/kvs: description: "Access Kopano Key Value Store" kopano/pubs: description: "Access Kopano Pub/Sub" kopano/gc: description: "Read and write your Kopano Groupware data"
Thanks
-
@karif said in OIDC - Authorization failed:
i was just using ldap backend for konnectd on before
yes, that would not work. Konnect needs to use the Kopano backend for SSO in Kopano WebApp (and the RestAPI, and kopano-server in general).
Usually the
loginname_format
is left untouched in hosted offerings, and ratherldap_loginname_attribute
is set to mail.But if you are planning on hosting other users data on that system (which the multi tenant configuration implies) I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds. On top if the above does not fix it for you you would have access to our support that could give your system a more closer look.
-
@fbartels Thanks for the advise Felix. I made the change;
ldap_loginname_attribute = mail
But it doesnt fix the problem…
I also changed;
/usr/share/kopano-webapp/config.phpdefine("LOGINNAME_STRIP_DOMAIN", true);
But it doesnt helped either.
“I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds”
I would like to build a stable multi-tenant kopano system with oidc authorization, is this not possible with your open source packages? Shall i get subscription for this ?
Also i cant find a proper guide to accomplished this, is it me who cant find it or there is not any ?
Last time i struggle like this when i setup my openstack cluster :) Documents are there but feel like many dots not connected. Logs are a bit vague if you are not familiar with kopano. Luckily we have forum and @fbartels on this forum :) .
As an opensource believer hope i can have a working kopano server soon.
Thanks
Karif
==> /var/log/kopano/php-mapi.log <== 2020-12-02T06:37:59.803700: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:37:59.803807: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:02.851056: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:02.851149: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:05.898950: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:05.899048: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:08.939214: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:08.939319: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:11.979627: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:11.979747: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827) 2020-12-02T06:38:15.023726: [error ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed 2020-12-02T06:38:15.023820: [error ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
-
Any advise will be appreciated.
@fbartels @longsleepThanks!
-Karif -
Change
enable_sso = true
to
enable_sso = yes
in your server config. I know its stupid and we will fix it eventually - but for now
yes
it is. Otherwise SSO is not enabled. -
@longsleep Not sure if i have to cry or smile :) . It worked! It took my 1 week. Thank you very much for the information, appreciated.
Is there any other place that i need to say yes instead of true? Or this is the only place?
Thanks,
Karif
-
@karif said in OIDC - Authorization failed:
Is there any other place that i need to say yes instead of true? Or this is the only place?
There are other settings which only check for
yes
unfortunately. -
@longsleep How can i find the list of them ?
Thanks
-
@karif said in OIDC - Authorization failed:
@longsleep How can i find the list of them ?
ThanksI am not aware of a real good way - so by looking at the source.
Something like
git grep 'yes' | grep -E 'strcmp|strcasecmp' ECtools/admin/admin.cpp: if (strcasecmp(response.c_str(), "y") != 0 && strcasecmp(response.c_str(), "yes") != 0) { common/ECChannel.cpp: if (strcmp(lpConfig->GetSetting("ssl_verify_client"), "yes") == 0) common/StatsClient.cpp: if (v == nullptr || strcasecmp(v, "yes") != 0) gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) gateway/IMAP.cpp: if (idle && strcmp(idle, "yes") == 0) gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/IMAP.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/POP3.cpp: if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0)) gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { gateway/POP3.cpp: if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) { provider/libserver/ECAttachmentStorage.cpp: m_sync_files = sync_files_par == nullptr || strcasecmp(sync_files_par, "yes") == 0; provider/libserver/ECSession.cpp: if (p != nullptr && strcasecmp(p, "yes") == 0) provider/libserver/cmd.cpp: if (!(lpszEnabled && strcasecmp(lpszEnabled, "yes") == 0)) provider/server/ECServer.cpp: if (strcmp(cfg->GetSetting("server_pipe_enabled"), "yes") == 0) { spooler/DAgent.cpp: y = strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0 || spooler/DAgent.cpp: auto save_all = parseBool(rawmsg) && (strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0); spooler/archive.cpp: if (strcmp(lib, "yes") == 0) spooler/mailer.cpp: else if (strcmp(g_lpConfig->GetSetting("allow_redirect_spoofing"), "yes") == 0 && spooler/mailer.cpp: if (strcmp(g_lpConfig->GetSetting("always_send_delegates"), "yes") == 0) { spooler/mailer.cpp: } else if(strcmp(g_lpConfig->GetSetting("allow_delegate_meeting_request"), "yes") == 0 && spooler/mailer.cpp: if (lpRepStore != nullptr && (strcmp(cts, "yes") == 0 ||
-
@longsleep said in OIDC - Authorization failed:
git grep ‘yes’ | grep -E ‘strcmp|strcasecmp’
This will help, thank you very much!
Karif
-
Glad i could help :)
-
@Karif You pinged me.
Anything i can do? or is it fixed now?
-
Hey @thctlo , already fixed. Thanks for check in :)