OIDC - Authorization failed

Karif

@fbartels Thanks for the advise Felix. I made the change;

ldap_loginname_attribute = mail

But it doesnt fix the problem…

I also changed;
/usr/share/kopano-webapp/config.php

define("LOGINNAME_STRIP_DOMAIN", true);

But it doesnt helped either.

“I would recommend against using the nightly builds and rather but a subscription to get access to actual release builds”

I would like to build a stable multi-tenant kopano system with oidc authorization, is this not possible with your open source packages? Shall i get subscription for this ?

Also i cant find a proper guide to accomplished this, is it me who cant find it or there is not any ?

Last time i struggle like this when i setup my openstack cluster :) Documents are there but feel like many dots not connected. Logs are a bit vague if you are not familiar with kopano. Luckily we have forum and @fbartels on this forum :) .

As an opensource believer hope i can have a working kopano server soon.

Thanks

Karif

==> /var/log/kopano/php-mapi.log <==
2020-12-02T06:37:59.803700: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:37:59.803807: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:02.851056: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:02.851149: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:05.898950: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:05.899048: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:08.939214: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:08.939319: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:11.979627: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:11.979747: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)
2020-12-02T06:38:15.023726: [error  ] HrLogon server "http://localhost:236/kopano" user "AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAwAAABZbVZtTTJJME5qUXRZemd3TkMweE1ETmhMVGcxTUdNdE1Ea3hZMk5oT1RZMlptSmsAAAAA": logon failed
2020-12-02T06:38:15.023820: [error  ] MAPI error: logon failed (80040111) (method: zif_mapi_logon_zarafa, line: 827)

Karif

Any advise will be appreciated.
@fbartels @longsleep

Thanks!
-Karif

longsleep

@karif

Change

enable_sso = true

to

enable_sso = yes

in your server config. I know its stupid and we will fix it eventually - but for now yes it is. Otherwise SSO is not enabled.

Karif

@longsleep Not sure if i have to cry or smile :) . It worked! It took my 1 week. Thank you very much for the information, appreciated.

Is there any other place that i need to say yes instead of true? Or this is the only place?

Thanks,

Karif

longsleep

@karif said in OIDC - Authorization failed:

Is there any other place that i need to say yes instead of true? Or this is the only place?

There are other settings which only check for yes unfortunately.

Karif

@longsleep How can i find the list of them ?

Thanks

longsleep

@karif said in OIDC - Authorization failed:

@longsleep How can i find the list of them ?
Thanks

I am not aware of a real good way - so by looking at the source.

Something like

git grep 'yes' | grep -E 'strcmp|strcasecmp'
ECtools/admin/admin.cpp:                if (strcasecmp(response.c_str(), "y") != 0 && strcasecmp(response.c_str(), "yes") != 0) {
common/ECChannel.cpp:   if (strcmp(lpConfig->GetSetting("ssl_verify_client"), "yes") == 0)
common/StatsClient.cpp: if (v == nullptr || strcasecmp(v, "yes") != 0)
gateway/IMAP.cpp:               if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0)
gateway/IMAP.cpp:               if (idle && strcmp(idle, "yes") == 0)
gateway/IMAP.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/IMAP.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp:               if (!(!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0))
gateway/POP3.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
gateway/POP3.cpp:       if (!lpChannel->UsingSsl() && lpChannel->sslctx() && plain && strcmp(plain, "yes") == 0 && lpChannel->peer_is_local() <= 0) {
provider/libserver/ECAttachmentStorage.cpp:     m_sync_files = sync_files_par == nullptr || strcasecmp(sync_files_par, "yes") == 0;
provider/libserver/ECSession.cpp:       if (p != nullptr && strcasecmp(p, "yes") == 0)
provider/libserver/cmd.cpp:     if (!(lpszEnabled && strcasecmp(lpszEnabled, "yes") == 0))
provider/server/ECServer.cpp:   if (strcmp(cfg->GetSetting("server_pipe_enabled"), "yes") == 0) {
spooler/DAgent.cpp:     y = strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0 ||
spooler/DAgent.cpp:                     auto save_all = parseBool(rawmsg) && (strcasecmp(rawmsg, "all") == 0 || strcasecmp(rawmsg, "yes") == 0);
spooler/archive.cpp:    if (strcmp(lib, "yes") == 0)
spooler/mailer.cpp:     else if (strcmp(g_lpConfig->GetSetting("allow_redirect_spoofing"), "yes") == 0 &&
spooler/mailer.cpp:                     if (strcmp(g_lpConfig->GetSetting("always_send_delegates"), "yes") == 0) {
spooler/mailer.cpp:                     } else if(strcmp(g_lpConfig->GetSetting("allow_delegate_meeting_request"), "yes") == 0 &&
spooler/mailer.cpp:     if (lpRepStore != nullptr && (strcmp(cts, "yes") == 0 ||

Karif

@longsleep said in OIDC - Authorization failed:

git grep ‘yes’ | grep -E ‘strcmp|strcasecmp’

This will help, thank you very much!

Karif

longsleep

@karif

Glad i could help :)

thctlo

@Karif You pinged me.

Anything i can do? or is it fixed now?

Karif

Hey @thctlo , already fixed. Thanks for check in :)