[horde] Horde ActiveSync and Client Certificates

Michael J Rubinsky mrubinsk at horde.org
Sat Aug 24 13:49:25 UTC 2013


Quoting Christian Felsing <pug at felsing.net>:

> Hello,
>
> I got an authentication problem on ActiveSync if client certificates
> should be used. Horde accepts clients certs with following config and
> takes login name from HTTP_SSL_CLIENT_S_DN_EMAIL which contains e-mail
> address from user. This works with Horde itself, imp, kronolith and
> others w/o problems.

This config is for 'Auto' authentication, with requestuser = false, so
as-is, this will cause everyone to be logged in as 'Administrator'. I
assume you are running a hook that you did not mention?


> Now I exported a p12 file to an iPad including an Exchange profile.
> Safari authenticates to Horde but ActiveSync complains about a wrong
> password.

Yup, because right now, it fails if there is no PHP_AUTH_PW or  
AUTHORIZATION values in $_SERVER.

> Is rpc.php not using $conf['auth']['params']['username'] ?

ActiveSync (and, in fact, all RPC-related requests) handle their own
authorization. It's not done in rpc.php. In the case of ActiveSync, it
looks at the PHP_AUTH_PW and PHP_AUTH_USER variables (or
AUTHORIZATION), along with the GET-passed username from the ActiveSync
client.

> Does it support client certificates?

Apparently not ;)

Shouldn't be too much work to get it to work though, please create a  
ticket on bugs.horde.org so the request doesn't get lost...


> Horde version is 5.1.2 (latest updates are installed by pear)
> My conf.php:
>
> <?php
> /* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
> // $Id: *** $
> $conf['vhosts'] = false;
> $conf['debug_level'] = E_ALL & ~E_NOTICE;
> $conf['max_exec_time'] = 0;
> $conf['compress_pages'] = true;
> $conf['secret_key'] = '***';
> $conf['umask'] = 077;
> $conf['testdisable'] = true;
> $conf['use_ssl'] = 1;
> $conf['server']['name'] = "www.example.net";
> $conf['server']['port'] = 443;
> $conf['urls']['token_lifetime'] = 30;
> $conf['urls']['hmac_lifetime'] = 30;
> $conf['urls']['pretty'] = false;
> $conf['safe_ips'] = array('*');
> $conf['session']['name'] = 'Horde';
> $conf['session']['use_only_cookies'] = true;
> $conf['session']['timeout'] = 0;
> $conf['session']['cache_limiter'] = 'nocache';
> $conf['session']['max_time'] = 72000;
> $conf['cookie']['domain'] = "www.example.net";
> $conf['cookie']['path'] = '/webmail';
> $conf['sql']['persistent'] = false;
> $conf['sql']['username'] = 'horde5';
> $conf['sql']['password'] = '***';
> $conf['sql']['hostspec'] = 'pgserver';
> $conf['sql']['port'] = 5432;
> $conf['sql']['protocol'] = 'tcp';
> $conf['sql']['database'] = 'horde5';
> $conf['sql']['charset'] = 'utf-8';
> $conf['sql']['splitread'] = false;
> $conf['sql']['phptype'] = 'pgsql';
> $conf['nosql']['phptype'] = false;
> $conf['ldap']['useldap'] = false;
> $conf['auth']['admins'] = array('root at example.net');
> $conf['auth']['checkip'] = true;
> $conf['auth']['checkbrowser'] = true;
> $conf['auth']['resetpassword'] = true;
> $conf['auth']['alternate_login'] = false;
> $conf['auth']['redirect_on_logout'] = 'http://google.com';
> $conf['auth']['list_users'] = 'list';
> $conf['auth']['params']['username'] = 'Administrator';
> $conf['auth']['params']['requestuser'] = false;
> $conf['auth']['driver'] = 'auto';
> $conf['auth']['params']['count_bad_logins'] = false;
> $conf['auth']['params']['login_block'] = false;
> $conf['auth']['params']['login_block_count'] = 5;
> $conf['auth']['params']['login_block_time'] = 5;
> $conf['signup']['allow'] = false;
> $conf['log']['priority'] = 'INFO';
> $conf['log']['ident'] = 'HORDE';
> $conf['log']['name'] = LOG_USER;
> $conf['log']['type'] = 'syslog';
> $conf['log']['enabled'] = true;
> $conf['log_accesskeys'] = false;
> $conf['prefs']['params']['driverconfig'] = 'horde';
> $conf['prefs']['driver'] = 'Sql';
> $conf['alarms']['params']['driverconfig'] = 'horde';
> $conf['alarms']['params']['ttl'] = 300;
> $conf['alarms']['driver'] = 'Sql';
> $conf['group']['driverconfig'] = 'horde';
> $conf['group']['driver'] = 'Sql';
> $conf['perms']['driverconfig'] = 'horde';
> $conf['perms']['driver'] = 'Sql';
> $conf['share']['no_sharing'] = false;
> $conf['share']['auto_create'] = true;
> $conf['share']['world'] = true;
> $conf['share']['any_group'] = false;
> $conf['share']['hidden'] = false;
> $conf['share']['cache'] = false;
> $conf['share']['driver'] = 'Sqlng';
> $conf['cache']['default_lifetime'] = 86400;
> $conf['cache']['params']['sub'] = 0;
> $conf['cache']['driver'] = 'File';
> $conf['cache']['use_memorycache'] = '';
> $conf['cachecssparams']['url_version_param'] = true;
> $conf['cachecss'] = false;
> $conf['cachejsparams']['url_version_param'] = true;
> $conf['cachejs'] = false;
> $conf['cachethemes'] = false;
> $conf['lock']['params']['driverconfig'] = 'horde';
> $conf['lock']['driver'] = 'Sql';
> $conf['token']['params']['driverconfig'] = 'horde';
> $conf['token']['driver'] = 'Sql';
> $conf['davstorage']['params']['driverconfig'] = 'horde';
> $conf['davstorage']['driver'] = 'Sql';
> $conf['mailer']['params']['host'] = 'dovecot.lan';
> $conf['mailer']['params']['localhost'] = 'webmail.lan';
> $conf['mailer']['params']['auth'] = false;
> $conf['mailer']['type'] = 'smtp';
> $conf['mailformat']['brokenrfc2231'] = false;
> $conf['vfs']['params']['driverconfig'] = 'horde';
> $conf['vfs']['type'] = 'Sql';
> $conf['sessionhandler']['type'] = 'Builtin';
> $conf['sessionhandler']['hashtable'] = false;
> $conf['spell']['driver'] = '';
> $conf['gnupg']['path'] = '/usr/bin/gpg';
> $conf['gnupg']['keyserver'] = array('pool.sks-keyservers.net');
> $conf['gnupg']['timeout'] = 10;
> $conf['openssl']['cafile'] = '/etc/ssl/certs';
> $conf['openssl']['path'] = '/usr/bin/openssl';
> $conf['nobase64_img'] = false;
> $conf['image']['driver'] = false;
> $conf['exif']['driver'] = 'Bundled';
> $conf['timezone']['location'] =
> 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz';
> $conf['problems']['email'] = 'webmaster at example.net';
> $conf['problems']['maildomain'] = 'example.net';
> $conf['problems']['tickets'] = false;
> $conf['problems']['attachments'] = true;
> $conf['menu']['links']['help'] = 'all';
> $conf['menu']['links']['prefs'] = 'authenticated';
> $conf['menu']['links']['problem'] = 'all';
> $conf['menu']['links']['login'] = 'all';
> $conf['menu']['links']['logout'] = 'authenticated';
> $conf['portal']['fixed_blocks'] = array();
> $conf['accounts']['driver'] = 'null';
> $conf['user']['verify_from_addr'] = false;
> $conf['user']['select_view'] = true;
> $conf['facebook']['enabled'] = false;
> $conf['twitter']['enabled'] = false;
> $conf['urlshortener'] = false;
> $conf['weather']['provider'] = false;
> $conf['imap']['enabled'] = false;
> $conf['imsp']['enabled'] = false;
> $conf['kolab']['enabled'] = false;
> $conf['hashtable']['driver'] = 'none';
> $conf['activesync']['emailsync'] = true;
> $conf['activesync']['version'] = '14.1';
> $conf['activesync']['autodiscovery'] = 'full';
> $conf['activesync']['outlookdiscovery'] = false;
> $conf['activesync']['logging']['type'] = 'horde';
> $conf['activesync']['ping']['heartbeatmin'] = 60;
> $conf['activesync']['ping']['heartbeatmax'] = 2700;
> $conf['activesync']['ping']['heartbeatdefault'] = 480;
> $conf['activesync']['ping']['deviceping'] = true;
> $conf['activesync']['ping']['waitinterval'] = 15;
> $conf['activesync']['enabled'] = true;
> /* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
> $conf['auth']['params']['username'] =
> $_SERVER["HTTP_SSL_CLIENT_S_DN_EMAIL"];
>
> best regards
> Christian Felsing
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org


-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
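The reply above describes the lookup order the ActiveSync request handler uses (PHP_AUTH_USER/PHP_AUTH_PW, then a raw Authorization value in $_SERVER, plus the username the client passes in the query string) and says a client-certificate fallback is not there yet. The following is an added illustration of what such a fallback would look like; it is not Horde code and not from either poster. It assumes Apache mod_ssl with `SSLOptions +StdEnvVars`, so the certificate fields arrive as `SSL_CLIENT_S_DN_EMAIL` and `SSL_CLIENT_VERIFY` rather than as the proxy-forwarded `HTTP_SSL_CLIENT_S_DN_EMAIL` header in the quoted config, and it assumes the raw header key is `HTTP_AUTHORIZATION` (the usual FastCGI workaround name). The point a practitioner would want is the `SSL_CLIENT_VERIFY === 'SUCCESS'` check: the DN e-mail is only an identity if the web server actually validated the certificate chain, and if the value is instead forwarded as an HTTP header by a reverse proxy, that proxy must overwrite the header on every request so a client cannot supply its own.

```php
<?php
// Added example (not Horde's code): resolve an ActiveSync login identity from
// the request environment, falling back to a verified client certificate.

/**
 * Decode an HTTP Basic "Authorization" header value into [user, password],
 * or return null if it is not a well-formed Basic credential.
 */
function parseBasicAuthorization(string $header): ?array
{
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    list($user, $password) = explode(':', $decoded, 2);
    return $user === '' ? null : [$user, $password];
}

/**
 * Return ['user' => ..., 'source' => 'basic'|'cert'] or null when the
 * request carries no usable identity.
 *
 * $server is the $_SERVER array; $get is the query string (the ActiveSync
 * client sends its login name as the "User" parameter, so a mismatch with the
 * authenticated identity is rejected as an added consistency check).
 */
function resolveActiveSyncUser(array $server, array $get = []): ?array
{
    $identity = null;

    // 1. Credentials Apache already decoded for us.
    if (!empty($server['PHP_AUTH_USER']) && isset($server['PHP_AUTH_PW'])) {
        $identity = ['user' => $server['PHP_AUTH_USER'], 'source' => 'basic'];
    }

    // 2. Raw Authorization header (assumed key names; CGI/FastCGI setups).
    if ($identity === null) {
        foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
            if (!empty($server[$key])) {
                $creds = parseBasicAuthorization($server[$key]);
                if ($creds !== null) {
                    $identity = ['user' => $creds[0], 'source' => 'basic'];
                    break;
                }
            }
        }
    }

    // 3. Client certificate. mod_ssl reports NONE, FAILED:<reason>, GENEROUS
    //    or SUCCESS; only SUCCESS means the chain was validated against the
    //    configured CA, so anything else is treated as "no certificate".
    if ($identity === null
        && ($server['SSL_CLIENT_VERIFY'] ?? '') === 'SUCCESS'
        && !empty($server['SSL_CLIENT_S_DN_EMAIL'])) {
        $identity = ['user' => $server['SSL_CLIENT_S_DN_EMAIL'], 'source' => 'cert'];
    }

    if ($identity === null) {
        return null;
    }

    // The query-string User must agree with whoever actually authenticated.
    if (isset($get['User'])
        && strcasecmp($get['User'], $identity['user']) !== 0) {
        return null;
    }
    return $identity;
}

// Constructed sample requests (not captured traffic), one per branch.
$samples = [
    'basic header' => [
        ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice@example.net:secret')],
        ['User' => 'alice@example.net'],
    ],
    'verified cert' => [
        ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_EMAIL' => 'bob@example.net'],
        ['User' => 'bob@example.net'],
    ],
    'unverified cert' => [
        ['SSL_CLIENT_VERIFY' => 'NONE', 'SSL_CLIENT_S_DN_EMAIL' => 'bob@example.net'],
        [],
    ],
    'cert/User mismatch' => [
        ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_EMAIL' => 'bob@example.net'],
        ['User' => 'carol@example.net'],
    ],
];

foreach ($samples as $label => list($server, $get)) {
    printf("%-20s => %s\n", $label, json_encode(resolveActiveSyncUser($server, $get)));
}
```

A real integration would still have to hand the resolved name to Horde's auth layer and log the `source`, so that a certificate-based login and a password login are distinguishable in the audit trail.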