[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Michael J Rubinsky mrubinsk at horde.org
Mon Sep 9 18:29:02 UTC 2013


Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:

> On 09/09/2013 08:56 PM, Michael J Rubinsky wrote:
>> Moving back to the list after receiving config.
>>
>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>
>>> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>>>
>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>
>>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>
>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>>>> to you personally.
>>>>>>>
>>>>>>>>>
>>>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>>>> devices (android & wp8) after the commit:
>>>>>>>>>
>>>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9
>>>>>>>>> Author: Michael J Rubinsky <mrubinsk at horde.org>
>>>>>>>>> Date:   Sat Aug 31 15:07:17 2013 -0400
>>>>>>>>>
>>>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>>>
>>>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>>>> X509 driver is used to authenticate with the client
>>>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>>>> for the certificates.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>>>> but it seems that I'm missing something from the
>>>>>>>>> configuration as none of the mobile devices are able to
>>>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>>>> certificate).
>>>>>>>>>
>>>>>>>>> Everything is back to normal if I revert back to the
>>>>>>>>> previous commit.
>>>>>>>>>
>>>>>>>>> Regards, Tomi Orava
>>>>>>>>
>>>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>>>> Can you post your configuration?
>>>>>>>
>>>>>>> Well, this is just a normal ssl setup, although I'd like to use
>>>>>>> also the client certificates if the Samsung Galaxy S3 wouldn't
>>>>>>> disable those from the account.
>>>>>>>
>>>>>>> I did not see any new configuration blocks for the auth setup
>>>>>>> or something.
>>>>>>>
>>>>>>> Regards, Tomi Orava
>>>>>>
>>>>>>
>>>>>> Are you running the most up to date git code?
>>>>>
>>>>> Yes, just updated before trying again after yesterday:
>>>>>
>>>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>>>
>>>> Not sure. There was a problem in
>>>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>>>> the initial commit was made, but that was fixed. Anything in the
>>>> logs? This works fine for me here. Just to be clear, we are talking
>>>> about normal authentication from the activesync client and the
>>>> webserver itself does not require certificates to be authenticated,
>>>> right?
>>>
>>> The only logs are:
>>>
>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file  
>>> (conf.php; app: horde) [pid 18319 on line 409 of  
>>> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from  
>>> ActiveSync client for user kaisa. [pid 18319 on line 567 of  
>>> "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage:  
>>> 22282240 bytes [pid 18319 on line 566 of  
>>> "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
>>> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php;  
>>> app: horde) [pid 19382 on line 409 of  
>>> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>
>>>
>>> Ok, now that you mention it ...
>>> Yes, you can't access my horde installation without
>>> username & password (basic authentication), except these files:
>>>
>>>         <Files rpc.php>
>>>             Order Allow,Deny
>>>             Allow from all
>>>             Satisfy Any
>>>         </Files>
>>>
>>>         <Files fb.php>
>>>             Order Allow,Deny
>>>             Allow from all
>>>             Satisfy Any
>>>         </Files>
>>>
>>> This has never caused any problems in here, though.
>>
>> This shouldn't matter, as far as activesync goes. rpc.php is the  
>> only page it interfaces with.
>>
>>
>>> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
>>> all with the latest firmwares.
>>>
>>> If I take the X509 commit into use, none of those is able to login
>>> via activesync, normal web pages work just fine though (as they should).
>>>
>>> The horde authentication system is using imap server for password checking
>>> (cyrus imapd), in case this matters.
>>
>> Do you see the authentication attempt in the imap server log?
>
> No, normal https logins work fine, but according to the imap debug log,
> none of the activesync connections ever reach the imap login phase at all.

Since I can't reproduce this, you are going to have to track down the
failure point. In Horde_Core_ActiveSync_Driver::authenticate, you're
failing the conditional on line 196/197. You need to figure out why.

Based on what you told me, $this->_auth should be a  
Horde_Core_ActiveSync_Auth:: object with a Horde_Auth_Imap:: object  
set as the 'base_driver' parameter. You can use Horde::debug() to  
verify this.

Based on the config you sent me you are running git master, so  
$conf['activesync']['auth']['type'] should indeed be empty, so the  
code should be calling $this->_auth->authenticate(), which since you  
are not using X.509, should pass the call to the imap authentication  
driver.

Check the $username and $password variables with Horde::debug() to be  
sure they contain the values you expect.


-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
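
The Horde log excerpt quoted in this message arrives wrapped by the mail client, which makes it awkward to search for the failing request. As an added example (not part of the original message and not Horde code), this Python script rejoins the wrapped lines, splits each entry into its fields, and counts failed ActiveSync logins per user; the sample input is constructed from the lines quoted above, and the regular expressions assume exactly that layout.

```python
import re
from collections import Counter

# Constructed sample: the Horde log lines quoted in the thread, still wrapped
# the way the mail client wrapped them (continuation lines have no timestamp).
SAMPLE = '''\
2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file
(conf.php; app: horde) [pid 18319 on line 409 of
"/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from
ActiveSync client for user kaisa. [pid 18319 on line 567 of
"/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage:
22282240 bytes [pid 18319 on line 566 of
"/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
'''

TS = re.compile(r'^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2} ')
ENTRY = re.compile(
    r'^(?P<ts>\S+) (?P<level>[A-Z]+): HORDE (?:\[(?P<app>[^\]]*)\] )?'
    r'(?P<msg>.*) \[pid (?P<pid>\d+) on line (?P<line>\d+) of "(?P<file>[^"]+)"\]$')
FAILED = re.compile(r'Login failed from ActiveSync client for user (?P<user>.+)\.$')

def parse_entries(text):
    """Rejoin wrapped lines into one record per entry, then split into fields."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if TS.match(raw) or not records:
            records.append(raw)           # a timestamp starts a new entry
        else:
            records[-1] += ' ' + raw      # continuation of the previous entry
    return [m.groupdict() for m in map(ENTRY.match, records) if m]

def failed_activesync_logins(entries):
    """Count 'Login failed from ActiveSync client' notices per user name."""
    hits = Counter()
    for e in entries:
        m = FAILED.search(e['msg'])
        if m:
            hits[m.group('user')] += 1
    return hits
```

The `pid` field ties a failure notice to the other entries of the same request, which is what makes it possible to see that the request in the thread loaded `conf.php` and failed without any further log output in between.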