[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Michael J Rubinsky mrubinsk at horde.org
Mon Sep 9 18:33:02 UTC 2013


Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>
>> On 09/09/2013 08:56 PM, Michael J Rubinsky wrote:
>>> Moving back to the list after receiving config.
>>>
>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>
>>>> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>>>>
>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>
>>>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>
>>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>>>>> to you personally.
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>>>>> devices (android & wp8) after the commit:
>>>>>>>>>>
>>>>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9 Author:
>>>>>>>>>> Michael J Rubinsky <mrubinsk at horde.org> Date:   Sat Aug 31
>>>>>>>>>> 15:07:17 2013 -0400
>>>>>>>>>>
>>>>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>>>>
>>>>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>>>>> X509 driver is used to authenticate with the client
>>>>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>>>>> for the certificates.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>>>>> but it seems that I'm missing something from the
>>>>>>>>>> configuration as none of the mobile devices are able to
>>>>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>>>>> certificate).
>>>>>>>>>>
>>>>>>>>>> Everything is back to normal if I revert back to the
>>>>>>>>>> previous commit.
>>>>>>>>>>
>>>>>>>>>> Regards, Tomi Orava
>>>>>>>>>
>>>>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>>>>> Can you post your configuration?
>>>>>>>>
>>>>>>>> Well, this is just a normal ssl setup, although I'd like to use
>>>>>>>> also the client certificates if the Samsung Galaxy S3 wouldn't
>>>>>>>> disable those from the account.
>>>>>>>>
>>>>>>>> I did not see any new configuration blocks for the auth setup
>>>>>>>> or something.
>>>>>>>>
>>>>>>>> Regards, Tomi Orava
>>>>>>>
>>>>>>>
>>>>>>> Are you running the most up to date git code?
>>>>>>
>>>>>> Yes, just updated before trying again after yesterday:
>>>>>>
>>>>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>>>>
>>>>> Not sure. There was a problem in
>>>>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>>>>> the initial commit was made, but that was fixed. Anything in the
>>>>> logs? This works fine for me here. Just to be clear, we are talking
>>>>> about normal authentication from the activesync client and the
>>>>> webserver itself does not require certificates to be authenticated,
>>>>> right?
>>>>
>>>> The only logs are:
>>>>
>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file  
>>>> (conf.php; app: horde) [pid 18319 on line 409 of  
>>>> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from  
>>>> ActiveSync client for user kaisa. [pid 18319 on line 567 of  
>>>> "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage:  
>>>> 22282240 bytes [pid 18319 on line 566 of  
>>>> "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
>>>> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file  
>>>> (conf.php; app: horde) [pid 19382 on line 409 of  
>>>> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>>
>>>>
>>>> Ok, now when you mention about it ...
>>>> Yes, you can't access my horde installation without
>>>> username & password (basic authentication), except these files:
>>>>
>>>>       <Files rpc.php>
>>>>           Order Allow,Deny
>>>>           Allow from all
>>>>           Satisfy Any
>>>>       </Files>
>>>>
>>>>       <Files fb.php>
>>>>           Order Allow,Deny
>>>>           Allow from all
>>>>           Satisfy Any
>>>>       </Files>
>>>>
>>>> This has never caused any problems in here, though.
>>>
>>> This shouldn't matter, as far as activesync goes. rpc.php is the  
>>> only page it interfaces with.
>>>
>>>
>>>> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
>>>> all with the latest firmwares.
>>>>
>>>> If I take the X509 commit into use, none of those is able to login
>>>> via activesync, normal web pages work just fine though (as they should).
>>>>
>>>> The horde authentication system is using imap server for password checking
>>>> (cyrus imapd), in case this matters.
>>>
>>> Do you see the authentication attempt in the imap server log?
>>
>> No, normal https logins work fine, but according to imap debug log,
>> none of the activesync connections ever reach to the imap login  
>> phase at all.
>
> Since I can't reproduce this, you are going to have to track down  
> the failure point. In Horde_Core_ActiveSync_Driver::authenticate,  
> you're failing the conditional on line 196/197. You need to figure out  
> why.
>
> Based on what you told me, $this->_auth should be a  
> Horde_Core_ActiveSync_Auth:: object with a Horde_Auth_Imap:: object  
> set as the 'base_driver' parameter. You can use Horde::debug() to  
> verify this.
>
> Based on the config you sent me you are running git master, so  
> $conf['activesync']['auth']['type'] should indeed be empty, so the  
> code should be calling $this->_auth->authenticate(), which since you  
> are not using X.509, should pass the call to the imap authentication  
> driver.
>
> Check the $username and $password variables with Horde::debug() to  
> be sure they contain the values you expect.


....and on a more simple note, make sure you ran install_dev since that  
commit and cleared the autoloader cache since a new file was introduced.

-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
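
The check discussed in the thread (Horde logs a failed ActiveSync login, yet the IMAP server never sees an attempt) can be run over logs. This is an added example, not part of the original message and not Horde code; the log samples are constructed, and the "timestamp user" IMAP attempt format and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Horde log format quoted in the thread.
HORDE_LOG = '''\
2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user kaisa. [pid 18319 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
2013-09-09T20:20:02+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user matti. [pid 18402 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
2013-09-09T20:20:03+03:00 DEBUG: HORDE [horde] Max memory usage: 22282240 bytes [pid 18402 on line 566 of "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
'''

# Constructed IMAP-side login attempts, "timestamp user" (assumed, simplified format).
IMAP_ATTEMPTS = '''\
2013-09-09T20:20:02+03:00 matti
'''

FAIL_RE = re.compile(
    r'^(\S+) NOTICE: HORDE \[[^\]]*\] '
    r'Login failed from ActiveSync client for user (.+?)\. \[pid')

def horde_failures(text):
    """Return (datetime, user) for each ActiveSync login failure line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return out

def imap_attempts(text):
    """Return (datetime, user) for each backend login attempt line."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, user = line.split(None, 1)
            out.append((datetime.fromisoformat(ts), user.strip()))
    return out

def never_reached_backend(failures, attempts, window=timedelta(seconds=5)):
    """Failures with no backend attempt for the same user within the window.

    These were rejected before the base auth driver was called, which points
    at configuration or code rather than at a wrong password.
    """
    missing = []
    for when, user in failures:
        if not any(u == user and abs(t - when) <= window for t, u in attempts):
            missing.append((when.isoformat(), user))
    return missing
```
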