[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Tomi Orava Tomi.Orava at ncircle.nullnet.fi
Wed Sep 11 17:05:44 UTC 2013


Quoting Michael J Rubinsky <mrubinsk at horde.org>:

> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>
>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>
>>> On 09/09/2013 08:56 PM, Michael J Rubinsky wrote:
>>>> Moving back to the list after receiving config.
>>>>
>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>
>>>>> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>>>>>
>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>
>>>>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>
>>>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>>>>>> it to you personally.
>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>>>>>> devices (android & wp8) after the commit:
>>>>>>>>>>>
>>>>>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9
>>>>>>>>>>> Author: Michael J Rubinsky <mrubinsk at horde.org>
>>>>>>>>>>> Date:   Sat Aug 31 15:07:17 2013 -0400
>>>>>>>>>>>
>>>>>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>>>>>
>>>>>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>>>>>> X509 driver is used to authenticate with the client
>>>>>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>>>>>> for the certificates.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>>>>>> but it seems that I'm missing something from the
>>>>>>>>>>> configuration as none of the mobile devices are able to
>>>>>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>>>>>> certificate).
>>>>>>>>>>>
>>>>>>>>>>> Everything is back to normal if I revert back to the
>>>>>>>>>>> previous commit.
>>>>>>>>>>>
>>>>>>>>>>> Regards, Tomi Orava
>>>>>>>>>>
>>>>>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>>>>>> Can you post your configuration?
>>>>>>>>>
>>>>>>>>> Well, this is just a normal ssl setup, although I'd also like to
>>>>>>>>> use the client certificates if the Samsung Galaxy S3 wouldn't
>>>>>>>>> disable those from the account.
>>>>>>>>>
>>>>>>>>> I did not see any new configuration blocks for the auth setup
>>>>>>>>> or something.
>>>>>>>>>
>>>>>>>>> Regards, Tomi Orava
>>>>>>>>
>>>>>>>>
>>>>>>>> Are you running the most up to date git code?
>>>>>>>
>>>>>>> Yes, just updated before trying again after yesterday:
>>>>>>>
>>>>>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>>>>>
>>>>>> Not sure. There was a problem in
>>>>>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>>>>>> the initial commit was made, but that was fixed. Anything in the
>>>>>> logs? This works fine for me here. Just to be clear, we are talking
>>>>>> about normal authentication from the activesync client and the
>>>>>> webserver itself does not require certificates to be authenticated,
>>>>>> right?
>>>>>
>>>>> The only logs are:
>>>>>
>>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file (conf.php; app: horde) [pid 18319 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>>> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user kaisa. [pid 18319 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
>>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage: 22282240 bytes [pid 18319 on line 566 of "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
>>>>> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 19382 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>>>
>>>>>
>>>>> Ok, now that you mention it ...
>>>>> Yes, you can't access my horde installation without
>>>>> username & password (basic authentication), except these files:
>>>>>
>>>>>      <Files rpc.php>
>>>>>          Order Allow,Deny
>>>>>          Allow from all
>>>>>          Satisfy Any
>>>>>      </Files>
>>>>>
>>>>>      <Files fb.php>
>>>>>          Order Allow,Deny
>>>>>          Allow from all
>>>>>          Satisfy Any
>>>>>      </Files>
>>>>>
>>>>> This has never caused any problems in here, though.
>>>>
>>>> This shouldn't matter, as far as activesync goes. rpc.php is the  
>>>> only page it interfaces with.
>>>>
>>>>
>>>>> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
>>>>> all with the latest firmwares.
>>>>>
>>>>> If I take the X509 commit into use, none of those is able to login
>>>>> via activesync, normal web pages work just fine though (as they should).
>>>>>
>>>>> The horde authentication system is using imap server for  
>>>>> password checking
>>>>> (cyrus imapd), in case this matters.
>>>>
>>>> Do you see the authentication attempt in the imap server log?
>>>
>>> No, normal https logins work fine, but according to imap debug log,
>>> none of the activesync connections ever reach the imap login
>>> phase at all.
>>
>> Since I can't reproduce this, you are going to have to track down
>> the failure point. In Horde_Core_ActiveSync_Driver::authenticate,
>> you're failing the conditional on line 196/197. You need to figure
>> out why.
>>
>> Based on what you told me, $this->_auth should be a  
>> Horde_Core_ActiveSync_Auth:: object with a Horde_Auth_Imap:: object  
>> set as the 'base_driver' parameter. You can use Horde::debug() to  
>> verify this.
>>
>> Based on the config you sent me you are running git master, so  
>> $conf['activesync']['auth']['type'] should indeed be empty, so the  
>> code should be calling $this->_auth->authenticate(), which since  
>> you are not using X.509, should pass the call to the imap  
>> authentication driver.
>>
>> Check the $username and $password variables with Horde::debug() to  
>> be sure they contain the values you expect.

The username, password and domain are all ok. The problem is somewhere here:

diff --git  
a/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php  
b/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
index cc05050..a35e2de 100644
--- a/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
+++ b/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
@@ -19,7 +19,8 @@ class Horde_Core_Factory_ActiveSyncBackend extends  
Horde_Core_Factory_Injector
                  : null,
              'ping' => $conf['activesync']['ping'],
              'state' => $injector->getInstance('Horde_ActiveSyncState'),
-            'auth' => $this->_getAuth());
+            // 'auth' => $this->_getAuth());
+            'auth' =>  
$injector->getInstance('Horde_Core_Factory_Auth')->create());

          return new Horde_Core_ActiveSync_Driver($driver_params);
      }
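
Review bot: replacing `$this->_getAuth()` with the bare `Horde_Core_Factory_Auth` driver in the `'auth'` entry takes the Horde_Core_ActiveSync_Auth wrapper out of the login path, so `$conf['activesync']['auth']['type']` is never consulted and a site configured to require client certificates would accept Basic credentials alone. As a bisect step this is useful, because it places the failure in `_getAuth()` or the wrapper rather than in the IMAP driver, but it should not stay as the fix; restore the commented-out line once the wrapper problem is found.
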
@@ -32,18 +33,25 @@ class Horde_Core_Factory_ActiveSyncBackend extends  
Horde_Core_Factory_Injector
      protected function _getAuth()
      {
          global $conf, $injector;
+        $logger = new Horde_Log_Logger($this->handler);

          $params = array(
              'base_driver' =>  
$injector->getInstance('Horde_Core_Factory_Auth')->create(),
          );

+         
$logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth()  
Called!"));
+
+
          if (!empty($conf['activesync']['auth']['type']) &&
              $conf['activesync']['auth']['type'] != 'basic') {
+             
$this->_logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth() Using X.509  
setup!"));

              $x_params = $conf['activesync']['auth']['params'];
              $x_params['default_user'] = $GLOBALS['registry']->getAuth();
              $x_params['logger'] =  
$this->_injector->getInstance('Horde_Log_Logger');
              $params['transparent_driver'] =  
Horde_Auth::factory('Horde_Core_Auth_X509', $x_params);
+        } else {
+           
$this->_logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth() Skipped X.509  
setup!"));
          }

          $obj = new Horde_Core_ActiveSync_Auth($params);
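
Review bot: the three added debug calls use two different loggers, neither of which is set up in the visible code: `$logger` is built from `$this->handler`, and the calls inside the `if` and `else` branches go through `$this->_logger`. The unchanged `$x_params['logger']` line in the same function obtains the logger with `$this->_injector->getInstance('Horde_Log_Logger')`; fetching that instance once at the top of `_getAuth()` and using it for all three messages would put the output in the normal Horde log. If `$this->_logger` is not a property of this factory, the call in the `else` branch stops the request before the auth object is built, which also changes the behaviour being debugged. The `sprintf()` wrappers take no format arguments and can be dropped.
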

I.e. by using the old type
'auth' => $injector->getInstance('Horde_Core_Factory_Auth')->create());
instead of the new _getAuth() function, I'm able to log in by using
activesync (all devices).

However, my debug lines are obviously not done correctly, as I'm
unable to get any debug lines out of this newer _getAuth() function
at will. I'm sure you have some hints how to accomplish that.

Tomi O.
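
The commit message quoted in this thread describes three modes (HTTP Basic only, client certificate only, or both), and the workaround in the diff passes the base driver directly. As an added illustration, not Horde's code and not part of the original post, this standalone PHP 8 model shows why the wrapper has to stay in the login path when certificates are required. The class names, the 'cert' and 'basic_cert' mode names, the CN-equals-user rule and the sample data are assumptions.

```php
<?php
// Added model, PHP 8+. Class names and the 'cert' / 'basic_cert' mode names are
// assumptions; only 'basic' appears in the thread. Sample data is constructed.
interface Authenticator
{
    public function authenticate(array $request): bool;
}

// Stand-in for the horde-wide driver (IMAP in the thread): HTTP Basic check.
final class BasicDriver implements Authenticator
{
    public function __construct(private array $passwords) {}

    public function authenticate(array $request): bool
    {
        $known = $this->passwords[$request['user'] ?? ''] ?? null;
        return $known !== null && hash_equals($known, (string) ($request['pass'] ?? ''));
    }
}

// Reads the verification result exported by the web server (mod_ssl variables).
final class CertDriver implements Authenticator
{
    public function authenticate(array $request): bool
    {
        $cn = $request['SSL_CLIENT_S_DN_CN'] ?? '';
        return ($request['SSL_CLIENT_VERIFY'] ?? 'NONE') === 'SUCCESS'
            && $cn !== '' && $cn === ($request['user'] ?? '');
    }
}

final class ActiveSyncAuth implements Authenticator
{
    public function __construct(private string $mode, private Authenticator $base, private Authenticator $cert) {}

    public function authenticate(array $request): bool
    {
        return match ($this->mode) {
            'basic'      => $this->base->authenticate($request),
            'cert'       => $this->cert->authenticate($request),
            'basic_cert' => $this->base->authenticate($request) && $this->cert->authenticate($request),
            default      => false, // unknown mode: fail closed
        };
    }
}

$base = new BasicDriver(['alice' => 'constructed-password']);
$request = ['user' => 'alice', 'pass' => 'constructed-password']; // no client certificate
var_dump((new ActiveSyncAuth('basic_cert', $base, new CertDriver()))->authenticate($request));
var_dump($base->authenticate($request)); // same request against the bare base driver
```

The two `var_dump` calls evaluate the same request, once through the wrapper in 'basic_cert' mode and once against the base driver alone, so the difference between them is exactly what the workaround gives up.
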





