[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Michael J Rubinsky mrubinsk at horde.org
Wed Sep 11 17:22:17 UTC 2013


Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:

> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>
>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>
>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>
>>>> On 09/09/2013 08:56 PM, Michael J Rubinsky wrote:
>>>>> Moving back to the list after receiving config.
>>>>>
>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>
>>>>>> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>>>>>>
>>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>>
>>>>>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>>>>
>>>>>>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>>>>>>> to you personally.
>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>>>>>>> devices (android & wp8) after the commit:
>>>>>>>>>>>>
>>>>>>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9
>>>>>>>>>>>> Author: Michael J Rubinsky <mrubinsk at horde.org>
>>>>>>>>>>>> Date:   Sat Aug 31 15:07:17 2013 -0400
>>>>>>>>>>>>
>>>>>>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>>>>>>
>>>>>>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>>>>>>> X509 driver is used to authenticate with the client
>>>>>>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>>>>>>> for the certificates.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>>>>>>> but it seems that I'm missing something from the
>>>>>>>>>>>> configuration as none of the mobile devices are able to
>>>>>>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>>>>>>> certificate).
>>>>>>>>>>>>
>>>>>>>>>>>> Everything is back to normal if I revert back to the
>>>>>>>>>>>> previous commit.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards, Tomi Orava
>>>>>>>>>>>
>>>>>>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>>>>>>> Can you post your configuration?
>>>>>>>>>>
>>>>>>>>>> Well, this is just a normal ssl setup, although I'd like to use
>>>>>>>>>> also the client certificates if the Samsung Galaxy S3 wouldn't
>>>>>>>>>> disable those from the account.
>>>>>>>>>>
>>>>>>>>>> I did not see any new configuration blocks for the auth setup
>>>>>>>>>> or something.
>>>>>>>>>>
>>>>>>>>>> Regards, Tomi Orava
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Are you running the most up to date git code?
>>>>>>>>
>>>>>>>> Yes, just updated before trying again after yesterday:
>>>>>>>>
>>>>>>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>>>>>>
>>>>>>> Not sure. There was a problem in
>>>>>>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>>>>>>> the initial commit was made, but that was fixed. Anything in the
>>>>>>> logs? This works fine for me here. Just to be clear, we are talking
>>>>>>> about normal authentication from the activesync client and the
>>>>>>> webserver itself does not require certificates to be authenticated,
>>>>>>> right?
>>>>>>
>>>>>> The only logs are:
>>>>>>
>>>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file (conf.php; app: horde) [pid 18319 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>>>> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from ActiveSync client for user kaisa. [pid 18319 on line 567 of "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
>>>>>> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage: 22282240 bytes [pid 18319 on line 566 of "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
>>>>>> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 19382 on line 409 of "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>>>>>>
>>>>>>
>>>>>> Ok, now that you mention it ...
>>>>>> Yes, you can't access my horde installation without
>>>>>> username & password (basic authentication), except these files:
>>>>>>
>>>>>>     <Files rpc.php>
>>>>>>         Order Allow,Deny
>>>>>>         Allow from all
>>>>>>         Satisfy Any
>>>>>>     </Files>
>>>>>>
>>>>>>     <Files fb.php>
>>>>>>         Order Allow,Deny
>>>>>>         Allow from all
>>>>>>         Satisfy Any
>>>>>>     </Files>
>>>>>>
>>>>>> This has never caused any problems in here, though.
>>>>>
>>>>> This shouldn't matter, as far as activesync goes. rpc.php is the  
>>>>> only page it interfaces with.
>>>>>
>>>>>
>>>>>> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
>>>>>> all with the latest firmwares.
>>>>>>
>>>>>> If I take the X509 commit into use, none of those is able to login
>>>>>> via activesync, normal web pages work just fine though (as they should).
>>>>>>
>>>>>> The horde authentication system is using imap server for password
>>>>>> checking (cyrus imapd), in case this matters.
>>>>>
>>>>> Do you see the authentication attempt in the imap server log?
>>>>
>>>> No, normal https logins work fine, but according to imap debug log,
>>>> none of the activesync connections ever reach to the imap login phase
>>>> at all.
>>>
>>> Since I can't reproduce this, you are going to have to track down
>>> the failure point. In Horde_Core_ActiveSync_Driver::authenticate,
>>> you're failing the conditional on line 196/197. You need to figure
>>> out why.
>>>
>>> Based on what you told me, $this->_auth should be a  
>>> Horde_Core_ActiveSync_Auth:: object with a Horde_Auth_Imap::  
>>> object set as the 'base_driver' parameter. You can use  
>>> Horde::debug() to verify this.
>>>
>>> Based on the config you sent me you are running git master, so  
>>> $conf['activesync']['auth']['type'] should indeed be empty, so the  
>>> code should be calling $this->_auth->authenticate(), which since  
>>> you are not using X.509, should pass the call to the imap  
>>> authentication driver.
>>>
>>> Check the $username and $password variables with Horde::debug() to  
>>> be sure they contain the values you expect.
>
> The username, password and domain are all ok. The problem is somewhere here:
>
> diff --git  
> a/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php  
> b/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
> index cc05050..a35e2de 100644
> --- a/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
> +++ b/framework/Core/lib/Horde/Core/Factory/ActiveSyncBackend.php
> @@ -19,7 +19,8 @@ class Horde_Core_Factory_ActiveSyncBackend extends  
> Horde_Core_Factory_Injector
>                  : null,
>              'ping' => $conf['activesync']['ping'],
>              'state' => $injector->getInstance('Horde_ActiveSyncState'),
> -            'auth' => $this->_getAuth());
> +            // 'auth' => $this->_getAuth());
> +            'auth' =>  
> $injector->getInstance('Horde_Core_Factory_Auth')->create());
>
>          return new Horde_Core_ActiveSync_Driver($driver_params);
>      }
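Review bot: In the `$driver_params` array, swapping `'auth' => $this->_getAuth()` for the bare `Horde_Core_Factory_Auth` driver bypasses the `Horde_Core_ActiveSync_Auth` wrapper that `_getAuth()` builds, so a `$conf['activesync']['auth']['type']` other than 'basic' would be silently ignored and the X.509 `transparent_driver` never attached. This is acceptable as a bisection step only; restore the `_getAuth()` call and remove the commented-out line once the failing branch is identified.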
> @@ -32,18 +33,25 @@ class Horde_Core_Factory_ActiveSyncBackend  
> extends Horde_Core_Factory_Injector
>      protected function _getAuth()
>      {
>          global $conf, $injector;
> +        $logger = new Horde_Log_Logger($this->handler);
>
>          $params = array(
>              'base_driver' =>  
> $injector->getInstance('Horde_Core_Factory_Auth')->create(),
>          );
>
> +         
> $logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth()  
> Called!"));
> +
> +
>          if (!empty($conf['activesync']['auth']['type']) &&
>              $conf['activesync']['auth']['type'] != 'basic') {
> +             
> $this->_logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth() Using X.509  
> setup!"));
>
>              $x_params = $conf['activesync']['auth']['params'];
>              $x_params['default_user'] = $GLOBALS['registry']->getAuth();
>              $x_params['logger'] =  
> $this->_injector->getInstance('Horde_Log_Logger');
>              $params['transparent_driver'] =  
> Horde_Auth::factory('Horde_Core_Auth_X509', $x_params);
> +        } else {
> +           
> $this->_logger->debug(sprintf("Horde_Core_Factory_ActiveSyncBackend::_getAuth() Skipped X.509  
> setup!"));
>          }
>
>          $obj = new Horde_Core_ActiveSync_Auth($params);
>
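Review bot: The debug lines added in `_getAuth()` mix a local `$logger` with `$this->_logger`: the first message goes through `new Horde_Log_Logger($this->handler)`, where `$this->handler` is not set anywhere in the visible code, and both branch messages call `$this->_logger->debug(...)`, a property this hunk never assigns. Use one logger for all three messages, for example the `$this->_injector->getInstance('Horde_Log_Logger')` instance the hunk already passes as `$x_params['logger']`, and drop the `sprintf()` wrappers, since none of the strings has format arguments.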
> I.e., by using the old type
> 'auth' => $injector->getInstance('Horde_Core_Factory_Auth')->create());
> instead of the new _getAuth() function, I'm able to login by using
> activesync (all devices).


Sounds like there might be a problem locating the new  
Horde_Core_ActiveSync_Auth class.


> However, my debug lines are obviously not done correctly, as I'm  
> unable to get any debug lines out of this
> newer _getAuth() function at will. I'm sure you have some hints how  
> to accomplish that.

Yeah, the logger is not being instantiated correctly. However, it's  
just easier to use Horde::debug() for this type of stuff. It will dump  
the output into a file called horde_debug.txt located in your system's  
tmp directory.

So, after you change back to using $this->_getAuth(), add this right
before the final return statement in the _getAuth method:

Horde::debug($obj);


This should dump the auth object to the horde_debug.txt file.
-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
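
An added illustration, not part of the original message and not Horde's code: a minimal model of the three ActiveSync authentication modes described in the quoted commit message, showing that an empty type reaches only the base driver and that a mode requiring both rejects a login without a client certificate. The interface, the class names, the mode names other than 'basic', and the credential fields are all hypothetical.

```php
<?php
// Illustrative model only: interface, class and mode names are hypothetical, not Horde's.
interface AuthDriver
{
    public function authenticate(string $user, array $credentials): bool;
}

// Stand-in for the horde-wide driver (IMAP in this thread); constructed user table.
final class StubBaseDriver implements AuthDriver
{
    public function authenticate(string $user, array $credentials): bool
    {
        $known = ['kaisa' => 'correct-password']; // constructed sample data
        return isset($known[$user], $credentials['password'])
            && hash_equals($known[$user], (string) $credentials['password']);
    }
}
// Stand-in for the X.509 driver: accepts only a certificate the web server verified.
final class StubCertDriver implements AuthDriver
{
    public function authenticate(string $user, array $credentials): bool
    {
        return ($credentials['cert_verified'] ?? false) === true
            && ($credentials['cert_cn'] ?? null) === $user;
    }
}

function activeSyncAuthenticate(?string $type, AuthDriver $base, ?AuthDriver $cert,
                                string $user, array $credentials): bool
{
    if ($type === null || $type === '' || $type === 'basic') {
        return $base->authenticate($user, $credentials);   // empty type: base driver only
    }
    if ($cert === null) {
        return false;                                      // cert mode without a cert driver
    }
    if ($type === 'cert') {                                // hypothetical mode name
        return $cert->authenticate($user, $credentials);
    }
    if ($type === 'basic_cert') {                          // hypothetical mode name
        return $base->authenticate($user, $credentials)
            && $cert->authenticate($user, $credentials);
    }
    return false;                                          // unknown setting: fail closed
}

$creds = ['password' => 'correct-password'];               // constructed: no client certificate
var_dump(activeSyncAuthenticate('', new StubBaseDriver(), new StubCertDriver(), 'kaisa', $creds));
var_dump(activeSyncAuthenticate('basic_cert', new StubBaseDriver(), new StubCertDriver(), 'kaisa', $creds));
```

With the same password, the first call succeeds and the second is rejected, because the request carries no verified client certificate.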