[horde] ActiveSync login & client-side certificates

Jens-U. Mozdzen jmozdzen at nde.ag
Mon May 26 14:23:17 UTC 2014


Hi Mike,

Zitat von Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting "Jens-U. Mozdzen" <jmozdzen at nde.ag>:
>
>> Hi *,
>>
>> I tried to add a rule to our web server so that ActiveSync access  
>> requires not only a client-side certificate, but is limited to a  
>> pre-defined list of certificates:
>>
>> --- cut here ---
>> <Location /Microsoft-Server-ActiveSync>
>>        SSLOptions +StrictRequire +ExportCertData +FakeBasicAuth
>>        AuthName        "nonsense message here"
>>        AuthType        Basic
>>        AuthUserFile    /etc/apache2/vhosts.d/passwd
>>        AuthGroupFile   /etc/apache2/vhosts.d/groups
>>        Require         group activesync
>> </Location>
>> --- cut here ---
>>
>> Before adding that rule, any ActiveSync request was logged in  
>> Apache's access log via the user name. After the change, I can see  
>> that both the client presents the proper certificate and that the  
>> cert name is used during httpd's logging.
>>
>> Unfortunately, somehow the Horde ActiveSync code does use the  
>> certificate name as the user name to authenticate, which will not  
>> work, of course. I see in Horde's log:
>>
>> ==> /var/log/horde/horde5.log <==
>> 2014-05-26T14:49:02+02:00 ERR: HORDE [horde]  [pid 30911 on line 62  
>> of "/usr/share/php5/PEAR/Horde/Core/ActiveSync/Auth.php"]
>> 2014-05-26T14:49:02+02:00 NOTICE: HORDE [horde] Login failed from  
>> ActiveSync client for user ***certificate DN redacted for  
>> security***. [pid 30911 on line 542 of  
>> "/usr/share/php5/PEAR/Horde/ActiveSync.php"]
>>
>> The corresponding entry in httpd's access_log shows the expected 401 error:
>>
>> ==> /var/log/apache2/access_log.ssl <==
>> 192.168.102.4 - ***certificate DN redacted for security***  
>> [26/May/2014:14:49:02 +0200] "OPTIONS  
>> /Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype*** HTTP/1.1" 401  
>> -
>>
>> Activating (or deactivating) the following settings according to  
>> the Wiki doesn't change anything:
>>
>> --- cut here ---
>>        RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
>>        RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
>>        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>> --- cut here ---
>>
>> The login name is part of the ActiveSync request  
>> (User=***username***), so can't Horde use that user name for  
>> validation? Is it some hook on my side that interferes with this?  
>> Looking at the hooks below /horde/config or /horde/imp/config  
>> didn't reveal anything that seems relevant...
>>
>> Thank you for any pointers.
>
>
> What versions of Horde and pertinent libraries are you using?  Horde  
> 5.2 (which is currently in beta) has native support for using X509  
> client certs for ActiveSync either in lieu of, or in addition to  
> normal username/password auth. There are also a number of hooks that  
> can be used to customize the behavior.

This should be an almost up-to-date PEAR/stable install of Horde, so  
it'd be 5.1:

# pear list -c horde
Installed packages, channel pear.horde.org:
===========================================
Package                   Version State
Horde_ActiveSync          2.16.1  stable
Horde_Alarm               2.2.1   stable
Horde_Argv                2.0.9   stable
Horde_Auth                2.1.4   stable
Horde_Autoloader          2.1.0   stable
Horde_Autoloader_Cache    2.1.0   stable
Horde_Browser             2.0.7   stable
Horde_Cache               2.5.0   stable
Horde_Cli                 2.0.5   stable
Horde_Compress            2.0.8   stable
Horde_Compress_Fast       1.0.2   stable
Horde_Constraint          2.0.1   stable
Horde_Controller          2.0.1   stable
Horde_Core                2.11.1  stable
Horde_Crypt               2.4.3   stable
Horde_Crypt_Blowfish      1.0.2   stable
Horde_Css_Parser          1.0.4   stable
Horde_Data                2.0.5   stable
Horde_Date                2.0.10  stable
Horde_Date_Parser         2.0.2   stable
Horde_Dav                 1.0.5   stable
Horde_Db                  2.1.2   stable
Horde_Editor              2.0.4   stable
Horde_ElasticSearch       1.0.2   stable
Horde_Exception           2.0.4   stable
Horde_Feed                2.0.2   stable
Horde_Form                2.0.8   stable
Horde_Group               2.0.3   stable
Horde_HashTable           1.1.2   stable
Horde_History             2.3.1   stable
Horde_Http                2.1.1   stable
Horde_Icalendar           2.0.8   stable
Horde_Image               2.0.8   stable
Horde_Imap_Client         2.20.0  stable
Horde_Imsp                2.0.5   stable
Horde_Injector            2.0.3   stable
Horde_Itip                2.0.6   stable
Horde_Kolab_Format        2.0.5   stable
Horde_Kolab_Server        2.0.2   stable
Horde_Kolab_Session       2.0.1   stable
Horde_Kolab_Storage       2.1.0   stable
Horde_Ldap                2.0.5   stable
Horde_ListHeaders         1.1.2   stable
Horde_Lock                2.1.1   stable
Horde_Log                 2.1.0   stable
Horde_LoginTasks          2.0.3   stable
Horde_Mail                2.3.0   stable
Horde_Mapi                1.0.2   stable
Horde_Memcache            2.0.5   stable
Horde_Mime                2.3.5   stable
Horde_Mime_Viewer         2.0.7   stable
Horde_Mongo               1.0.2   stable
Horde_Nls                 2.0.4   stable
Horde_Notification        2.0.1   stable
Horde_Oauth               2.0.1   stable
Horde_Pack                1.0.1   stable
Horde_Pdf                 2.0.3   stable
Horde_Perms               2.1.2   stable
Horde_Prefs               2.6.0   stable
Horde_Queue               1.1.1   stable
Horde_Rdo                 2.0.2   stable
Horde_Role                1.0.1   stable
Horde_Routes              2.0.2   stable
Horde_Rpc                 2.1.1   stable
Horde_Scheduler           2.0.1   stable
Horde_Scribe              2.0.1   stable
Horde_Secret              2.0.2   stable
Horde_Serialize           2.0.2   stable
Horde_Service_Facebook    2.0.6   stable
Horde_Service_Twitter     2.1.1   stable
Horde_Service_Weather     2.1.1   stable
Horde_SessionHandler      2.2.4   stable
Horde_Share               2.0.5   stable
Horde_Smtp                1.5.0   stable
Horde_Socket_Client       1.1.1   stable
Horde_SpellChecker        2.1.1   stable
Horde_Stream              1.6.1   stable
Horde_Stream_Filter       2.0.2   stable
Horde_Stream_Wrapper      2.1.0   stable
Horde_Support             2.1.1   stable
Horde_SyncMl              2.0.3   stable
Horde_Template            2.0.1   stable
Horde_Text_Diff           2.0.2   stable
Horde_Text_Filter         2.2.1   stable
Horde_Text_Filter_Csstidy 2.0.1   stable
Horde_Text_Filter_Jsmin   1.0.1   stable
Horde_Text_Flowed         2.0.1   stable
Horde_Thrift              2.0.1   stable
Horde_Timezone            1.0.6   stable
Horde_Token               2.0.5   stable
Horde_Translation         2.1.0   stable
Horde_Tree                2.0.2   stable
Horde_Url                 2.2.2   stable
Horde_Util                2.4.0   stable
Horde_Vfs                 2.2.0   stable
Horde_View                2.0.4   stable
Horde_Xml_Element         2.0.1   stable
Horde_Xml_Wbxml           2.0.1   stable
content                   2.0.3   stable
gollem                    3.0.2   stable
horde                     5.1.6   stable
horde_lz4                 1.0.3   stable
imp                       6.1.7   stable
ingo                      3.1.4   stable
kronolith                 4.1.5   stable
mnemo                     4.1.3   stable
nag                       4.1.4   stable
timeobjects               2.1.0   stable
trean                     1.0.3   stable
turba                     4.1.4   stable

> That being said, I'm not 100% sure I follow your example. What  
> username/password is being passed to Horde, where does it come from?

I'm using the native email client on an SGS4 to connect via EAS to our  
Horde server. The client both has the user credentials  
(username/password to authenticate against Horde) and is using a  
client-side certificate (to be granted access via https).

When I do not impose access restrictions on  
/Microsoft-Server-ActiveSync (via httpd.conf, see above), then  
obviously the username from the "User" parameter of the HTTP request  
is used  
("/Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype***")  
and the password is most probably "in-band" within the request's data.  
In Horde's log I then see the corresponding "userid at mydomain has  
logged on" messages (this is no quote from the actual log ;) ). Apache  
httpd from then on logs all ActiveSync requests with the username in  
its access_log - although this username is nowhere defined in Apache's  
user database, so I guess that information is somehow retrieved from  
the PHP side of things after a successful login per the Horde  
ActiveSync module.

Once I set up the above restriction (limit access to  
/Microsoft-Server-ActiveSync to DNs contained in an httpd user group),  
I see that Horde ActiveSync tries to log in the user via the  
certificate's DN, rather than the value from the "User" parameter of  
the actual request.

What I'm looking for is a way to make Horde still use the username  
from the ActiveSync request, rather than the DN, even if the client  
used a certificate to successfully establish authentication with httpd.

With regards,
Jens
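Added example (not code from this thread or from the Horde project): an Apache configuration that keeps the "only these certificates" restriction on /Microsoft-Server-ActiveSync but does without +FakeBasicAuth. mod_ssl's FakeBasicAuth option translates the client certificate's Subject DN into an HTTP Basic username (with a fixed password) before the authentication modules run, so anything downstream that reads the Basic credentials or REMOTE_USER gets the DN rather than the device's own login. Pinning the permitted DNs with SSLRequire (Apache 2.2) or Require expr (Apache 2.4) leaves the Authorization header the device sent untouched. The DNs, the CA file path and the vhost are placeholders; the 2.4 variant assumes the RFC 2253 DN string format that 2.4 produces by default.

```apache
# Added example, not from the thread. Placeholder DNs and paths throughout.
#
# In the vhost (SSLCACertificateFile is not valid inside <Location>):
#   SSLCACertificateFile /etc/apache2/ssl.crt/activesync-ca.crt   # hypothetical path

<Location /Microsoft-Server-ActiveSync>
    # A certificate from our CA is mandatory for this path. Setting this per
    # Location forces a TLS renegotiation on first access to the path; set it
    # in the vhost instead if the whole host is client-cert only.
    SSLVerifyClient  require
    SSLVerifyDepth   2

    # Hard-deny unless the Subject DN is on the allow list. +StrictRequire makes
    # a failed SSLRequire a 403 regardless of any other Satisfy/Require logic.
    # Apache 2.2 DN format (one-line, slash separated):
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CLIENT_S_DN} in {"/C=DE/O=Example/CN=phone-alice", \
                                       "/C=DE/O=Example/CN=phone-bob"}

    # Apache 2.4 equivalent (SSLRequire is deprecated there; DN is RFC 2253 form):
    # Require expr %{SSL_CLIENT_S_DN} in { 'CN=phone-alice,O=Example,C=DE', \
    #                                      'CN=phone-bob,O=Example,C=DE' }

    # Deliberately NO AuthType/AuthUserFile/AuthGroupFile and NO +FakeBasicAuth:
    # the Basic credentials the device sends stay intact, and the wiki's
    # RewriteRule that exports HTTP_AUTHORIZATION keeps passing them to Horde.
</Location>
```

Before pinning DNs, log the exact string your httpd produces with a LogFormat containing `%{SSL_CLIENT_S_DN}x`, because the 2.2 and 2.4 formats differ and an allow-list entry that does not match byte for byte simply denies everyone. If you later move to 2.4, the SSLRequire line should be replaced by the Require expr line rather than kept alongside it.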
