[horde] ActiveSync login & client-side certificates

Jens-U. Mozdzen jmozdzen at nde.ag
Tue May 27 22:36:55 UTC 2014


Hi Mike,

Zitat von Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting "Jens-U. Mozdzen" <jmozdzen at nde.ag>:
> [...]
>> When I do not impose access restrictions on
>> /Microsoft-Server-ActiveSync (via httpd.conf, see above), then
>> obviously the username from the "User" parameter of the HTTP
>> request is used
>> ("/Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype***")
>> and the password is most probably "in-band" within the request data.
>> In Horde's log I then see the corresponding "userid at mydomain has
>> logged on" messages (this is no quote from the actual log ;) ).
>> Apache httpd from then on logs all ActiveSync requests with the
>> username in its access_log - although this username is nowhere
>> defined in Apache's user database, so I guess that information is
>> somehow retrieved from the PHP side of things after a successful
>> login per the Horde ActiveSync module.
>
> If you are interested in where the username and password comes from:  
> ActiveSync uses the data from HTTP BASIC authentication. In  
> addition, the username is also passed in either (depending on the  
> EAS version) the GET parameters or in a base64 encoded POSTed value  
> that includes all of the other EAS required parameters.
>
>> Once I set up the above restriction (limit access to  
>> /Microsoft-Server-ActiveSync to DNs contained in an httpd user  
>> group), I see that Horde ActiveSync tries to log in the user via  
>> the certificate's DN, rather than the value from the "User"  
>> parameter of the actual request.
>
> Is it possible Apache is sending the DN in the HTTP Auth headers?

Yes, everything seems to point in that direction. I just don't  
understand why Horde's AS module uses that, instead of the username as  
passed in the GET parameter or POST value. Those latter values seem  
more "precise", and my case does indeed show the distinction between a  
web server authentication and the ActiveSync authentication. Of  
course, the EAS user & password is required for auth against the mail  
server, too.

As a matter of fact, the same holds true for the standard web  
interface: No matter if I need a ("client-side certificate"-based)  
authentication to the web server, there's the need to log in to Horde  
for the same reason.

>> What I'm looking for is a way to make Horde still use the username  
>> from the ActiveSync request, rather than the DN, even if the client  
>> used a certificate to successfully establish authentication with  
>> httpd.
>
> I'm pretty sure this is how it works in Horde 5.2 when you select  
> X509 certificates on top of normal HTTP Auth, but I'll have to  
> double check.

Again, I believe the right default way of doing this is to use the  
credentials passed in the AS request and to ignore any authentication  
established with the web server. Allowing the latter to be used at the  
discretion of the admin, with all possible consequences, is of course  
something that may be helpful to some. So I'm not saying using  
pre-authentication by the web server should not be possible - just  
*optional*.

Concerning H5.2: Currently I have to stick to the PEAR releases, so I  
cannot say anything about the upcoming new release. But I'll try to  
find the time to look at 5.1's AS code to see if I find anything  
concerning this topic.

Regards,
Jens
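
An added example, written for this archive page and not taken from Jens's or Mike's message or from Horde's code: a small Python routine that separates the two identities the thread is about, the user name in the HTTP Basic Authorization header and the User= parameter in the ActiveSync request line, and decides which one the sync layer should log in as. The one assumption beyond what the thread states is the mechanism by which Apache would place a DN into the Basic header: mod_ssl's `SSLOptions +FakeBasicAuth`, which substitutes the client certificate's subject DN as the user name together with the fixed password "password". The request lines, the DN and the user names below are constructed samples; the EAS 14.1 base64-encoded query form is not decoded here.

```python
"""
Added example, not code from Horde or from anyone in this thread: pull the
two identities out of an Exchange ActiveSync (EAS) request the way the thread
describes them (the HTTP Basic Authorization header and the User= query
parameter) and decide which one the sync layer should log in as.

Assumption not stated in the thread: Apache's mod_ssl with
`SSLOptions +FakeBasicAuth` rewrites the Basic header to carry the client
certificate's subject DN as the user name and the fixed password "password".
The EAS 14.1 base64-encoded query form is not decoded here.
All sample requests below are constructed, not captured.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Fixed password mod_ssl supplies for every +FakeBasicAuth request.
FAKE_BASIC_PASSWORD = "password"

# Constructed sample requests (not from a real server log).
SAMPLE_TARGET = ("/Microsoft-Server-ActiveSync?Cmd=OPTIONS"
                 "&User=jens&DeviceId=ABC123&DeviceType=SmartPhone")
SAMPLE_BASIC = "Basic amVuczpnZWhlaW0="        # base64("jens:geheim")
SAMPLE_FAKE_BASIC = "Basic " + base64.b64encode(
    b"/C=DE/O=Example/CN=Example User:" + FAKE_BASIC_PASSWORD.encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the first colon separates user name and password.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def query_user(request_target):
    """Return the User= parameter of an EAS request line, or None if absent."""
    values = parse_qs(urlsplit(request_target).query).get("User")
    return values[0] if values else None


def looks_like_fake_basic(creds):
    """Heuristic for a +FakeBasicAuth header: DN-shaped user, fixed password."""
    user, password = creds
    return password == FAKE_BASIC_PASSWORD and "CN=" in user


def resolve_eas_identity(request_target, authorization):
    """
    Decide which name the EAS layer should log in as.

    Returns a dict with the chosen 'user', its 'source' ("basic" or "query"),
    the certificate 'dn' when the web server pre-authenticated the client,
    and the 'password' available for the downstream mail login (None if the
    request carried no user-supplied password).
    """
    creds = parse_basic_auth(authorization)
    q_user = query_user(request_target)

    if creds and looks_like_fake_basic(creds):
        # The Basic header is the web server's certificate pre-authentication,
        # not the sync client's credentials: take the user from the request
        # and note that no password is available for the mail server.
        return {"user": q_user, "source": "query", "dn": creds[0], "password": None}

    if creds:
        user, password = creds
        if q_user is not None and q_user.lower() != user.lower():
            # A client authenticating as one user while asking to sync as
            # another is refused rather than silently resolved either way.
            raise ValueError("User parameter %r does not match Basic user %r"
                             % (q_user, user))
        return {"user": user, "source": "basic", "dn": None, "password": password}

    return {"user": q_user, "source": "query", "dn": None, "password": None}


if __name__ == "__main__":
    print(resolve_eas_identity(SAMPLE_TARGET, SAMPLE_BASIC))
    print(resolve_eas_identity(SAMPLE_TARGET, SAMPLE_FAKE_BASIC))
```

Two behaviours are worth pointing out. When the Basic header is recognised as the certificate pre-authentication, the result carries no password at all, which is exactly Jens's point that the EAS user and password are still needed for the login against the mail server. And when the header holds real client credentials that disagree with the User= parameter, the request is refused instead of one of the two names being picked quietly.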