[sync] autodiscover/EAS email vs login

Michael J Rubinsky mrubinsk at horde.org
Mon Nov 5 15:42:56 UTC 2012


Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:

> On 11/04/2012 22:21, geoffroy desvernay wrote:
>> Hi all,
>>
>> Testing horde5 for some time, I managed to get:
>>  - autodiscover (basically, it works, but the device uses email to log in
>> activesync service)
>>  - users to be able to manage their devices (it works, if login is user
>> instead of email - not with autodiscover)
>>
>> I tried:
>>
>>  - 'activesync_get_autodiscover_username' hook (not very documented as
>> well), not sufficient with my devices (emulator 2.3, 4.0 and 4.1), but
>> can this work since there is no 'login' attribute in M$'s schema ?

Correct. There is no 'login' attribute. In Exchange, the username is  
the mailbox portion of the email address. Period.

The hook exists so that horde can use the data INITIALLY entered into  
the client's configuration to authenticate to Horde during the  
AUTOCONFIGURE process. The point here is that ActiveSync will ONLY  
send the email address in the AUTOCONFIGURE request so we need to tell  
Horde how to turn that into a username.

Additionally, the ActiveSync client will assume that the mailbox name  
is equal to the username. Some clients display the final configuration  
data to the user for editing after the AUTODISCOVER process is  
complete. This gives the user the chance to tweak things. If yours  
does not, and your Horde installation uses the entire email address  
for authentication, then there is nothing Horde can do about that  
since that is a built-in feature of the protocol. If your installation
does not work this way, then autodiscover will not work. Period. It's  
a convenience only, and a good deal of clients (mostly Android) don't  
support it anyway.

>>  - 'preauthenticate' hook to transform email to login - it works
>> everywhere but activesync still registers the device with the email
>> instead of the login, so the user doesn't get it in his prefs.

Not the correct hook. At least, not for ActiveSync.

>> It's a simple horde5 pear install, with r/o LDAP auth backend but I'm
>> not sure it changes anything to this problem, can it ?
>>
>> ps: Is there a documentation explaining that one has to add permissions
>> to get that, I did read the code to catch this, did I search correctly
>> before ?

Sorry, don't follow what you are asking here. Permissions to get what?


>> Anyway, thank you really for this version, that may become *the*
>> really-oss-and-working alternative for mobile groupware ;)
>>
>
> Could someone tell me if (where?) I'm wrong here:
>  - Autodiscover mechanism won't let us define the login used (I found
> nothing in schema that could help in that - checked
> http://msdn.microsoft.com/en-us/library/gg663411%28v=exchg.80%29.aspx )

This is correct. Exchange's ActiveSync autodiscovery ALWAYS uses the  
provided email address. In Horde, we *try* to determine the username  
from either the mailbox portion of the email address (if you choose  
"user" in the ActiveSync autodiscovery configuration), or by using a  
hook. Of course, if your users log in with their email address anyway,  
that is also an option.

>  - the 'preauthenticate' hook does change the login used for
> authentication, but not for registering device (am I using the right
> hook, is activesync an application or part of the Core ?)

The hook name you want is activesync_get_autodiscover_username, in  
horde's hook.php file. It should take an email address, and return a  
username.

I thought I provided an example hook in that file, or at least in the  
wiki but it looks like it either got lost, or my mind is lost.  I'll  
update both to make it easier to find in the future.

-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
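
A sketch of the hook described above, added here as an example and not taken from the original message or from Horde's own hooks file: it maps the client-supplied address to a login by exact lookup instead of slicing off the local part. The Horde_Hooks class layout, the sample directory and the example.org domain are assumptions.

```php
<?php
// Added illustration, not Horde's shipped hook. The Horde_Hooks class layout
// is assumed; the directory contents and domain list are constructed samples.
class Horde_Hooks
{
    // Stand-in for an authoritative lookup (e.g. LDAP mail attribute -> uid).
    private $_directory = array(
        'alice.martin@example.org' => 'amartin',
        'bob@example.org'          => 'bob',
    );

    // Hypothetical: mail domains this installation is responsible for.
    private $_domains = array('example.org');

    /**
     * @param string $email  Address the client sent in the Autodiscover request.
     * @return string        Login name, or the input unchanged when unmapped.
     */
    public function activesync_get_autodiscover_username($email)
    {
        $addr = strtolower(trim($email));

        // The address is client-supplied: accept one well-formed address only.
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return $email;
        }

        // Ignore addresses outside the served domains.
        $domain = substr($addr, strrpos($addr, '@') + 1);
        if (!in_array($domain, $this->_domains, true)) {
            return $email;
        }

        // Exact-match lookup; no guessing from the local part.
        return isset($this->_directory[$addr]) ? $this->_directory[$addr] : $email;
    }
}

// Stand-alone demonstration; drop this part when adapting the method.
$hooks = new Horde_Hooks();
foreach (array('Alice.Martin@example.org', 'bob@other.test', 'not-an-address') as $in) {
    printf("%-26s => %s\n", $in, $hooks->activesync_get_autodiscover_username($in));
}
```

On a real install the array would be replaced by a query against the authentication backend, with the address escaped for that backend's filter syntax.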