[sync] autodiscover/EAS email vs login

geoffroy desvernay dgeo at centrale-marseille.fr
Mon Nov 5 23:57:50 UTC 2012


On 05/11/2012 16:42, Michael J Rubinsky wrote:
> 
> Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:
> 
>> On 11/04/2012 22:21, geoffroy desvernay wrote:
>>> Hi all,
>>>
>>> Testing horde5 for some time, I managed to get:
>>>  - autodiscover (basically, it works, but the device uses email to log in
>>> activesync service)
>>>  - users to be able to manage their devices (it works, if login is user
>>> instead of email - not with autodiscover)
>>>
>>> I tried:
>>>
>>>  - 'activesync_get_autodiscover_username' hook (not very documented as
>>> well), not sufficient with my devices (emulator 2.3, 4.0 and 4.1), but
>>> can this work since there is no 'login' attribute in M$'s schema ?
> 
> Correct. There is no 'login' attribute. In Exchange, the username is the
> mailbox portion of the email address. Period.
> 
> The hook exists so that horde can use the data INITIALLY entered into
> the client's configuration to authenticate to Horde during the
> AUTOCONFIGURE process. The point here is that ActiveSync will ONLY send
> the email address in the AUTOCONFIGURE request so we need to tell Horde
> how to turn that into a username.
> 
> Additionally, the ActiveSync client will assume that the mailbox name is
> equal to the username. Some clients display the final configuration data
> to the user for editing after the AUTODISCOVER process is complete. This
> gives the user the chance to tweak things. If yours does not, and your
> Horde installation uses the entire email address for authentication,
> then there is nothing Horde can do about that since that is a built in
> feature of the protocol. If your installation does not work this way,
> then autodiscover will not work. Period. It's a convenience only, and a
> good deal of clients (mostly Android) don't support it anyway.
> 
Thank you for these clarifications, I needed it :)

Concerning android, I'm (we are) using autodiscover with different
android devices (and iOS), against a not-so-free software we bought just
to support EAS some years ago, but this system *does* use complete email
addresses internally. This was only for a few "VIPs".
Our real (say, used by everyone here) webmail system has always been
horde since the first releases, and I'd be very happy to help it
continue to do its work, with the (now mandatory) mobile-sync-thing for
all our users.

>>>  - 'preauthenticate' hook to transform email to login - it works
>>> everywhere but activesync still registers the device with the email
>>> instead of the login, so the user doesn't get it in his prefs.
> 
> Not the correct hook. At least, not for ActiveSync.
> 
Would it be possible to let it be ?

Or at least to link the email address to an account to let it see (and
manage) his devices ?

>>> ps: Is there a documentation explaining that one has to add permissions
>>> to get that, I did read the code to catch this, did I search correctly
>>> before ?
> 
> Sorry, don't follow what you are asking here. Permissions to get what?

Sorry, that sentence was anything but understandable... a kind of
pre-written-post-scriptum-mis-pasted ;), let's write it again:

I had to add horde:activesync:provisioning permission to 'Allow' through
the admin interface to get any device in 'provisioned' state: without
adding this permission horde seems to ignore provisioning
(Horde_ActiveSync::PROVISIONING_NONE from what I caught in the code)

I didn't find anything in the wiki about this, and hoped to find this
in the configuration... anyway, I'd have liked to read a simple 'Add the
horde:activesync:provisioning permission to configure the kind of
provisioning you want' :)

I'm still trying to get how to configure activesync:provisioning:*
policies (as I read in _getPolicyFromPerms(),
Horde_ActiveSync_Policies::POLICY_ROAMING_NOPUSH for example).
The admin interface doesn't allow me to push these (may be a config
problem in my installs)

> 
> 
>>> Anyway, thank you really for this version, that may become *the*
>>> really-oss-and-working alternative for mobile groupware ;)
>>>
>>
>> Could someone tell me if (where?) I'm wrong here:
>>  - Autodiscover mechanism won't let us define the login used (I found
>> nothing in schema that could help in that - checked
>> http://msdn.microsoft.com/en-us/library/gg663411%28v=exchg.80%29.aspx )
> 
> This is correct. Exchange's ActiveSync autodiscovery ALWAYS uses the
> provided email address. In Horde, we *try* to determine the username
> from either the mailbox portion of the email address (if you choose
> "user" in the ActiveSync autodiscovery configuration), or by using a
> hook. Of course, if your users log in with their email address anyway,
> that is also an option.
> 
Of course this is an option, but I'm not that confident with our actual
horde3 DB to change ~2000 actual logins to emails while migrating to
horde5… And we use a (still-to-be-adapted-to-h5) CAS login that works
with logins in all our systems... but I will investigate a bit more this
way too :)

>>  - the 'preauthenticate' hook does change the login used for
>> authentication, but not for registering device (am I using the right
>> hook, is activesync an application or part of the Core ?)
> 
> The hook name you want is activesync_get_autodiscover_username, in
> horde's hook.php file. It should take an email address, and return a
> username.
Yes I found this one, I hoped it would allow me to discover a "magic"
way to get the device to understand that it should use the login, but it
works exactly as you say (and as you wrote it to work), and nothing
magic has happened with the limited xml schema ;)

> 
> I thought I provided an example hook in that file, or at least in the
> wiki but it looks like it either got lost, or my mind is lost.  I'll
> update both to make it easier to find in the future.
> 
Again, thank you for all the work and the support !

-- 
*Geoffroy Desvernay*
C.R.I - Administration systèmes et réseaux
Ecole Centrale de Marseille
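
The email-to-login mapping discussed in this thread, as an added example that is not part of the original message and is not Horde's own code: a function that could be called from the `activesync_get_autodiscover_username` hook to turn the address sent in the autodiscover request into a login. The function name, the mail domain, the override table and the null-on-reject convention are all assumptions.

```php
<?php
// Added example, not Horde code. All names and values here are hypothetical.

// Constructed sample data: mail domains this site serves, and mailboxes
// whose login differs from the mailbox part of the address.
const MAIL_DOMAINS = ['example.org'];
const LOGIN_OVERRIDES = ['jane.doe' => 'jdoe'];

/**
 * Map the email address a device sends during autodiscover to a login.
 * Returns null when the address must not be mapped to any account.
 */
function email_to_login(string $email): ?string
{
    $email = strtolower(trim($email));

    // Exactly one "@", with a non-empty mailbox and domain.
    $parts = explode('@', $email);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    [$mailbox, $domain] = $parts;

    // Only strip the domain for domains we host; otherwise
    // user@other.example would silently resolve to the local "user".
    if (!in_array($domain, MAIL_DOMAINS, true)) {
        return null;
    }

    // Restrict the mailbox to the characters local logins use, so nothing
    // unexpected reaches the authentication backend or the device table.
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $mailbox)) {
        return null;
    }

    // Same canonical login for every spelling of the address, so a device
    // is always recorded under the account that manages it.
    return LOGIN_OVERRIDES[$mailbox] ?? $mailbox;
}

// Constructed inputs exercising each branch.
$samples = ['Jane.Doe@Example.org', 'alice@example.org',
            'alice@other.example', 'a@b@example.org'];
foreach ($samples as $addr) {
    printf("%-22s => %s\n", $addr, email_to_login($addr) ?? '(rejected)');
}
```

Using the same mapping wherever an email address is accepted as a login keeps the authenticated identity and the identity a device is registered under from drifting apart.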

