[sync] autodiscover/EAS email vs login

Michael J Rubinsky mrubinsk at horde.org
Tue Nov 6 00:28:55 UTC 2012 

Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:

> On 05/11/2012 16:42, Michael J Rubinsky wrote:
>>
>> Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:
>>
>>> Le 11/04/2012 22:21, geoffroy desvernay a écrit :
>>>> Hi all,
>>>>
>>>> Testing horde5 for some time, I managed to get:
>>>>  - autodiscover (basically, it works, but the device use email to log in
>>>> activesync service)
>>>>  - users to be able to manage their devices (it works, if login is user
>>>> instead of email - not with autodiscover)
>>>>
>>>> I tried:
>>>>
>>>>  - 'activesync_get_autodiscover_username' hook (not very documented as
>>>> well), not sufficient with my devices (emulator 2.3, 4.0 and 4.1), but
>>>> can this work since there is no 'login' attribute in M$'s schema ?
>>
>> Correct. There is no 'login' attribute. In Exchange, the username is the
>> mailbox portion of the email address. Period.
>>
>> The hook exists so that horde can use the data INITIALLY entered into
>> the client's configuration to authenticate to Horde during the
>> AUTOCONFIGURE process. The point here is that ActiveSync will ONLY send
>> the email address in the AUTOCONFIGURE request so we need to tell Horde
>> how to turn that into a username.
>>
>> Additionally, the ActiveSync client will assume that the mailbox name is
>> equal to the username. Some clients display the final configuration data
>> to the user for editing after the AUTODISCOVER process is complete. This
>> gives the user the chance to tweak things. If yours does not, and your
>> Horde installation uses the entire email address for authentication,
>> then there is nothing Horde can do about that since that is a built in
>> feature of the protocol. If your installation does not work this way,
>> then autodiscover will not work. Period. It's a convenience only, and a
>> good deal of clients (mostly Android) don't support it anyway.
>>
> Thank you for these clarifications, I needed it :)
>
> Concerning android, I'm (we are) using autodiscover with different
> android devices (and IOS), against a no-so-free software we bought just
> to support EAS some years ago, but this system *does* use complete email
> adresses internally. This was only for a few "VIP's".
> Our real (say, used by everyone here) webmail system has always been
> horde since the first releases, and I'd be very happy to help it
> continue to do his work, with the (now mandatory) mobile-sync-thing for
> all our users.
>
>>>>  - 'preauthenticate' hook to transform email to login - it works
>>>> everywhere but activesync still registers the device with the email
>>>> instead of the login, so the user doesn't get it in his prefs.
>>
>> Not the correct hook. At least, not for ActiveSync.
>>
> Would it be possible to let it be ?

To let it be what? The correct hook to use for ActiveSync? No. That  
hook is horde-wide and has a completely different purpose.


>
> Or at least to link the email address to an account to let it see (and
> manage) his devices ?

I still don't see what the problem is for you. Are your users' email  
mailboxes not the same as their username? I.e., if a user logs into  
Horde with username_one, is the email address  
username_one at example.com?  If it is NOT, then autoconfigure will NOT  
work. Period. There is no mechanism to automatically report back a  
different username to the device. The user needs to edit it, or not  
use autoconfigure. If the email address DOES match like that, then  
there should be no problem using AUTOCONFIGURE with stripping  
everything after and including the '@' in the address.

>>>> ps: Is there a documentation explaining that one have to add permissions
>>>> to get that, I did read the code to catch this, did I search correctly
>>>> before ?
>>
>> Sorry, don't follow what you are asking here. Permissions to get what?
>
> Sorry, that sentence was anything but understandable... a kind of
> pre-written-post-scriptum-mis-pasted ;), let's write it again:
>
> I had to add horde:activesync:provisioning permission to 'Allow' through
> the admin interface to get any device in 'provisioned' state: without
> adding this permission horde seems to ignore provisioning
> (Horde_ActiveSync::PROVISIONING_NONE from what I caught in the code)

Ah, ok. Yes. You have to explicitly add it since it is the more  
restrictive choice and has the possibility of disallowing devices from  
connecting.


> I didn't found anything in the wiki about this, and hoped to find this
> in the configuration... anyway, I'd have liked to read a simple 'Add the
> horde:activesync:provisionning permission to configure the kind of
> provisionning you want' :)

Yes, I have a @TODO for exactly this on wiki.horde.org/ActiveSync


> I'm still trying to get how to configure activesync:provisioning:*
> policies (as I read in _getPolicyFromPerms(),
> Horde_ActiveSync_Policies::POLICY_ROAMING_NOPUSH for example).
> The admin interface doesn't allow me to push these (may be a config
> problem in my installs)

Not sure what you mean by "push these".  When you configure them, they  
will be transmitted as the policy the next time the device issues a  
PROVISIONING request.  You can force devices to reprovision by  
choosing "Reset All Policykeys" in the activesync administrative  
interface. It's also worth noting that not all devices honor all of  
these policies, and not all of them are available in older activesync  
versions.


>>>> Anyway, thank you really for this version, that may become *the*
>>>> really-oss-and-working alternative for mobile groupware ;)
>>>>
>>>
>>> Could someone tell me if (where?) I'm wrong here:
>>>  - Autodiscover mechanism won't let us define the login used (I found
>>> nothing in shema that could help in that - checked
>>> http://msdn.microsoft.com/en-us/library/gg663411%28v=exchg.80%29.aspx )
>>
>> This is correct. Exchange's ActiveSync autodiscovery ALWAYS uses the
>> provided email address. In Horde, we *try* to determine the username
>> from either the mailbox portion of the email address (if you choose
>> "user" in the ActiveSync autodiscovery configuration), or by using a
>> hook. Of course, if your users log in with their email address anyway,
>> that is also an option.
>>
> Of course this is an option, but I'm not that confident with our actual
> horde3 DB to change ~2000 actual logins to emails while migrating to
> horde5? And we use a (still-to-be-adapted-to-h5) CAS login that works
> with logins in all our systems... but I will investigate a bit more this
> way too :)

Didn't mean to suggest that you should use email addresses as your  
login, just stating that that should also work if that was what you  
were already using.

-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6062 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.horde.org/archives/sync/attachments/20121105/9f1fbaa1/attachment-0001.bin>

More information about the sync mailing list