[sync] autodiscover/EAS email vs login

geoffroy desvernay dgeo at centrale-marseille.fr
Tue Nov 6 15:58:25 UTC 2012


On 11/06/2012 01:28, Michael J Rubinsky wrote:
> 
> Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:
> 
>> On 05/11/2012 16:42, Michael J Rubinsky wrote:
>>>
>>> Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:
>>>
>>>>> On 11/04/2012 22:21, geoffroy desvernay wrote:
>>>>> Hi all,
>>>>>
>>>>> Testing horde5 for some time, I managed to get:
>>>>>  - autodiscover (basically, it works, but the device uses the email
>>>>> address to log in to the activesync service)
>>>>>  - users to be able to manage their devices (it works if the login is
>>>>> the username instead of the email - not with autodiscover)
>>>>>
>>>>> I tried:
>>>>>
>>>>>  - 'activesync_get_autodiscover_username' hook (not very well documented
>>>>> either), not sufficient with my devices (emulator 2.3, 4.0 and 4.1), but
>>>>> can this work, since there is no 'login' attribute in M$'s schema?
>>>
>>> Correct. There is no 'login' attribute. In Exchange, the username is the
>>> mailbox portion of the email address. Period.
>>>
>>> The hook exists so that horde can use the data INITIALLY entered into
>>> the client's configuration to authenticate to Horde during the
>>> AUTOCONFIGURE process. The point here is that ActiveSync will ONLY send
>>> the email address in the AUTOCONFIGURE request so we need to tell Horde
>>> how to turn that into a username.
>>>
>>> Additionally, the ActiveSync client will assume that the mailbox name is
>>> equal to the username. Some clients display the final configuration data
>>> to the user for editing after the AUTODISCOVER process is complete. This
>>> gives the user the chance to tweak things. If yours does not, and your
>>> Horde installation uses the entire email address for authentication,
>>> then there is nothing Horde can do about that since that is a built in
>>> feature of the protocol. If your installation does not work this way,
>>> then autodiscover will not work. Period. It's a convenience only, and a
>>> good deal of clients (mostly Android) don't support it anyway.
>>>
>> Thank you for these clarifications, I needed it :)
>>
>> Concerning android, I'm (we are) using autodiscover with different
>> android devices (and IOS), against a not-so-free software we bought just
>> to support EAS some years ago, but this system *does* use complete email
>> addresses internally. This was only for a few "VIPs".
>> Our real (say, used by everyone here) webmail system has always been
>> horde since the first releases, and I'd be very happy to help it
>> continue to do its work, with the (now mandatory) mobile-sync-thing for
>> all our users.
>>
>>>>>  - 'preauthenticate' hook to transform email to login - it works
>>>>> everywhere but activesync still registers the device with the email
>>>>> instead of the login, so the user doesn't get it in his prefs.
>>>
>>> Not the correct hook. At least, not for ActiveSync.
>>>
>> Would it be possible to let it be?
> 
> To let it be what? The correct hook to use for ActiveSync? No. That hook
> is horde-wide and has a completely different purpose.
> 
> 
>>
>> Or at least to link the email address to an account to let it see (and
>> manage) his devices ?
> 
> I still don't see what the problem is for you. Are your users' email
> mailboxes not the same as their username? I.e., if a user logs into
> Horde with username_one, is the email address username_one@example.com?
> If it is NOT, then autoconfigure will NOT work. Period. There is no
> mechanism to automatically report back a different username to the
> device. The user needs to edit it, or not use autoconfigure. If the
> email address DOES match like that, then there should be no problem
> using AUTOCONFIGURE with stripping everything after and including the
> '@' in the address.
> 
In this test case, what works:
 - userlogin matches the local part of the mail.
 - userlogin is used as the internal uid in horde
 - userlogin@domain CAN be used to log in to horde (thanks to the
preauthenticate hook)
 - userlogin@domain *is used* by the mobile device (because of
autodiscover), and the synchronized data *is* userlogin's

The only problem is that the user 'userlogin' doesn't see the device in
his preferences, and is not able to wipe/remove it. (horde's admin can,
seeing the device owned by 'userlogin@domain')
I thought that the authusername hook could be of some help here, but it
doesn't seem to be...

>>>>> ps: Is there any documentation explaining that one has to add
>>>>> permissions to get that? I did read the code to catch this; did I
>>>>> search correctly before?
>>>
>>> Sorry, don't follow what you are asking here. Permissions to get what?
>>
>> Sorry, that sentence was anything but understandable... a kind of
>> pre-written-post-scriptum-mis-pasted ;), let's write it again:
>>
>> I had to add horde:activesync:provisioning permission to 'Allow' through
>> the admin interface to get any device in 'provisioned' state: without
>> adding this permission horde seems to ignore provisioning
>> (Horde_ActiveSync::PROVISIONING_NONE from what I caught in the code)
> 
> Ah, ok. Yes. You have to explicitly add it since it is the more
> restrictive choice and has the possibility of disallowing devices from
> connecting.
> 
Isn't "Force" the only one that may disallow devices ?
Anyway, I understand pretty well why NONE is a good default, as
providing a WIPE button has to be done with full knowledge of the risks.

> 
>> I didn't find anything in the wiki about this, and hoped to find this
>> in the configuration... anyway, I'd have liked to read a simple 'Add the
>> horde:activesync:provisioning permission to configure the kind of
>> provisioning you want' :)
> 
> Yes, I have a @TODO for exactly this on wiki.horde.org/ActiveSync
> 
May I be of some help ? (despite my poor tailor ;)

> 
>> I'm still trying to get how to configure activesync:provisioning:*
>> policies (as I read in _getPolicyFromPerms(),
>> Horde_ActiveSync_Policies::POLICY_ROAMING_NOPUSH for example).
>> The admin interface doesn't allow me to push these (may be a config
>> problem in my installs)
> 
> Not sure what you mean by "push these".  When you configure them, they
> will be transmitted as the policy the next time the device issues a
> PROVISIONING request.  You can force devices to reprovision by choosing
> "Reset All Policykeys" in the activesync administrative interface. It's
> also worth noting that not all devices honor all of these policies, and
> not all of them are available in older activesync versions.
> 
I meant the admin interface doesn't let me configure these policies
(even for devices that are using the 12.1 protocol), or I don't know how
to set these?
I searched in the perms interface: nothing but
horde:activesync:provisioning, there is no 'Activesync' root perm
(should it?), nor is it in the configuration/activesync tab.

> 
>>>>> Anyway, thank you really for this version, that may become *the*
>>>>> really-oss-and-working alternative for mobile groupware ;)
>>>>>
>>>>
>>>> Could someone tell me if (where?) I'm wrong here:
>>>>  - Autodiscover mechanism won't let us define the login used (I found
>>>> nothing in the schema that could help in that - checked
>>>> http://msdn.microsoft.com/en-us/library/gg663411%28v=exchg.80%29.aspx )
>>>
>>> This is correct. Exchange's ActiveSync autodiscovery ALWAYS uses the
>>> provided email address. In Horde, we *try* to determine the username
>>> from either the mailbox portion of the email address (if you choose
>>> "user" in the ActiveSync autodiscovery configuration), or by using a
>>> hook. Of course, if your users log in with their email address anyway,
>>> that is also an option.
>>>
>> Of course this is an option, but I'm not that confident with our actual
>> horde3 DB to change ~2000 actual logins to emails while migrating to
>> horde5? And we use a (still-to-be-adapted-to-h5) CAS login that works
>> with logins in all our systems... but I will investigate a bit more this
>> way too :)
> 
> Didn't mean to suggest that you should use email addresses as your
> login, just stating that that should also work if that was what you were
> already using.
> 


-- 
*geoffroy desvernay*
C.R.I - Systems and network administration
Ecole Centrale de Marseille
Tel: (+33|0)4 91 05 45 24
Fax: (+33|0)4 91 05 45 98
dgeo at centrale-marseille.fr
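The identity problem the thread keeps circling is worth seeing in code: autodiscover hands the server only an email address, the server derives the login from it (strip everything after and including '@', as Michael describes), and device ownership has to be recorded under that internal uid rather than under whatever string the client authenticated with, otherwise the user never sees the device in their preferences and cannot wipe it. The model below is an added example, not Horde code; it assumes a constructed local domain `example.com`, a toy `DeviceRegistry`, and the design choice of refusing to map addresses from any other domain onto a local login.

```python
"""Model of the autodiscover email-vs-login mismatch discussed in the thread.

Constructed example, not Horde code. It shows (a) deriving the login from the
address the device sends, and (b) why device registration must key on the
canonical uid, not on the raw authenticated principal.
"""
from dataclasses import dataclass, field

# Constructed sample domain; a real deployment would take this from config.
LOCAL_DOMAIN = "example.com"


def autodiscover_username(email: str, local_domain: str = LOCAL_DOMAIN) -> str:
    """Derive the login the way the thread describes: keep the mailbox part,
    drop '@' and the domain. Addresses outside the local domain are refused
    so a foreign address can never be mapped onto a local login (assumption,
    not something the thread mandates)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {email!r}")
    if domain.lower() != local_domain.lower():
        raise ValueError(f"foreign domain {domain!r} cannot map to a local login")
    return local


def canonical_uid(principal: str) -> str:
    """Normalise whatever the client authenticated with (plain login or full
    address) to the internal uid. This is the step the poster's setup lacks:
    login succeeds with 'userlogin@domain', but the device is then filed under
    that string instead of under 'userlogin'."""
    if "@" in principal:
        return autodiscover_username(principal)
    return principal


@dataclass
class DeviceRegistry:
    """Toy device ownership table keyed by owner identity."""
    canonicalize: bool
    devices: dict[str, set[str]] = field(default_factory=dict)

    def register(self, authenticated_as: str, device_id: str) -> str:
        """Record a device for the principal that authenticated; returns the
        owner key actually used."""
        owner = canonical_uid(authenticated_as) if self.canonicalize else authenticated_as
        self.devices.setdefault(owner, set()).add(device_id)
        return owner

    def devices_for(self, uid: str) -> set[str]:
        """What the user sees in their preferences."""
        return set(self.devices.get(uid, ()))

    def wipe(self, uid: str, device_id: str) -> bool:
        """User-initiated wipe: only permitted on a device the uid owns."""
        if device_id in self.devices.get(uid, ()):
            self.devices[uid].discard(device_id)
            return True
        return False


def demo() -> tuple[set[str], set[str]]:
    """Register the same autodiscovered device with and without canonical
    uids and return what user 'userlogin' sees in each case."""
    broken = DeviceRegistry(canonicalize=False)
    fixed = DeviceRegistry(canonicalize=True)
    # Autodiscover configured the device with the full address (constructed id).
    broken.register("userlogin@example.com", "Android-ABC123")
    fixed.register("userlogin@example.com", "Android-ABC123")
    return broken.devices_for("userlogin"), fixed.devices_for("userlogin")


def wipe_demo() -> tuple[bool, bool]:
    """Same comparison for the user's ability to wipe the device."""
    broken = DeviceRegistry(canonicalize=False)
    fixed = DeviceRegistry(canonicalize=True)
    broken.register("userlogin@example.com", "Android-ABC123")
    fixed.register("userlogin@example.com", "Android-ABC123")
    return broken.wipe("userlogin", "Android-ABC123"), fixed.wipe("userlogin", "Android-ABC123")


if __name__ == "__main__":
    print(demo())       # → (set(), {'Android-ABC123'})
    print(wipe_demo())  # → (False, True)
```

The `broken` registry reproduces the poster's symptom: the admin sees a device owned by 'userlogin@example.com', but 'userlogin' sees nothing and cannot wipe it. Doing the canonicalisation once, before registration, is what makes the preferences view and the wipe permission line up with the same identity the sync data already belongs to.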

