[sync] autodiscover/EAS email vs login
Michael J Rubinsky
mrubinsk at horde.org
Tue Nov 6 16:14:51 UTC 2012
Quoting geoffroy desvernay <dgeo at centrale-marseille.fr>:
<snip>
>> I still don't see what the problem is for you. Are your users' email
>> mailboxes not the same as their username? I.e., if a user logs into
>> Horde with username_one, is the email address username_one at example.com?
>> If it is NOT, then autoconfigure will NOT work. Period. There is no
>> mechanism to automatically report back a different username to the
>> device. The user needs to edit it, or not use autoconfigure. If the
>> email address DOES match like that, then there should be no problem
>> using AUTOCONFIGURE with stripping everything after and including the
>> '@' in the address.
>>
> In this test case : what works:
> - userlogin matches the local part of the mail.
> - userlogin is used as internal uid in horde
> - userlogin at domain CAN be used to login in horde (thanks to
> preauthenticate hook)
> - userlogin at domain *is used* by the mobile device (because of
> autodiscover), and synchronized data *is* userlogin's
This is incorrect. Devices should NOT be using the full email address
to login, this is against the protocol specs. They MUST use the
mailbox name only. What device/client is this?

The other possibility is that you have a hook somewhere turning
userlogin into userlogin at domain somewhere.
> The only problem is that the user 'userlogin' doesn't see the device in
> his preferences, and is not able to wipe/remove it. (horde's admin can,
> seeing the device owned by 'userlogin at domain')
> I thought that authusername hook could be of some help here, but it
> doesn't seem to be...
You shouldn't need any hook at all. The device should be logging into
horde as userlogin, period. If it's not, it's broken, or is
misconfigured.
>>>>>> ps: Is there a documentation explaining that one has to add
>>>>>> permissions
>>>>>> to get that, I did read the code to catch this, did I search correctly
>>>>>> before ?
>>>>
>>>> Sorry, don't follow what you are asking here. Permissions to get what?
>>>
>>> Sorry, that sentence was anything but understandable... a kind of
>>> pre-written-post-scriptum-mis-pasted ;), let's write it again:
>>>
>>> I had to add horde:activesync:provisioning permission to 'Allow' through
>>> the admin interface to get any device in 'provisioned' state: without
>>> adding this permission horde seems to ignore provisioning
>>> (Horde_ActiveSync::PROVISIONING_NONE from what I caught in the code)
>>
>> Ah, ok. Yes. You have to explicitly add it since it is the more
>> restrictive choice and has the possibility of disallowing devices from
>> connecting.
>>
> Isn't "Force" the only one that may disallow devices ?
Explicitly, yes. But not creating any permission is the same as
"None", which is the least restrictive since not only does it not
disallow devices from connecting, but also doesn't enforce any
specific security policies on the device.
> Anyway, I understand pretty well why NONE is a good default, as
> providing a WIPE button has to be done with full knowledge of the risks.
>
>>
>>> I didn't find anything in the wiki about this, and hoped to find this
>>> in the configuration... anyway, I'd have liked to read a simple 'Add the
>>> horde:activesync:provisioning permission to configure the kind of
>>> provisioning you want' :)
>>
>> Yes, I have a @TODO for exactly this on wiki.horde.org/ActiveSync
>>
> May I be of some help ? (despite my poor tailor ;)
Sure. It's a public wiki. Anything you feel would be worthwhile to
add. I can always tweak it if it's not 100% correct etc...
>>> I'm still trying to get how to configure activesync:provisioning:*
>>> policies (as I read in _getPolicyFromPerms(),
>>> Horde_ActiveSync_Policies::POLICY_ROAMING_NOPUSH for example).
>>> The admin interface doesn't allow me to push these (maybe a config
>>> problem in my installs)
>>
>> Not sure what you mean by "push these". When you configure them, they
>> will be transmitted as the policy the next time the device issues a
>> PROVISIONING request. You can force devices to reprovision by choosing
>> "Reset All Policykeys" in the activesync administrative interface. It's
>> also worth noting that not all devices honor all of these policies, and
>> not all of them are available in older activesync versions.
>>
> I meant the admin interface doesn't let me configure these policies
> (even for devices that are using the 12.1 protocol), or I don't know how to set
> these ?
> I searched in the perms interface: nothing but
> horde:activesync:provisioning, there is no 'Activesync' root perm
> (should it?), nor is it in the configuration/activesync tab.
The ActiveSync perm is under Horde (as you have no doubt already
found). Provisioning is under ActiveSync. Once you have added the
Provisioning perm, you can add individual security policies as
children of the Provisioning perm. I.e., you click on the "+" sign
next to Provisioning for each new security policy you want to add.
--
mike
The Horde Project (www.horde.org)
mrubinsk at horde.org