Hi all,
This week my quest for trouble was again successful when I tried the LDAP authentication for EGroupWare on Windows.
I got most stuff working. Sadly there isn't much documentation about that, so I had to play some trial-and-error to get everything working. Now EGroupWare creates users and groups, but I can't authenticate anyone from EGroupWare. I can authenticate the EGroupWare admin user from phpLDAPadmin, though EGroupWare is set up to use DES encryption with the v3 protocol.
I saw a very strange thing though: if I log in to phpLDAPadmin as admin and change the EGroupWare admin's password to cleartext (it was CRYPT, the Unix default), EGroupWare can authenticate without problem. So I tried a debug session to see what EGroupWare was sending. It always sends the password in cleartext. I can't tell if this is normal behaviour, but if I change the encryption to SSHA in EGroupWare and put an SSHA-hashed password in LDAP using phpLDAPadmin, it doesn't work; only cleartext does.
So an LDAP guru could light my candle here:
-Is it my OpenLDAP build not having all the build flags or features for the hash types enabled (as I saw in some posts about this Windows build while I was googling)? The README also states it doesn't have SASL support; could that have an influence?
-Or is there a bug in EGroupWare, which should return a hashed password to OpenLDAP?
-Or is there something in my LDAP security policy blocking EGroupWare from doing all its checks? I'm using a basic one right now: allow self write access, allow authenticated users read access, allow anonymous users to authenticate.
In EGroupWare I'm set up with DES encryption and the v3 protocol; in the directory the password is stored as "crypt" according to phpLDAPadmin. If I try to verify my password in phpLDAPadmin it works, but EGroupWare gets an err=49 when it tries to bind the user...
Here is a debug session from OpenLDAP of EGroupWare trying to log in:
C:\web\OpenLDAP>slapd -d 256
main: new debug level is: 256
main: new config file is: .\slapd.conf
@(#) $OpenLDAP: slapd 2.2.29 (Oct 21 2005 16:01:14) $
MMohr@BELTIRA:openldap-2.2.29/servers/slapd
bdb_db_init: Initializing BDB database
slapd starting
conn=0 fd=1584 ACCEPT from IP=127.0.0.1:1098 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=admin,dc=domain,dc=com" method=128
conn=0 op=0 BIND dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="ou=groups,dc=doamin,dc=com" scope=2 deref=0 filter="(&(cn=gbeloin)(phpgwAccountType=g))"
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 op=2 SRCH base="ou=accounts,dc=domain,dc=com" scope=2 deref=0 filter="(&(uid=gbeloin)(phpgwAccountType=u))"
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 fd=1664 ACCEPT from IP=127.0.0.1:1099 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=admin,dc=domain,dc=com" method=128
conn=1 op=0 BIND dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0
connection_input: conn=1 deferring operation: binding
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="ou=accounts,dc=domain,dc=com" scope=2 deref=0 filter="(&(uid=gbeloin)(phpgwAccountStatus=A))"
conn=1 op=1 SRCH attr=uid dn givenName sn mail uidNumber gidNumber
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=2 BIND anonymous mech=implicit ssf=0
conn=1 op=2 BIND dn="uid=gbeloin,ou=accounts,dc=domain,dc=com" method=128
connection_input: conn=1 deferring operation: binding
conn=1 op=2 RESULT tag=97 err=49 text=
conn=1 fd=1664 closed
conn=0 op=3 UNBIND
conn=0 fd=1584 closed
conn=2 fd=1584 ACCEPT from IP=127.0.0.1:1100 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="cn=admin,dc=domain,dc=com" method=128
conn=2 op=0 BIND dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 UNBIND
conn=2 fd=1584 closed
So, now I'll tell how I got it working so others can Google this and get an idea of the up-to-date procedure (the README in phpgwapi/doc/ldap is out of date):
-Get a basic install of Apache, PHP and MySQL. The XAMPP package provides a very complete installation for this.
-Get the latest EGroupWare package (1.2.105 now).
-Get the latest version of OpenLDAP for Windows (2.2.29 now). It's not the latest OpenLDAP, but it seems no one cares to build an up-to-date one.
A Google search shows that you can get one from here: http://download.bergmans.us/openldap/
-Edit your php.ini file and uncomment the php_ldap.dll and php_mhash.dll extensions. Restart your Apache service.
-Install OpenLDAP as an NT service.
-Copy the 2 EGroupWare LDAP schemas from egroupware\phpgwapi\doc\ldap.
-Configure OpenLDAP with the slapd.conf file. The EGroupWare README says you need the core and cosine schemas "at least". In fact you need core, cosine, inetorgperson and nis for the EGroupWare schemas phpgwaccount and phpgwcontact to load.
The README also says you need to index some attributes. In fact you need to index some more for EGroupWare to be able to look up all the info.
Check my slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/nis.schema
include ./schema/phpgwaccount.schema
include ./schema/phpgwcontact.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile ./run/slapd.pid
argsfile ./run/slapd.args

# Load dynamic backend modules:
modulepath ./libexec/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_ldbm.la
moduleload back_passwd.la
moduleload back_shell.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
    by self write
    by users read
    by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
# Indices to maintain
index default eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber pres,eq
index gidNumber pres,eq
index objectClass eq
index phpgwAccountType pres,eq
index phpgwAccountStatus eq
index phpgwContactOwner pres,eq
-You need to actually create the structure dc=domain,dc=com (it must match the suffix in slapd.conf). Create a text file (textfile.ldif) with this in it:
dn: dc=domain,dc=com
objectClass: domain
dc: domain
-Open a DOS box, cd to the OpenLDAP directory and run (the -w value is the rootpw from slapd.conf):
ldapadd -x -D "cn=admin,dc=domain,dc=com" -w secret -f textfile.ldif
-You also need to create organisational units to contain accounts, groups and contacts. This is easily done with phpLDAPadmin, but an LDIF file can do the job too.
-Start the EGroupWare installation. When doing the configuration, enter authentication: LDAP.
Account context: ou=accounts,dc=domain,dc=com (if you created an organisational unit "accounts"); same for contacts and groups.
-Search filter: leave empty for the default. The default works OK if accounts are created by EGroupWare.
-Root DN: cn=admin,dc=domain,dc=com
-Root password: the password...
-Encryption type: something that works (seriously, I have no idea yet).
-LDAP v3: the Windows build I used had it, so yes.