Koozali.org: home of the SME Server

Authentication of Scalix server

kevinb
« on: October 21, 2007, 02:52:01 AM »
Hello everyone,

I am looking at installing a Scalix server on a separate machine. I would really like to have Scalix authenticate users against SME.

When I reviewed the "Authentication" chapter in http://www.scalix.com/documents/Scalix_Setup_Guide_11.0.2.pdf it looks like we may be able to use a Windows NT domain (via Samba). Or would Kerberos work better? I know LDAP is out at this time.


Quote
Authentication

This chapter explains how Scalix’s native authentication system works, and how to integrate
with external authentication systems such as LDAP, Kerberos or Windows NT Domain, if
desired.

If you plan to use the authentication system that is native to the product, you can skip this
chapter.

Contents:
This chapter includes the following information:
• “Authentication Overview” on page 52
• “An Overview of PAM” on page 54
• “Configuring Scalix for LDAP Authentication” on page 59
• “Configuring Scalix for Windows NT Authentication” on page 62
• “Configuring Scalix for Kerberos Authentication” on page 63

Likewise, there are several different ways you can do authentication on a Scalix system: You
can rely entirely on Scalix’s native authentication setup, or work with your own such as an
existing LDAP server, the Kerberos method, or the Microsoft Windows NT domain, which
function alongside the native authentication method.
For maximum flexibility, all authentication configurations are based on the Linux standard
Pluggable Authentication Modules (PAM).


Does anyone have any experience with this?

Any ideas on how to start?


Thank you in advance.


Kevin

kevinb

[SOLVED]: SME Authentication of Scalix server
« Reply #1 on: November 19, 2007, 08:04:56 PM »
I got it working.

Here are my steps

  • Install CentOS 5.0 - minimal, no firewall, no SELinux, static IP or dynamic with SME IP address reservation.
  • Code:
    yum install bind-utils compat-libstdc++-296 cyrus-sasl-md5 cyrus-sasl-plain elinks httpd nano pam_smb perl postgresql-server sendmail-cf tk wget which java
    yum update

    nano /etc/hosts
    127.0.0.1 localhost
    192.168.1.2 scalix.domain.tld scalix # this machine, only required for static IP
    192.168.1.1 SME.DOMAIN.TLD SME # DNS server - may need to be caps – for authentication

    nano /etc/selinux/config
    SELINUX=disabled

    reboot

  • Install Scalix
  • Code:
    mkdir rpm
    cd rpm
    wget http://downloads.scalix.com/.community/11.2/scalix-11.2.0-GA-core-rhel5-intel.tgz
    tar -xzvf *tgz
    rm -f *tgz
    cd scalix-11.2.0-GA
    ./scalix-installer --override=rhel5

    chkconfig postgresql on
    chkconfig httpd on

  • Remote Authentication:
  • Code:
    nano /etc/pam_smb.conf
    DOMAIN #must be caps - TEST
    PRIMARY DNS SERVER #must be caps – DNS1
    SECONDARY DNS SERVER #must be caps – DNS2, if there is not a secondary then primary must be duplicated – DNS1

    nano /var/opt/scalix/sx/s/sys/pam.d/ual.remote
    auth required om_om2authid
    auth sufficient /lib/security/pam_smb_auth.so debug nolocal
    auth sufficient om_auth use_first_pass
    auth required pam_deny
    account required om_auth

    nano /var/opt/scalix/sx/s/sys/pam.d/smtpd.auth
    auth required om_om2authid
    auth sufficient /lib/security/pam_smb_auth.so debug nolocal
    auth sufficient om_auth use_first_pass
    auth required pam_deny
    account required om_auth

    service httpd restart

There are other authentication files in “/var/opt/scalix/sx/s/sys/pam.d/” (Outlook connector, POP, IMAP, etc.) that may need to be changed like these also. So far this has worked for me with my minimal testing.

I'll update this when I get the Scalix security and port forwarding figured out.

If anyone has any suggestions please let me know.

Kevin
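
The ual.remote / smtpd.auth stack from the post above, walked through as an added example (not part of the original post, and not Scalix or pam_smb code). It assumes Scalix's PAM files follow standard Linux-PAM control-flag semantics and that om_om2authid normally returns success; the module outcomes fed to it are constructed.

```python
# Added illustration (not Scalix or pam_smb code): a simplified model of the
# Linux-PAM control flags required / requisite / sufficient / optional.
SMB = "/lib/security/pam_smb_auth.so"

# The stack exactly as posted for ual.remote and smtpd.auth.
STACK_TEXT = """\
auth required om_om2authid
auth sufficient /lib/security/pam_smb_auth.so debug nolocal
auth sufficient om_auth use_first_pass
auth required pam_deny
account required om_auth
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module, options)] for one management group."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        if fields[0] == mgmt:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def evaluate(stack, results):
    """results maps module -> True/False (constructed outcomes; a module
    not listed fails). Returns (granted, modules_called)."""
    failed = succeeded = False
    called = []
    for control, module, _options in stack:
        ok = module != "pam_deny" and results.get(module, False)
        called.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, called   # short-circuit, later modules never run
        elif control == "requisite" and not ok:
            return False, called      # fail immediately
        elif control in ("required", "requisite", "optional"):
            if ok:
                succeeded = True
            elif control == "required":
                failed = True         # remembered, but the stack keeps running
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    return succeeded and not failed, called

if __name__ == "__main__":
    auth = parse_stack(STACK_TEXT)
    for smb, native in [(True, False), (False, True), (False, False)]:
        print(smb, native, evaluate(auth, {"om_om2authid": True, SMB: smb, "om_auth": native}))
```

Under this model, a stack with the `auth required pam_deny` line removed grants access even when both password checks fail, because the only `required` module left has succeeded; keep that line when copying the change into the other files in pam.d.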

haymann

Re: Authentication of Scalix server
« Reply #2 on: November 20, 2007, 03:02:02 PM »
No suggestions, but thanks for posting your results. I have been looking to try the same thing for months now and just haven't found the time to play with it yet.
Now that I see you have had some success, I will see if I can block off some time to play as well.
Thanks,
Ryan