Mailing List CGatePro@mail.stalker.com Message #92768
From: Andy Kunkle <akunkle@aimengr.com>
Subject: RE: Passwords
Date: Thu, 27 Sep 2007 09:46:50 -0400
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: Microsoft Office Outlook 12.0
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Darren Sundborg
> Sent: Thursday, September 27, 2007 5:33 AM
>
> Hi Andy
>
> I gave up on the Kerberos route and have gone down the authPAM.pl
> route!

Bummer. I don't know much about the PAM approach. I tried it first, but had
no luck. Kerberos, once it's working, is by far the nicest approach, as you
don't have to worry about syncing passwords or anything. Next in line is the
LDAP-Secure.pl script that's on the CommuniGate Script repository. This uses
the LDAP-Secure.pl script as the external authenticator between CGP and AD
to bind to the LDAP directory, thus authenticating the password. I'm
assuming it works similar to how PAM works, only you can use LDAPS to
encrypt the traffic so the passwords aren't going across the wire in clear
text.

> 1) Does the user have to have the same PC logon name & Communigate email
> logon name?

Yes. You have to pay special attention to what the server with the passwords
is expecting. This is particularly the case when users try to use webmail.
The CGPro server will try to send user@mail.domain.com (assuming that's
your mail server's name) and my AD server was expecting just user, or
user@domain.com (without the mail). This caused some headaches, but I
finally figured out where the problem was. Wireshark or Ethereal are very
useful when dealing with problems like that...

> 2) When users change their Windows AD passwords, Outlook will prompt for
> a new password as well?

When they change their AD passwords, Outlook will no longer have the correct
one stored, so yes, they will get a password prompt. It's not a big deal,
but if you can get Kerberos working, that would not happen. That could be
your goal for future upgrades once you roll out the server. It would cut
down on support calls during "that time of the month."

> 3) If APPLE MAC users are logging in through AD, is there a way for them
> to also change their passwords? Or be prompted? (I suppose that would be
> asking for too much!!)

I'm not sure I follow. If you're using authPAM to check against your AD
server, and your mac user has an AD account, yes... when they change their
password, that would happen automatically...

If you're interested in the LDAP-Secure.pl script that works out of the box
with AD, let me know.

I hope this helps...

Andy Kunkle
AIM Engineering & Surveying

>
>
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On
> Behalf Of Andy Kunkle
> Sent: 26 September 2007 21:03
> To: CommuniGate Pro Discussions
> Subject: Re: Passwords
>
> > Behalf Of John Rudd
>
> > I just wrote a new external authenticator that:
> >
> > if (auth is successful)
> >     cache the external auth password into the CGP app password
> >     enable the CGP app password
>
> John, Would you be interested in sharing this authenticator? Is it for an AD
> server syncing to a Linux-based CGPro server? It's exactly what I was
> talking to a tech at CommuniGate the other day about. It would be perfect if
> you used the LDAP=>bind command to authenticate against AD and then if it's
> successful, assign that password to the communigate internal password. This
> would also allow us to use Pronto for webmail, since as it stands now, I
> cannot authenticate since our CGPro accounts don't have a password in them.
>
> Darren:
>
> Have you made any headway on the Kerberos part? If not, I can probably be
> of some assistance and I've really dug into how AD uses Kerberos and how it
> all jives. Let me know if you need help, or at least let me know where you
> stand on it.
>
>
> Andy Kunkle
> AIM Engineering
>
> > Then, I have a nightly process that disables the CGP app password for
> > each user (forcing them to go to the external authenticator).
> >
> >
> > So:
> >
> > 1) if they change their external password, then within 24 hours they'll
> > have to start using that password in CGP.
> >
> > 2) They will, hopefully, only have to consult the external authenticator
> > once every 24 hours (not including failed auths).
> >
> > 3) If the external auth system fails, I can turn off the nightly disable
> > check, and they can continue using the app password until things get
> > better.
> >
> >
> > Am I on the right track for what you're having a problem with?
> >
> >
> >
> > Darren Sundborg wrote:
> > > Hi
> > >
> > >
> > >
> > > I am really thinking about going over to exchange. There I said it.
> > >
> > >
> > >
> > > I am running an Active Directory environment, and am having the problem
> > > of changing passwords every "whatever days".
> > >
> > > What does everyone else do in this situation? How do you get passwords
> > > to change? Do you have users change two passwords?
> > >
> > >
> > >
> > > Really need some guidance on this one, any help would be greatly
> > > appreciated...
> > >
> > >
> > >
> > > Thanks in advance,
> > #############################################################
> > This message is sent to you because you are subscribed to
> >   the mailing list <CGatePro@mail.stalker.com>.
> > To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
> > To switch to the DIGEST mode, E-mail to <CGatePro-
> > digest@mail.stalker.com>
> > To switch to the INDEX mode, E-mail to <CGatePro-
> > index@mail.stalker.com>
> > Send administrative queries to  <CGatePro-request@mail.stalker.com>


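A small model of the cache-on-success scheme with a nightly disable that John Rudd outlines in the quoted message, combined with the login-name mapping Andy describes. This is an added example, not code from the thread, from LDAP-Secure.pl or from CommuniGate Pro. All names are hypothetical: `external_bind` stands in for the LDAPS bind, a salted PBKDF2 hash stands in for the CGP app password, and the `mail.` prefix is assumed from the `user@mail.domain.com` example above.

```python
import hashlib, hmac, os

def directory_login(cgp_login, mail_prefix="mail."):
    """Map the name CGP sends (user@mail.domain.com) to the one AD expects."""
    user, _, domain = cgp_login.partition("@")
    if domain.startswith(mail_prefix):
        domain = domain[len(mail_prefix):]
    return f"{user}@{domain}" if domain else user

class CachingAuthenticator:
    def __init__(self, external_bind):
        # external_bind(login, password) -> bool is a hypothetical stand-in for
        # the LDAPS bind; it raises ConnectionError if the directory is down.
        self.external_bind = external_bind
        self.cache = {}  # login -> [salt, digest, enabled]

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, cgp_login, password):
        if not password:
            return False  # an LDAP bind with an empty password can succeed unauthenticated
        login = directory_login(cgp_login)
        entry = self.cache.get(login)
        if entry and entry[2] and hmac.compare_digest(
                entry[1], self._digest(entry[0], password)):
            return True  # cache hit: the directory is not consulted
        try:
            ok = self.external_bind(login, password)
        except ConnectionError:
            return False  # directory down and no usable cache entry
        if ok:  # cache the password that just verified, and enable it
            salt = os.urandom(16)
            self.cache[login] = [salt, self._digest(salt, password), True]
        return ok

    def nightly_disable(self):
        """Force every account back to the external authenticator."""
        for entry in self.cache.values():
            entry[2] = False

def demo():
    directory = {"alice@domain.com": "old-pw"}  # constructed sample account
    auth = CachingAuthenticator(lambda l, p: directory.get(l) == p)
    first = auth.verify("alice@mail.domain.com", "old-pw")
    directory["alice@domain.com"] = "new-pw"  # password changed in AD
    stale = auth.verify("alice@domain.com", "old-pw")  # old one still cached
    auth.nightly_disable()
    after = auth.verify("alice@domain.com", "old-pw")
    return first, stale, after
```

The `stale` result is the trade-off in point 1 of the quoted scheme: until the nightly disable runs, the cache still accepts a password the directory has already replaced.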