1 (edited by matteo.frakka 2013-08-08 00:43:01)

Topic: Awstats - Unable to login.

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS 6.4 64bit
- Related log if you're reporting an issue: /var/log/httpd/ssl_access_log
====

Fresh install, completed today. I've imported only the LDIF and mail archives (no MySQL DB or Apache configuration) from a previous install of iRedMail LDAP on Debian Squeeze, following your instructions. Everything seems to work fine (Postfix, Dovecot, iRedAdmin, phpMyAdmin, phpLDAPadmin, Roundcube, etc.), except for Awstats logins:

192.168.200.220 - - [07/Aug/2013:18:18:27 +0200] "GET /awstats/awstats.pl?config=web HTTP/1.1" 401 513
192.168.200.220 - postmaster@mydomain.it [07/Aug/2013:18:18:43 +0200] "GET /awstats/awstats.pl?config=web HTTP/1.1" 401 513

If I comment out "Require valid-user" in /etc/httpd/conf.d/awstats.conf I can access Awstats, so it seems that the problem is with the Apache authorization module or its binding to LDAP.
What should I check?
The account and password for binding to LDAP are fine...

I've installed SOGo 2.x on the same server, which binds to the iRedMail LDAP...


2

Re: Awstats - Unable to login.

matteo.frakka wrote:

If I comment out "Require valid-user" in /etc/httpd/conf.d/awstats.conf I can access Awstats, so it seems that the problem is with the Apache authorization module or its binding to LDAP.

Without 'Require valid-user' there is no user authentication while accessing Awstats; it is accessible to everyone.
Could you please post the file /etc/httpd/conf.d/awstats.conf here to help troubleshoot? Do you have the correct LDAP-related info in it?

WARNING: Remove password in this file before posting.

3

Re: Awstats - Unable to login.

#
# File generated by iRedMail (2013.08.06.13.44.15):
#
# Version:  0.8.5
# Project:  http://www.iredmail.org/
#
# Community: http://www.iredmail.org/forum/
#

# Note: Please refer to /etc/httpd/conf.d/ssl.conf for SSL/TLS setting.
#Alias /awstats/icon "/usr/share/awstats/wwwroot/icon/"
#Alias /awstats/css "/usr/share/awstats/wwwroot/css/"
#Alias /awstats/js "/usr/share/awstats/wwwroot/js/"
#ScriptAlias /awstats "/usr/share/awstats/wwwroot/cgi-bin/"

<Directory /usr/share/awstats/wwwroot/cgi-bin/>
    DirectoryIndex awstats.pl
    Options ExecCGI
    Order allow,deny
    allow from all
    allow from 127.0.0.1

    AuthName "Authorization Required"
    AuthType Basic

    AuthBasicProvider ldap
    AuthzLDAPAuthoritative   Off

    AuthLDAPUrl   ldap://127.0.0.1:389/o=domains,dc=fracassetti,dc=lan?mail?sub?(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))

    AuthLDAPBindDN "cn=vmail,dc=fracassetti,dc=lan"
    AuthLDAPBindPassword "-----------------------------------"

    Require valid-user
</Directory>

AuthLDAPUrl is on one line.
The password for user "vmail" matches the one in "iRedMail.tips".

I had commented out 'Require valid-user' to ensure that Awstats was fully working without auth.

4

Re: Awstats - Unable to login.

Maybe an issue with the crypto used to send the password to LDAP?

5

Re: Awstats - Unable to login.

Does below command return something?

# ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -b 'o=domains,dc=fracassetti,dc=lan' (&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))

NOTE: It will prompt to input password of cn=vmail,dc=fracassetti,dc=lan.

6

Re: Awstats - Unable to login.

Sorry for the delay, I didn't receive any notification about your reply. That command gives me an error:

-bash: syntax error near unexpected token `('

Anyway, I think I have found the issue: the "AuthLDAPUrl" string seems to be wrong.

Mine is (from a fresh install, but after restoring LDAP from the previous setup):

ldap://127.0.0.1:389/o=domains,dc=fracassetti,dc=lan?mail?sub?(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))

But trying this search with phpLDAPadmin gives me no results: there is no user with objectclass=mailUser, accountStatus=active, enabledService=domainadmin and domainGlobalAdmin=yes in the subtree "o=domains,dc=fracassetti,dc=lan".
In fact, user "postmaster@fracassetti.it" is registered in the subtree "o=domainAdmins,dc=fracassetti,dc=lan" with these definitions:

mail=postmaster@fracassetti.it
    dn                   mail=postmaster@fracassetti.it,o=domainAdmins,dc=fracassetti,dc=lan
    accountStatus        active
    cn                   postmaster
    domainGlobalAdmin    yes
    enabledService       awstats
    givenName            postmaster
    Email                postmaster@fracassetti.it
    objectClass          mailAdmin
                         shadowAccount
                         top
    preferredLanguage    en_US
    User Name            postmaster
    Password             ****************

so this user simply can't be used to log in to Awstats.

To allow postmaster@fracassetti.it to log in to Awstats, the AuthLDAPUrl string should be changed as follows:

#    Require that authorized user is ("active") AND (("mailUser" AND "Domainadmin") OR "GlobalAdmin=yes" )
#    AuthLDAPUrl   ldap://127.0.0.1:389/dc=fracassetti,dc=lan?mail?sub?(&(accountStatus=active)(|(&(objectclass=mailUser)(enabledService=domainadmin))(domainGlobalAdmin=yes))) TLS

or

#    Require that authorized users satisfy 3 conditions: "accountStatus=active" AND ("GlobalAdmin=yes" OR "enabledService=awstats" OR "enabledService=domainadmin" ) AND ( "objectclass=mailUser" OR "objectclass=mailAdmin").
     AuthLDAPUrl   ldap://127.0.0.1:389/dc=fracassetti,dc=lan?mail?sub?(&(accountStatus=active)(|(enabledService=awstats)(enabledService=domainadmin)(domainGlobalAdmin=yes))(|(objectclass=mailUser)(objectclass=mailAdmin))) TLS

In both, the "TLS" at the end is not required for authentication, but it works.
Using this AuthLDAPUrl I can now log in to Awstats using the postmaster account.


P.S:
Sorry for my English, but it is late at night...

7 (edited by matteo.frakka 2013-08-23 06:27:07)

Re: Awstats - Unable to login.

[matteo@server-centos ~]$ ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'o=domains,dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))"

# extended LDIF
#
# LDAPv3
# base <o=domains,dc=fracassetti,dc=lan> with scope subtree
# filter: (&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

[matteo@server-centos ~]$ ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))"
# extended LDIF
#
# LDAPv3
# base <dc=fracassetti,dc=lan> with scope subtree
# filter: (&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

It confirms that user "postmaster@fracassetti.it" can't log in to Awstats because it is out of the search scope defined by AuthLDAPUrl, right?

[matteo@server-centos ~]$ ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'dc=fracassetti,dc=lan' "(&(accountStatus=active)(|(enabledService=awstats)(enabledService=domainadmin)(domainGlobalAdmin=yes))(|(objectclass=mailUser)(objectclass=mailAdmin)))"
# extended LDIF
#
# LDAPv3
# base <dc=fracassetti,dc=lan> with scope subtree
# filter: (&(accountStatus=active)(|(enabledService=awstats)(enabledService=domainadmin)(domainGlobalAdmin=yes))(|(objectclass=mailUser)(objectclass=mailAdmin)))
# requesting: ALL
#

# postmaster@fracassetti.it, domainAdmins, fracassetti.lan
dn: mail=postmaster@fracassetti.it,o=domainAdmins,dc=fracassetti,dc=lan
objectClass: mailAdmin
objectClass: shadowAccount
objectClass: top
uid: postmaster
givenName: postmaster
mail: postmaster@fracassetti.it
domainGlobalAdmin: yes
enabledService: awstats
preferredLanguage: en_US
cn: postmaster
accountStatus: active
userPassword:: <enc_password>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

8

Re: Awstats - Unable to login.

Sorry, my mistake, I forgot to quote the query filter. Try this one:

# ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -b 'o=domains,dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))"

9

Re: Awstats - Unable to login.

Already done, in the first and second quotes of my post from "Today 00:26:29".

In the first there is the response to a search performed using your AuthLDAPUrl:

[matteo@server-centos ~]$ ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'o=domains,dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))"

    # extended LDIF
    #
    # LDAPv3
    # base <o=domains,dc=fracassetti,dc=lan> with scope subtree
    # filter: (&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

In the second there is the same search extended to the whole tree dc=fracassetti,dc=lan, but with the same result:

[matteo@server-centos ~]$ ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=fracassetti,dc=lan> with scope subtree
    # filter: (&(objectclass=mailUser)(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))
    # requesting: ALL
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

The last quote is the search response for a modified AuthLDAPUrl that works for me: I think that the default AuthLDAPUrl in the Awstats configuration file is wrong...

10

Re: Awstats - Unable to login.

Please note that my LDAP filter doesn't have "enabledService=domainadmin". So please try again.

11 (edited by matteo.frakka 2013-08-27 03:04:51)

Re: Awstats - Unable to login.

It is the same:

[root@server-centos matteo]# ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'o=domainAdmins,dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))"
# extended LDIF
#
# LDAPv3
# base <o=domainAdmins,dc=fracassetti,dc=lan> with scope subtree
# filter: (&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


[root@server-centos vsftpd]# ldapsearch -x -D 'cn=vmail,dc=fracassetti,dc=lan' -w '<password>' -b 'dc=fracassetti,dc=lan' "(&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))"
# extended LDIF
#
# LDAPv3
# base <dc=fracassetti,dc=lan> with scope subtree
# filter: (&(objectclass=mailUser)(accountStatus=active)(domainGlobalAdmin=yes))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Anyway, I'm pretty sure I did not modify your LDAP filter from the stock install before trying to debug the issue. I've restored only the LDAP database from backup...

12

Re: Awstats - Unable to login.

matteo.frakka wrote:

# postmaster@fracassetti.it, domainAdmins, fracassetti.lan
dn: mail=postmaster@fracassetti.it,o=domainAdmins,dc=fracassetti,dc=lan
objectClass: mailAdmin

Oh, I just saw this: this admin account is a standalone mail admin account, not a mail user with admin privileges. Sorry about my mistake.

You can try to use the one below as the LDAP filter in awstats.conf:

(&(accountStatus=active)(domainGlobalAdmin=yes)(|(objectclass=mailUser)(objectclass=mailAdmin)))

We recommend marking a normal mail user as domain admin or global admin, not creating a standalone mail admin account (it's not a mail user).
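The root cause worked out across posts 6, 7 and 12 is that the stock AuthLDAPUrl fails the standalone admin twice: its base DN (o=domains,...) never reaches the o=domainAdmins subtree, and its filter requires objectClass=mailUser. The script below is an added example for this thread, not iRedMail's or Apache's code. It reproduces, offline, what mod_authnz_ldap does with an AuthLDAPUrl: parse base DN, attribute, scope and filter, then search for (&(<filter>)(<attribute>=<login>)) as the module documentation describes, and it runs the stock URL and ZhangHuangbin's corrected filter against the postmaster entry exactly as posted plus one constructed mailUser entry (its DN and attribute values are assumptions). The filter parser covers only the RFC 4515 subset used here (&, |, !, attr=value, attr=*) and rejects login names containing filter metacharacters, which the real module escapes and this toy does not.

```python
"""Offline check of which iRedMail LDAP entries an Apache AuthLDAPUrl would accept.
Added example for this thread, not iRedMail's or Apache's code: it handles the filter
subset used above (&, |, !, attr=value, attr=*), base/sub scope, and mod_authnz_ldap's
rule of searching for (&(<filter>)(<attribute>=<login>))."""


def _norm_dn(dn):
    """Lower-case and drop spaces after commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_filter(text, i=0):
    """Parse one parenthesised RFC 4515 node at text[i]; return (node, next_index)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {text!r}")
    op = text[i + 1] if i + 1 < len(text) else ""
    if op in ("&", "|", "!"):
        i += 2
        children = []
        while i < len(text) and text[i] == "(":
            child, i = parse_filter(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' node at offset {i}")
        return (op, children), i + 1
    end = text.find(")", i)
    if end < 0:
        raise ValueError(f"unterminated item at offset {i}")
    attr, sep, value = text[i + 1:end].partition("=")
    if not sep:
        raise ValueError(f"only (attr=value) items are supported: {text[i:end + 1]!r}")
    return ("=", (attr.strip().lower(), value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-cased keys, list values)."""
    op, arg = node
    if op == "&":
        return all(matches(child, entry) for child in arg)
    if op == "|":
        return any(matches(child, entry) for child in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def parse_auth_ldap_url(url):
    """ldap://host[:port]/basedn[?attr[?scope[?filter]]] [TLS|...] -> (base, attr, scope, filter)."""
    url = url.split()[0]  # the trailing TLS/SSL/NONE keyword is a connection option, not search data
    rest = url.partition("://")[2]
    parts = rest.partition("/")[2].split("?", 3) + [""] * 3
    base, attribute, scope, flt = parts[:4]
    # Defaults are mod_authnz_ldap's: attribute uid, scope sub, filter (objectClass=*).
    return base, attribute or "uid", (scope or "sub").lower(), flt or "(objectClass=*)"


def authorized_dns(entries, auth_ldap_url, login):
    """DNs Apache would find for `login`; exactly one hit is required before the password bind."""
    if any(c in login for c in "()*\\\x00"):
        # mod_authnz_ldap escapes these before substitution; this toy parser does not.
        raise ValueError("login contains LDAP filter metacharacters")
    base, attribute, scope, flt = parse_auth_ldap_url(auth_ldap_url)
    combined = f"(&{flt}({attribute}={login}))"
    node, end = parse_filter(combined)
    if end != len(combined):
        raise ValueError(f"trailing data after filter: {combined[end:]!r}")
    base, hits = _norm_dn(base), []
    for raw in entries:
        entry = {k.lower(): v if isinstance(v, list) else [v] for k, v in raw.items()}
        dn = _norm_dn(entry["dn"][0])
        # scope "base" needs the exact DN; "sub" (Apache's default) accepts any DN below it.
        in_scope = dn == base or (scope != "base" and dn.endswith("," + base))
        if in_scope and matches(node, entry):
            hits.append(entry["dn"][0])
    return hits


# AuthLDAPUrl values from the thread: the stock one (base o=domains never reaches
# o=domainAdmins) and ZhangHuangbin's corrected filter searched from the tree root.
STOCK_URL = ("ldap://127.0.0.1:389/o=domains,dc=fracassetti,dc=lan?mail?sub?(&(objectclass=mailUser)"
             "(accountStatus=active)(enabledService=domainadmin)(domainGlobalAdmin=yes))")
FIXED_URL = ("ldap://127.0.0.1:389/dc=fracassetti,dc=lan?mail?sub?(&(accountStatus=active)"
             "(domainGlobalAdmin=yes)(|(objectclass=mailUser)(objectclass=mailAdmin))) TLS")

# The standalone mailAdmin entry exactly as posted in the thread (password omitted).
POSTMASTER = {
    "dn": "mail=postmaster@fracassetti.it,o=domainAdmins,dc=fracassetti,dc=lan",
    "objectClass": ["mailAdmin", "shadowAccount", "top"], "mail": "postmaster@fracassetti.it",
    "domainGlobalAdmin": "yes", "enabledService": "awstats", "accountStatus": "active",
}
# Constructed entry (not from the thread): a normal mailUser marked global admin; DN and values assumed.
MAILUSER_ADMIN = {
    "dn": "mail=admin@fracassetti.it,ou=Users,domainName=fracassetti.it,o=domains,dc=fracassetti,dc=lan",
    "objectClass": ["mailUser", "shadowAccount", "top"], "mail": "admin@fracassetti.it",
    "domainGlobalAdmin": "yes", "enabledService": ["mail", "domainadmin"], "accountStatus": "active",
}
ENTRIES = [POSTMASTER, MAILUSER_ADMIN]

if __name__ == "__main__":
    for login in ("postmaster@fracassetti.it", "admin@fracassetti.it"):
        print(login, "stock:", authorized_dns(ENTRIES, STOCK_URL, login), "fixed:", authorized_dns(ENTRIES, FIXED_URL, login))
```

Running it shows the stock URL returning no entry for postmaster@fracassetti.it (the 401 in the original log), while the corrected URL returns the o=domainAdmins entry; the constructed mailUser is found by both, which is why the stock configuration works on an unmodified 0.8.5 install. The post-6 variant that also accepts enabledService=awstats behaves the same way for this entry. Against a live server the equivalent check is the quoted ldapsearch from post 7, with the filter inside double quotes so the shell does not interpret the parentheses.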

13 (edited by matteo.frakka 2013-08-29 06:14:24)

Re: Awstats - Unable to login.

ZhangHuangbin wrote:

We recommend marking a normal mail user as domain admin or global admin, not creating a standalone mail admin account (it's not a mail user).

This was the default user created by iRedMail during setup.

I tested your filter in a testing environment, and it seems to work fine.
Thank you.

14

Re: Awstats - Unable to login.

matteo.frakka wrote:

This was the default user created by iRedMail during setup.

It doesn't look right. iRedMail-0.8.5 will mark the first mail user as global domain admin, it doesn't create a separate mail admin account (objectClass=mailAdmin) at all.

15

Re: Awstats - Unable to login.

You're right... As in the first post, the user DB was imported from a previous install (iRedMail 0.8.1 on Debian Squeeze) before testing Awstats.

http://www.nexthardware.com/forum/appun … post856823

So postmaster@fracassetti.it should be the default user created by the setup of version 0.8.1.
Otherwise I must have made some changes that I don't remember: in that case, I'm sorry.