kattrap on Feb 16. 2008. 8:12 am
Recently purchased aC and am trying to secure it to some degree. I've had nothing but trouble using it from Internet Explorer (Firefox works fine). Here's what I've tried that has failed. Note that aC is listed in my trusted sites in IE and has lower security requirements.

1) Initial install of aC would login fine from ff but would quietly return to a blank login screen with IE. This seems to have something to do with the "remember me" checkbox and not logging out of aC. The hack around this was to change the login page text to have the checkbox checked and change the text. :x

2) Installed self-signed SSL cert (make-ssl-cert) and ff is happy but IE only shows the text of the login screen, no pictures... obviously I think this has something to do with the images and templates being in a different directory, but I'm clueless as to where to start looking (log files don't seem to be any help). --edit, idiot: change the root_url in config.php to https. Why did it work in Firefox?

3) Active Directory authentication by the LDAP plugin listed in the module area http://www.activecollab.com/forums/topic/2311/ is supposed to fall back to the local user database if AD is not working but I can't get AD to work and it's not falling back. Does anyone have this working that could copy out their config changes for me to check out? You would think that the example given would be enough, but maybe I'm a bit dense.

If I keep aC as http with the local user database (no encryption anywhere!) then it works but there is no way that my company will keep it like this...

Oh yeah, mod_rewrite doesn't seem to work based on http://www.activecollab.com/support/index.php?pg=kb.page&id=26 (typo somewhere?) mod_rewrite is working to redirect http to https (so I know the module is fine, just my copy-paste somewhere is wonky).

Up-to-date Debian Etch. mod_ldap, mod_rewrite, php5.. aC 1.0.4
Ilija Studen on Feb 16. 2008. 9:27 am
Can you please send a link to your activeCollab setup and FTP parameters to support@a51dev.com so we can check.
activeCollab team member
kattrap on Feb 17. 2008. 3:01 am
Nope, sorry. It's behind our firewall and ftp is not enabled (suggesting yet another non-encrypted protocol?). Ilija, I'm not trying to be difficult, it's our corporate policy. Give me some suggestions and I'll gladly try them. I've already got debugging set to 2, but that doesn't seem to catch the AD auth problem (not integrated?).
kattrap on Feb 17. 2008. 6:59 am
update for AD auth: phew. That was not easy. Valdemar's "hey just put this in" post was far from what I needed to do. The included README and INSTALL were fairly lame as well for people not used to the pain of AD ldap on nix. The previous post (http://www.activecollab.com/forums/topic/2224/) states "Please be sure that your Apache has mod_ldap working and installed." This was easier said than done and required me to pull into the reaches of google to get this working (with a few detours).

Here's what I did that made it work (I think). Remember this is a Debian system, so this is going to be somewhat Debian-specific:
apt-get install php5-ldap slapd ldap-utils
enable the following apache2 modules: authnz_ldap.load, ldap.load
Followed the directions from the source of Vald's script:
http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
^ magic
Along the way I configured/enabled ldaps on the slapd service (slapd.conf) but I'm not sure if that is necessary (because php is using the ldap.conf file).

Interestingly the first company created has a primary key of 8.. threw me off when getting autocreate to work.
Ilija Studen on Feb 17. 2008. 9:49 am
I see no reason why SSL would not work in IE. When ROOT_URL (in config/config.php) is set to use https:// every URL activeCollab generates (page links, images etc) will use that protocol. SSL does not have to do anything with the application itself, only with the way the server sends and receives data.

kattrap:
suggesting yet another non-encrypted protocol?


Not really. SFTP is fine as well, but FTP is what most of our customers are using and are familiar with... We just don't want to confuse them with yet another acronym so we use FTP when we ask for direct access to the code. I understand that some companies cannot give us that, but in that case finding a solution for problems may take more time.
activeCollab team member
Oliver Maksimović on Feb 18. 2008. 12:40 am
P.S. When using SSL on a website: if paths to images (or any other included content) begin with "http://", Internet Explorer will often ignore those images, considering them 'insecure content', or it will show an additional message asking for permission to load insecure content. Lowering security options (bad idea) or setting the path to the correct value will solve the problem (this one is a good way, of course).
activeCollab team member, too ;)
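
Added example, not part of the original thread and not activeCollab code: a small Python check for the situation described in the post above, listing the subresources that a page served over HTTPS still references with http://. The hostname, paths and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "embed": "src", "source": "src", "link": "href"}
# <link> is only fetched for these rel values; rel="alternate" is not.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample: templates emitted http:// URLs on an HTTPS page.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="http://ac.example.test/assets/style.css">
<link rel="alternate" href="http://ac.example.test/rss">
<script src="/assets/app.js"></script>
</head><body>
<img src="http://ac.example.test/assets/images/logo.gif">
<img src="//ac.example.test/assets/images/ok.gif">
<a href="http://ac.example.test/help">help</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return  # <a href> is navigation, not a subresource
        values = dict(attrs)
        if tag == "link":
            rels = set((values.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        target = urljoin(self.page_url, (values.get(attr) or "").strip())
        if urlsplit(target).scheme == "http":
            self.findings.append((self.getpos()[0], tag, target))


def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two absolute http:// references in the sample are reported.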
oc on Feb 22. 2008. 11:48 am
kattrap:
update for AD auth: phew. That was not easy. Valdemar's "hey just put this in" post was far from what I needed to do. The included README and INSTALL were fairly lame as well for people not used to the pain of AD ldap on nix.


Nice attitude towards people giving away their work for free. Punk.
kattrap on Feb 28. 2008. 1:19 am
Perhaps my slang was misinterpreted. I only meant to show that the succinct README and INSTALL with Casper's well done repackaging of adLDAP to work with activeCollab did not mention the magic words "Apache LDAP authentication" that led me to get the AD authentication working.
I would hope, long term, that Casper's efforts are rewarded. I actually did donate to adLDAP via sourceforge. I did not see any way to compensate Casper (email me and I'll throw down a kickback, you're doing awesome work!).

It is interesting that this sort of corporate-level authentication is not built into a software package labeled for corporate use ($400 package). I can only assume that this sort of authentication will be built into future versions (1.2?).

I do like punk music ;)

