General discussion on installation and configuration of SOGo


Re: [SOGo] LDAP Address Book Indirect Bind

  • From: Nathanael Bettridge < >
  • To:
  • Subject: Re: [SOGo] LDAP Address Book Indirect Bind
  • Date: Sun, 5 Dec 2010 07:04:36 -0800 (PST)

Hi Dennis,
I've thought about that - as far as I can tell, that would still have the problem (except that all users could now see an address book for each domain, since the instance is shared). I'm also creating domains directly into LDAP, and if I use a different addressbook per domain, I need to edit configs & restart any SOGo instances whenever I do so (which is doable but messy). Is there a theoretical limit on the number of LDAP address books btw?
Unless there's some way to perform a substitution on the LDAP base of the address book when queried?
Something like (I'm no good @ Objective-C so pseudocode follows):

    $ParentDomain = getUserDNComponent($UserDN,3);
    $ldapsearchbase = $ParentDomain + ",o=hosting,dc=my,dc=domain";

On the other hand - I get the feeling it's possibly a good idea for LDAP queries visible to the user to respect LDAP ACLs for that user, regardless of the specific use case...
-Nathanael Bettridge

--- On Mon, 12/6/10, Dennis Petschull < > wrote:

From: Dennis Petschull < >
Subject: Re: [SOGo] LDAP Address Book Indirect Bind
To: "Nathanael Bettridge" < >
Date: Monday, December 6, 2010, 1:47 AM

Hi Nathanael,

Why not use a different subtree search for each of your domains, e.g.



On Sunday 05 December 2010 14:42:25 Nathanael Bettridge wrote:
> Hi folks,

> I'm setting up a multi-tenant mail system at the moment, SOGo works a treat
>  with it all, however there's one quirk.
> We're segregating different mail domains/organizations in LDAP within
>  different OUs (for example
>  uid=< >,ou=users,domainOU=test1.local,o=hosting,dc=my,dc=domain
>  and
>  uid=< >,ou=users,domainOU=test2.local,o=hosting,dc=my,dc=domain )
>  with each UID only having read permissions to its own domainOU and
>  below.
> Address books use a subtree search from o=hosting,dc=my,dc=domain - ACLs
>  screen out unwanted entries.
> When directly listing addresses from LDAP bound as a hosted user
>  (< > for instance), it can only see cards from within
>  domainOU=test1.local, o=hos...
> From within SOGo however, the user sees *all* configured domains' users,
>  not just his own. LDAP debugging indicates queries are made only as the DN
>  written into the defaults file (not the logged-in user)
> It would be nice if the LDAP addressbooks could be enumerated based on an
>  indirect bind. Is there any way to get SOGo to do this, or is it into
>  patch territory? For the moment I'm assuming I'll just have to keep LDAP
>  addressbooks hidden, but it would be nice to have them work this way...
> Thanks,

> Nathanael Bettridge
> Prodigy Communications--
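
The search-base substitution sketched in the pseudocode above, written out as an added example that is not part of the original thread and is not SOGo code. It assumes the DN layout described in the thread (a `domainOU` RDN directly above `o=hosting,dc=my,dc=domain`); the function names and the sample uid values are hypothetical. It anchors on the suffix rather than on a fixed component index, so an escaped comma in the uid cannot shift the tenant component.

```python
# Added example: tenant-scoped LDAP search base derived from a user's DN.
# The suffix and the domainOU attribute come from the thread; names are hypothetical.
HOSTING_SUFFIX = "o=hosting,dc=my,dc=domain"


def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 backslash escapes are honoured)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def tenant_search_base(user_dn, suffix=HOSTING_SUFFIX):
    """Return 'domainOU=<tenant>,<suffix>' for a DN under the suffix, else raise ValueError."""
    rdns = split_rdns(user_dn)
    suffix_rdns = split_rdns(suffix)
    n = len(suffix_rdns)
    # Fail closed: the DN must end with the hosting suffix (compared case-insensitively).
    if len(rdns) <= n or [r.lower() for r in rdns[-n:]] != [r.lower() for r in suffix_rdns]:
        raise ValueError("DN is not under the hosting suffix")
    tenant_rdn = rdns[-n - 1]  # RDN directly above the suffix
    attr, _, value = tenant_rdn.partition("=")
    if attr.strip().lower() != "domainou" or not value.strip():
        raise ValueError("expected a domainOU RDN directly above the suffix")
    return tenant_rdn + "," + suffix


if __name__ == "__main__":
    # Constructed sample DNs following the layout in the thread (uid values are made up).
    for dn in ("uid=alice,ou=users,domainOU=test1.local,o=hosting,dc=my,dc=domain",
               "uid=smith\\, bob,ou=users,domainOU=test2.local, o=hosting,dc=my,dc=domain"):
        print(tenant_search_base(dn))
```

This only narrows the search base; a query issued under the DN from the defaults file is still not evaluated against the logged-in user's LDAP ACLs.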
