General discussion on installation and configuration of SOGo



Re: [SOGo] Multi-domain LDAP authentication. Problem


  • From: Nathanael Bettridge
  • Subject: Re: [SOGo] Multi-domain LDAP authentication. Problem
  • Date: Tue, 31 Jul 2012 17:57:35 +1000



> Hi,
>
> I'm trying to set up multi-domain SOGo (ver 2) and I currently have a
> working config, but one that's rather tedious to maintain.
>
> We have ou=zones such as:
>
> dn: dc=somedomain,dc=com,ou=zones,dc=webgate,dc=net,dc=au
> associatedDomain: somedomain.com
>
> And we have ou=emails such as:
>
> uid= ,ou=emails,dc=webgate,dc=net,dc=au
> mail:
> mail: ...
>
> My current SOGo config is as such:
>
> <snip>
>
> And while this config is working fine and it allows us to isolate one
> domain from another, it would be hard, tedious work to have to configure
> HUNDREDS of domains this way.
>
> Is there any way we can automate this? i.e. have SOGo look up ou=zones and
> check an associatedDomain attribute so that we can just add more domains
> to LDAP without having to reconfigure SOGo?
>
> Thanks,
> Petr


Hi Petr,

Depending on your LDAP backend, you can use LDAP ACLs, a single actual domain config block, and use BindAsCurrentUser to isolate users to what they can see in LDAP only (usually their own domain).

The option was implemented for exactly that scenario :)
However - I have no idea how it interacts with the OpenChange parts. If you're not using that or feel like beta testing them with this option (as a SOGo2 user you're already beta testing anyway), no problem :)

Pro: No automation scripts or config changes needed when adding domains ("just works")
Pro: all LDAP config in one place
Pro: LDAP direct access connections return the same results as the address book in SOGo
Con: Requires LDAP configuration changes
Con: No selection box for domains (full email based logins only)
Con: Limits domain config options to being global for all domains
Con: Sharing access across domains involves fiddling with ACLs on the directory

Thanks,

-Nathanael Bettridge
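
The directory-side isolation described in the reply above, as an added example that is not part of the original message or of the SOGo project: OpenLDAP access rules under which a user bound through a single SOGo user source with `bindAsCurrentUser = YES` can read only the mail entries of their own domain. Assumptions: the backend is OpenLDAP (slapd.conf syntax), and each mail entry's DN has the form `uid=<local>@<domain>,ou=emails,dc=webgate,dc=net,dc=au`; the thread does not show the real uid values, so adjust the patterns to the actual layout.

```conf
# slapd.conf ACL fragment -- constructed example, not from the thread.
# Assumed DN layout: uid=<local>@<domain>,ou=emails,dc=webgate,dc=net,dc=au
# slapd evaluates "access to" rules top-down and stops at the first
# <what> that matches, so order matters.

# 1. Passwords: usable for binding, changeable by the owner, never readable.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Mail entries: readable only by a bound user whose own DN carries the
#    same domain. ([^,]+) captures the domain of the entry being accessed;
#    $1 re-inserts it into the pattern the requester's DN must match.
#    Caveat: $1 is substituted as regex text, so "." in a domain matches
#    any character. Tighten the pattern if near-identical domains can exist.
access to dn.regex="^uid=[^,@]+@([^,]+),ou=emails,dc=webgate,dc=net,dc=au$"
    by dn.regex="^uid=[^,@]+@$1,ou=emails,dc=webgate,dc=net,dc=au$" read
    by * none

# 3. The container entry: authenticated users need "search" on the base
#    they search under, but nothing more.
access to dn.base="ou=emails,dc=webgate,dc=net,dc=au"
    by users search
    by * none

# 4. Everything else (including ou=zones) falls through to slapd's
#    implicit final rule, "access to * by * none".
```

Because SOGo then sees exactly what each user's bind may see, a direct LDAP search run with two test accounts from different domains shows whether the rules hold before any webmail user is exposed to them.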


