General discussion on installation and configuration of SOGo



[SOGo] Strange behaviour (bug?) with Multi-domains Configuration and LDAP


  • From: "Nils Fredrik Gjerull" ( ) < >
  • To: SOGo-users < >
  • Subject: [SOGo] Strange behaviour (bug?) with Multi-domains Configuration and LDAP
  • Date: Fri, 1 Apr 2016 13:34:46 +0200
  • Dmarc-filter: OpenDMARC Filter v1.2.0 mail.inverse.ca 5B765B900B1

Hi.

I want to configure SOGo to be able to service different MailDomains. Each
domain is a separate namespace, so that different domains can use the
same uid. The uid only needs to be unique within one domain, not for the
whole installation.

The SOGo Documentation says for the SOGoEnableDomainBasedUID property that:
---
Parameter used to enable user identification by domain. Users will be
able( without being required) to login using the form username@domain,
meaning that values of UIDFieldName no longer have to be unique among
all domains but only within the same domain.
---

I have tried two different solutions for this. One using the uid field
for the LDAP bind and as the UIDFieldName, and the other using the mail
field for the LDAP bind and UIDFieldName. They both fail, but using the
mail field is closest to being functional.

In Ubuntu version 2.1.1b-1 of SOGo I had a set-up that worked, based on
using uid as the UIDFieldName. After I upgraded to version 2.3.9-1 using
the Inverse Ubuntu repository it no longer works.

I will now try to explain the two different scenarios by including the
configuration and explaining how they fail.

Using uid as UIDFieldName:
-------------------------------------
SOGoEnableDomainBasedUID = YES;
SOGoForceExternalLoginWithEmail = YES;
domains = {
customer1.com = {
SOGoMailDomain = customer1.com;
SOGoUserSources = ({
id = public_customer1;
type = ldap;
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=users,ou=customer1.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindPassword = ****;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
};
customer2.com = {
SOGoMailDomain = customer2.com;
SOGoUserSources = ({
id = public_customer2;
type = ldap;
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=users,ou=customer2.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindPassword = ****;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
};
};

Using this set-up I am able to authenticate against LDAP, but when
traversing to the mail view it fails. The traversal tries to look up the
user in LDAP using customer2's baseDN (the last in the config file) for
all domains. It looks like the traversal ignores the domain part, even
if it is in the path.

SOGo will look up the uid 'post' using customer2's baseDN when using the
following URL:
https://mail.example.com/SOGo/so/ /Mail/view



Using mail as UIDFieldName:
--------------------------------------
SOGoEnableDomainBasedUID = YES;
SOGoForceExternalLoginWithEmail = YES;
domains = {
customer1.com = {
SOGoMailDomain = customer1.com;
SOGoUserSources = ({
id = public_customer1;
type = ldap;
CNFieldName = cn;
IDFieldName = mail;
UIDFieldName = mail;
baseDN = "ou=users,ou=customer1.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindFields = (mail);
bindPassword = ****;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
};
customer2.com = {
SOGoMailDomain = customer2.com;
SOGoUserSources = ({
id = public_customer2;
type = ldap;
CNFieldName = cn;
IDFieldName = mail;
UIDFieldName = mail;
baseDN = "ou=users,ou=customer2.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindFields = (mail);
bindPassword = ****;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
};
};

Using this set-up CalDAV and CardDAV work and I am able to log in to
the webmail client. The problem manifests itself after being inactive
(not accessing the server) for 5 min. After that time I get a 500 server
error from SOGo and the following message in the sogo log:
---
EXCEPTION: <NSException: 0x7fa95c3bea78> NAME:NSInvalidArgumentException
REASON:Tried to add nil value for key 'userName' to dictionary INFO:{}
---

I guess this has to do with some kind of in-memory session expiration
time. When I enable debug logging I can see that SOGo tries to look up
the user in LDAP with the uid @custome1.com. SOGo appends the domain
part even if it is already present.

My guess is that SOGo loads the session from the database and tries to
look up the user in LDAP, but does not check if the uid already contains
the domain part.

My question is whether I am using an unsupported configuration or am
doing it wrong, or perhaps this is caused by bugs in the code?

I apologise for the long e-mail.

Regards

--
Nils Fredrik Gjerull
-----------------------------
"Ministry of Eternal Affairs"
Computer Department
( Not an official title :) )
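An added example, not SOGo's own code or anything from the post, that models the domain-based UID lookup the two scenarios above describe: the user source is chosen by the domain part of the login instead of the last entry in the config, and the domain is appended to the uid only when it is not already there. The helper names, the per-domain table and the RFC 4515 filter escaping are assumptions of this example.

```python
# Constructed per-domain user sources mirroring the two configs in the post
# (hypothetical helper; not SOGo's own implementation).
UID_SOURCES = {
    "customer1.com": {"UIDFieldName": "uid",
                      "baseDN": "ou=users,ou=customer1.com,dc=example,dc=com"},
    "customer2.com": {"UIDFieldName": "uid",
                      "baseDN": "ou=users,ou=customer2.com,dc=example,dc=com"},
}
# Same sources with mail as UIDFieldName (second scenario in the post).
MAIL_SOURCES = {d: {**s, "UIDFieldName": "mail"} for d, s in UID_SOURCES.items()}


def split_login(login, default_domain=None):
    """Split 'user@domain' into (user, domain); a bare uid gets default_domain."""
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain.lower()
    return login, default_domain


def qualify_uid(uid, domain):
    """Append '@domain' only once: the check the post suspects is missing."""
    if uid.lower().endswith("@" + domain.lower()):
        return uid
    return f"{uid}@{domain}"


def escape_filter_value(value):
    """RFC 4515 escaping so a login value cannot rewrite the LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def resolve_lookup(login, sources=UID_SOURCES):
    """Return (baseDN, filter) for the source matching the login's domain part."""
    user, domain = split_login(login)
    if domain not in sources:
        raise LookupError(f"no user source for domain {domain!r}")
    src = sources[domain]
    # With UIDFieldName = mail the stored value is the full address, so the
    # filter carries the qualified uid, with the domain appended at most once.
    value = qualify_uid(user, domain) if src["UIDFieldName"] == "mail" else user
    return src["baseDN"], f"({src['UIDFieldName']}={escape_filter_value(value)})"
```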

