General discussion on installation and configuration of SOGo

[SOGo] sogo 4.0.7 ldap ActiveDirectory authentication: filter by group membership doesn't work (worked with sogo 3.1.3)


  • Date: Thu, 16 May 2019 16:38:39 +0200

Dear all,

I'm migrating to SOGo nightly 4.0.7, and the filter that limits
authentication to users who are members of a certain group doesn't work
anymore. I can still filter (enable/disable access to SOGo) by checking
whether the account is disabled in Active Directory (Windows 2012R2).

My LDAP config:

SOGoUserSources = (
    {
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = sAMAccountName;
        IDFieldName = cn;
        baseDN = "CN=Users,dc=ad,dc=xyz,dc=org";
        bindDN = "CN=auth_sogo,CN=Users,DC=ad,DC=xyz,DC=org";
        bindFields = (sAMAccountName);
        bindPassword = "mypassw";
        canAuthenticate = YES;
        displayName = "xyz Staff";
        bindAsCurrentUser = YES;
        hostname = "ldaps://dc.ad.xyz.org:636";
        filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org' AND UserAccountControl:1.2.840.113556.1.4.803: <> 2";
        id = directory;
        isAddressBook = YES;
    }
);


I tried different syntaxes (e.g. filter =
"(objectClass='access_sogo' .... as in the manual), but a test user
always gets authenticated, no matter whether he is in the group
"access_sogo" or not. It also doesn't matter if I temporarily don't
check whether the AD user is disabled or not (e.g.
filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'";

also doesn't work; the user is always authenticated).

-) "access_sogo" is a global security group.
The test user is only in the "domain user" group, besides the "access_sogo"
group for testing.

-) The auth_sogo bind user is in the domain user group, nowhere else.

sogo.log:
....
May 16 14:35:10 sogod [22127]: <0x0x5652ad140220[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldaps://dc.xyz.org:636
May 16 14:35:10 sogod [22127]: SOGoRootPage successful login from '10.11.1.51' for user 'it-test' - expire = -1 grace = -1
....

Also,
LDAPDebugEnabled = YES;

doesn't seem to do anything.
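As an added example (not from the original post and not SOGo's own code), the Python helper below states the poster's intended restriction as a standard RFC 4515 LDAP filter and cross-checks SOGo's "successful login" log lines against the group's real member list, so logins by users outside access_sogo are caught in a log review while the SOGoUserSources filter is not being enforced. The log lines are constructed after the sogo.log format quoted above; the member list would in practice come from an LDAP query of the group.

```python
import re

# AD's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND) and
# the ACCOUNTDISABLE bit of userAccountControl, as used in the poster's filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2

# Constructed sample lines following the sogo.log format quoted in the post.
SAMPLE_LOG = """\
May 16 14:35:10 sogod [22127]: <0x0x5652ad140220[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldaps://dc.xyz.org:636
May 16 14:35:10 sogod [22127]: SOGoRootPage successful login from '10.11.1.51' for user 'it-test' - expire = -1 grace = -1
May 16 14:36:02 sogod [22127]: SOGoRootPage successful login from '10.11.1.52' for user 'jdoe' - expire = -1 grace = -1
May 16 14:36:40 sogod [22127]: SOGoRootPage successful login from '10.11.1.51' for user 'IT-Test' - expire = -1 grace = -1
"""

LOGIN_RE = re.compile(r"SOGoRootPage successful login from '([^']+)' for user '([^']+)'")


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an RFC 4515 search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_member_filter(group_dn: str, exclude_disabled: bool = True) -> str:
    """RFC 4515 equivalent of the SOGo filter quoted in the post:
    member of group_dn AND (optionally) account not disabled."""
    clauses = ["(memberOf=%s)" % ldap_escape(group_dn)]
    if exclude_disabled:
        clauses.append("(!(userAccountControl:%s:=%d))" % (BIT_AND_RULE, UF_ACCOUNTDISABLE))
    return "(&" + "".join(clauses) + ")"


def successful_logins(log_text: str):
    """Return (user, source_ip) for every SOGoRootPage successful-login line."""
    return [(m.group(2), m.group(1)) for m in LOGIN_RE.finditer(log_text)]


def logins_outside_group(log_text: str, members) -> list:
    """Users who logged in but are not group members (sAMAccountName is case-insensitive)."""
    allowed = {m.lower() for m in members}
    seen = {user.lower() for user, _ in successful_logins(log_text)}
    return sorted(seen - allowed)
```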


