General discussion on installation and configuration of SOGo

Re: [SOGo] sogo 4.0.7 ldap ActiveDirectory authentication: filter by group membership doesn't work (worked with sogo 3.1.3)


  • Subject: Re: [SOGo] sogo 4.0.7 ldap ActiveDirectory authentication: filter by group membership doesn't work (worked with sogo 3.1.3)
  • Date: Thu, 16 May 2019 17:48:01 +0200

OK,

it seems I can answer the question myself: after taking 10 minutes to
craft the email below, it suddenly worked. I guess this is because the AD group
membership cache was renewed.

The old SOGo is authenticating against a much faster DC, so there
seems to be no caching delay.

For the new SOGo 4.0.7 deployment I authenticated against a much slower
DC, so group membership caching seems to be an issue ....

I tried it now 3 times, waiting a couple of minutes, and the filter is
working. So I think it was the AD group caching all the time ...
Hopefully this is useful information so nobody else wastes hours on it.




On 16.05.19 16:38, [name elided] wrote:
> Dear all,
>
> I'm migrating to SOGo nightly 4.0.7 and the filter to limit
> authentication to users being members of a certain group doesn't work
> anymore. I can still filter (enable/disable access to SOGo) by checking
> whether the account is disabled in Active Directory (Windows 2012R2).
>
> My LDAP config:
>
> SOGoUserSources = (
> {
> type = ldap;
> CNFieldName = cn;
> UIDFieldName = sAMAccountName;
> IDFieldName = cn;
> baseDN = "CN=Users,dc=ad,dc=xyz,dc=org";
> bindDN = "CN=auth_sogo,CN=Users,DC=ad,DC=xyz,DC=org";
> bindFields = (sAMAccountName);
> bindPassword = "mypassw";
> canAuthenticate = YES;
> displayName = "xyz Staff";
> bindAsCurrentUser = YES;
> hostname = "ldaps://dc.ad.xyz.org:636";
> filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'
> AND UserAccountControl:1.2.840.113556.1.4.803: <> 2";
> id = directory;
> isAddressBook = YES;
> }
> );
>
>
> I tried different syntaxes (e.g. filter =
> "(objectClass='access_sogo' .... as in the manual), but a test user
> always gets authenticated, no matter whether he is in the group
> "access_sogo" or not. It also doesn't matter when I temporarily don't
> check whether the AD user is disabled or not (e.g.
> filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'";
>
> also doesn't work: the user is always authenticated).
>
> -) "access_sogo" is a global security group.
> The test user is only in the "domain user" group, besides the "access_sogo"
> group for testing.
>
> -) The auth_sogo bind user is in the domain user group, nowhere else.
>
> sogo.log:
> ....
> May 16 14:35:10 sogod [22127]: <0x0x5652ad140220[NGLdapConnection]>
> Using ldap_initialize for LDAP URL: ldaps://dc.xyz.org:636
> May 16 14:35:10 sogod [22127]: SOGoRootPage successful login from
> '10.11.1.51' for user 'it-test' - expire = -1 grace = -1
> ....
>
> Also,
> LDAPDebugEnabled = YES;
>
> doesn't seem to do anything.
>


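As an added example (not code from the thread or from SOGo): the standard RFC 4515 LDAP filter that expresses the same rule as the SOGo `filter` above (direct member of the group and the ACCOUNTDISABLE bit of userAccountControl clear), which can be pasted into ldapsearch against the DC to confirm what the directory actually returns before suspecting caching, plus a local evaluator over constructed entries. The group DN is the one from the thread; the user entries are constructed test data, and the function names are this example's own.

```python
# Added example, not from SOGo or the thread: build the LDAP filter equivalent of
# "memberOf = '<group>' AND userAccountControl:1.2.840.113556.1.4.803: <> 2" and
# evaluate the same rule locally against constructed AD-style entries.

ACCOUNTDISABLE = 0x2                     # userAccountControl bit: account disabled
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD extensible match rule: bitwise AND


def escape(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(group_dn):
    """Member of group_dn AND not disabled, as an ldapsearch-ready filter string."""
    return (f"(&(memberOf={escape(group_dn)})"
            f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))")


def allowed(entry, group_dn):
    """Local mirror of build_filter: direct membership and the disable bit clear.

    AD's memberOf attribute lists direct memberships only, so a user who is in
    the group only via a nested group does not match this filter on the server.
    """
    member = group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))
    disabled = entry.get("userAccountControl", 0) & ACCOUNTDISABLE
    return bool(member and not disabled)


# Constructed entries (not real directory data), modelled on the thread's test user.
GROUP = "CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org"
ENTRIES = {
    "it-test":  {"memberOf": [GROUP], "userAccountControl": 0x200},  # normal, in group
    "other":    {"memberOf": [], "userAccountControl": 0x200},       # normal, not in group
    "disabled": {"memberOf": [GROUP], "userAccountControl": 0x202},  # in group but disabled
}

if __name__ == "__main__":
    print("ldapsearch filter:", build_filter(GROUP))
    for uid, entry in ENTRIES.items():
        print(uid, "allowed" if allowed(entry, GROUP) else "denied")
```

If the server-side search with this filter returns the user at once, the directory data is consistent and any remaining delay is on the SOGo or DC caching side rather than in the filter.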
