LDAP search multiple branches

Hello,
is there a way to search the LDAP through multiple branches? I have two branches with users and I want to log in to SOGo with all the users.

This is my environment:

Domain: dc=MyDomainFS,dc=local,dc=my-domain,dc=de

Branch1: ou=Firm,dc=MyDomainFS,dc=local,dc=my-domain,dc=de
Branch2: ou=Administration,dc=MyDomainFS,dc=local,dc=my-domain,dc=de

cn=Users,dc=MyDomainFS,dc=local,dc=my-domain,dc=de

Thanks in advance for your help.

Connecting SOGo to a remote LDAP server is not possible with NS6 current configuration.

I’d suggest not installing nethserver-sogo at all, and going with a manual CentOS+SOGo setup.

Anyway I’d give a try to NS7 alpha, because it has support for a remote LDAP account database.

1 Like

Thanks for your answer Davide,
but with the configuration shown on GitHub, and selecting only one branch at the Windows Network point in NethServer, it works very well.
If I try to enter the domain like this 'dc=MyDomainFS,dc=local,dc=my-domain,dc=de' in the branch field for a global search, it doesn't work.

Hi Michael,
I understand your LDAP server is actually an Active Directory. You might try to make a custom template of

/etc/e-smith/templates/sogo-config/10user_source_active_directory

and set the baseDN parameter to fit your needs.

1 Like

Thanks for your answer and sorry for my late answer, but I haven’t had so much time.
I don’t understand how to do it with the template, can you explain it to me based on an example?

Thanks Michael

So-called templates-custom are the "ace in the hole" of our configuration system. Please have a look at

http://docs.nethserver.org/projects/nethserver-devel/en/v6.8/templates.html#local-site-overrides-templates-custom-and-templates-user-custom

2 Likes

Hello Davide,
because of holiday and other projects I haven't had a chance to answer in time. But now I've added a directory named sogo-config to templates-custom and copied 10user_source_active_directory to it. In this file I changed, at "id = AD_Distributionlist", baseDN = "$baseDN"; to baseDN = "dc=MyDomainFS,dc=local,dc=my-domain,dc=de", but it doesn't work. Do you have any idea?

Did you set up bind credentials? IIRC MS Active Directory requires GSSAPI or LDAP authentication… Maybe I’m wrong but latest versions may require LDAPs (SSL) too…

Hello Davide,
thanks for your answer.
I think with these two lines from GitHub

# config setprop sogod AdsCredentials ‘sogoad%PASSWORD’
# signal-event nethserver-sogo-update

I get the binding. If I choose Branch1 or Branch2 at the Web-Interface everything is fine, but I’m not able to choose both branches.

Could you paste here your SOGo configuration? This should be the command:

https://github.com/NethServer/nethserver-sogo/blob/v6/README.rst#inspect-sogo-configuration

Hello Davide,
how can I post the config file without losing the tags?

Wrap into a PRE tag. For instance, XML-like tags:

<pre>
<a><b></b></a>
</pre>

You get


Ok, thanks. Here’s the config file.

<?xml version="1.0" encoding="UTF-8"?>
<plist>
<dict>
    <key>NSGlobalDomain</key>
    <dict>
    </dict>
    <key>sogod</key>
    <dict>
    <key>NGImap4ConnectionStringSeparator</key>
    <string>/</string>
    <key>NGUseUTF8AsURLEncoding</key>
    <string>YES</string>
    <key>OCSFolderInfoURL</key>
    <string>mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_folder_info</string>
    <key>OCSSessionsFolderURL</key>
    <string>mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_sessions_folder</string>
    <key>SOGoACLsSendEMailNotifications</key>
    <string>NO</string>
    <key>SOGoAppointmentSendEMailNotifications</key>
    <string>YES</string>
    <key>SOGoAppointmentSendEMailReceipts</key>
    <string>YES</string>
    <key>SOGoDraftsFolderName</key>
    <string>Drafts</string>
    <key>SOGoEnablePublicAccess</key>
    <string>YES</string>
    <key>SOGoFoldersSendEMailNotifications</key>
    <string>NO</string>
    <key>SOGoForwardEnabled</key>
    <string>YES</string>
    <key>SOGoIMAPServer</key>
    <string>localhost</string>
    <key>SOGoInternalSyncInterval</key>
    <string>10</string>
    <key>SOGoJunkFolderName</key>
    <string>Junk</string>
    <key>SOGoMailAuxiliaryUserAccountsEnabled</key>
    <string>YES</string>
    <key>SOGoMailCustomFromEnabled</key>
    <string>YES</string>
    <key>SOGoMailDomain</key>
    <string>MyDomain.local.my-domain.de</string>
    <key>SOGoMailingMechanism</key>
    <string>smtp</string>
    <key>SOGoMaximumPingInterval</key>
    <string>10</string>
    <key>SOGoMaximumSyncInterval</key>
    <string>30</string>
    <key>SOGoMaximumSyncResponseSize</key>
    <string>2048</string>
    <key>SOGoProfileURL</key>
    <string>mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_user_profile</string>
    <key>SOGoSMTPServer</key>
    <string>127.0.0.1:587</string>
    <key>SOGoSentFolderName</key>
    <string>Sent</string>
    <key>SOGoSieveScriptsEnabled</key>
    <string>YES</string>
    <key>SOGoSieveServer</key>
    <string>sieve://localhost:4190</string>
    <key>SOGoSuperUsernames</key>
    <array>
        <string>admin</string>
    </array>
    <key>SOGoTimeZone</key>
    <string>Europe/Berlin</string>
    <key>SOGoTrashFolderName</key>
    <string>Trash</string>
    <key>SOGoUserSources</key>
    <array>
        <dict>
        <key>CNFieldName</key>
        <string>cn</string>
        <key>IDFieldName</key>
        <string>sAMAccountName</string>
        <key>UIDFieldName</key>
        <string>sAMAccountName</string>
        <key>baseDN</key>
        <string>ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindDN</key>
        <string>CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindFields</key>
        <array>
            <string>sAMAccountName</string>
            <string>userPrincipalName</string>
        </array>
        <key>bindPassword</key>
        <string>MyPassword</string>
        <key>canAuthenticate</key>
        <string>YES</string>
        <key>displayName</key>
        <string>MyDomainFS.local.my-domain.de users</string>
        <key>filter</key>
        <string>(objectClass='user')</string>
        <key>hostname</key>
        <string>ldap://MyDomainFS.local.my-domain.de:389</string>
        <key>id</key>
        <string>AD_Users</string>
        <key>isAddressBook</key>
        <string>YES</string>
        <key>scope</key>
        <string>SUB</string>
        <key>type</key>
        <string>ldap</string>
        </dict>
        <dict>
        <key>CNFieldName</key>
        <string>name</string>
        <key>IDFieldName</key>
        <string>sAMAccountName</string>
        <key>UIDFieldName</key>
        <string>sAMAccountName</string>
        <key>baseDN</key>
        <string>ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindDN</key>
        <string>CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindPassword</key>
        <string>MyPassword</string>
        <key>canAuthenticate</key>
        <string>YES</string>
        <key>displayName</key>
        <string>MyDomainFS.local.my-domain.de groups</string>
        <key>filter</key>
        <string>(objectClass='group') AND (sAMAccountType=268435456)</string>
        <key>hostname</key>
        <string>ldap://MyDomainFS.local.my-domain.de:389</string>
        <key>id</key>
        <string>AD_Groups</string>
        <key>isAddressBook</key>
        <string>YES</string>
        <key>scope</key>
        <string>SUB</string>
        <key>type</key>
        <string>ldap</string>
        </dict>
        <dict>
        <key>CNFieldName</key>
        <string>name</string>
        <key>IDFieldName</key>
        <string>sAMAccountName</string>
        <key>UIDFieldName</key>
        <string>sAMAccountName</string>
        <key>baseDN</key>
        <string>ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindDN</key>
        <string>CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE</string>
        <key>bindPassword</key>
        <string>MyPassword</string>
        <key>canAuthenticate</key>
        <string>NO</string>
        <key>displayName</key>
        <string>MyDomainFS.local.my-domain.de distribution lists</string>
        <key>filter</key>
        <string>(objectClass='group') AND (sAMAccountType=268435457)</string>
        <key>hostname</key>
        <string>ldap://MyDomainFS.local.my-domain.de:389</string>
        <key>id</key>
        <string>AD_DistributionLists</string>
        <key>isAddressBook</key>
        <string>YES</string>
        <key>scope</key>
        <string>SUB</string>
        <key>type</key>
        <string>ldap</string>
        </dict>
        <dict>
        <key>CNFieldName</key>
        <string>cn</string>
        <key>IDFieldName</key>
        <string>cn</string>
        <key>UIDFieldName</key>
        <string>cn</string>
        <key>baseDN</key>
        <string>ou=Groups,dc=directory,dc=nh</string>
        <key>bindDN</key>
        <string>cn=sogo,dc=directory,dc=nh</string>
        <key>bindPassword</key>
        <string>4QPpFj6bRc8ad3Dp</string>
        <key>canAuthenticate</key>
        <string>YES</string>
        <key>displayName</key>
        <string>Groupware groups</string>
        <key>hostname</key>
        <string>ldapi://</string>
        <key>id</key>
        <string>groups</string>
        <key>isAddressBook</key>
        <string>NO</string>
        <key>scope</key>
        <string>ONE</string>
        <key>type</key>
        <string>ldap</string>
        </dict>
        <dict>
        <key>CNFieldName</key>
        <string>cn</string>
        <key>IDFieldName</key>
        <string>uid</string>
        <key>UIDFieldName</key>
        <string>uid</string>
        <key>baseDN</key>
        <string>ou=People,dc=directory,dc=nh</string>
        <key>bindDN</key>
        <string>cn=sogo,dc=directory,dc=nh</string>
        <key>bindPassword</key>
        <string>4QPpFj6bRc8ad3Dp</string>
        <key>canAuthenticate</key>
        <string>YES</string>
        <key>displayName</key>
        <string>Groupware users</string>
        <key>filter</key>
        <string>accountStatus=active</string>
        <key>hostname</key>
        <string>ldapi://</string>
        <key>id</key>
        <string>users</string>
        <key>isAddressBook</key>
        <string>YES</string>
        <key>scope</key>
        <string>ONE</string>
        <key>type</key>
        <string>ldap</string>
        </dict>
    </array>
    <key>SOGoVacationEnabled</key>
    <string>YES</string>
    <key>SxVMemLimit</key>
    <string>512</string>
    <key>WOMessageUseUTF8</key>
    <string>YES</string>
    <key>WOParsersUseUTF8</key>
    <string>YES</string>
    <key>WOUseRelativeURLs</key>
    <string>YES</string>
    <key>WOWatchDogRequestTimeout</key>
    <string>10</string>
    <key>WOWorkersCount</key>
    <string>3</string>
    </dict>
</dict>
</plist>
ou=Verwaltung is one of the two branches

I've tested it with NethServer 7 beta 1. I can see all users in the web interface, but not the branches. Also, I can't log in with the accounts at the SOGo login page.

Does anyone have an idea how to log in to SOGo with Windows Active Directory accounts? It always says authentication failed, wrong username or password. I can see the users under Users and Groups on the NethServer, but the log says it can't bind.

Aug 31 14:08:03 sogod [13276]: 192.168.46.130 "GET /SOGo/ HTTP/1.1" 200 7354/0 0.107 23082 68% 0
Aug 31 14:08:18 sogod [13276]: <0x0x7f7650bf4ba0[LDAPSource]> <NSException: 0x7f7650553170> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login = "samaccountname=mtraeumner@myDomain.local.my-domain.de,cn=users,dc=myDomain,dc=local,dc=my-domain,dc=de"; }
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> Could not bind to the LDAP server ldap://gps0.myDomain.local.my-domain.de:389 (389) using the bind DN: cn=GROUPWARE,cn=Computers,dc=myDomain,dc=local,dc=my-domain,dc=de
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> <NSException: 0x7f7650c3a0b0> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login = "cn=GROUPWARE,cn=Computers,dc=myDomain,dc=local,dc=my-domain,dc=de"; }
Aug 31 14:08:18 sogod [13276]: SOGoRootPage Login from '192.168.46.130' for user 'mtraeumner@myDomain.local.my-domain.de' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Aug 31 14:08:18 sogod [13276]: 192.168.46.130 "POST /SOGo/connect HTTP/1.1" 403 34/102 0.042 - - 0

@nrauso @alefattorini have you any experience on it?

Nope, may @paspo help us?

Look at this answer on SO: http://stackoverflow.com/questions/9184978/ldap-root-query-syntax-to-search-more-than-one-specific-ou
It’s clear that you cannot search for MULTIPLE branches at the same time. But you can search the whole domain and set the scope of the search for the entire subtree, which is not ideal.

Can you try an ldapsearch from the command line?
Something like:

ldapsearch -h LDAPSERVER -D "uid=YOURADMINUSER,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE" -w YOURPASSWORD -b "ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE"

3 Likes
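Two ways of writing the user-source part of the pasted config in line with the advice above, as an added Python example that is not from the thread, from NethServer or from SOGo: one source rooted at the domain and searched with scope SUB, and, going one step further, one source per branch (SOGo consults every source that has canAuthenticate set to YES). The host, bind DN and branch DNs are the ones quoted in the thread; the bind password is a placeholder, and the DN comparison lower-cases components because the thread mixes dc=LOCAL and dc=local.

```python
import plistlib

# Values quoted in the thread; the password is a placeholder, not a real credential.
DOMAIN = "dc=MyDomainFS,dc=local,dc=my-domain,dc=de"
BRANCHES = {"Firm": "ou=Firm," + DOMAIN, "Administration": "ou=Administration," + DOMAIN}
BIND_DN = "CN=sogoad,CN=Users," + DOMAIN
HOST = "ldap://MyDomainFS.local.my-domain.de:389"


def normalize_dn(dn):
    """Lower-case every RDN and strip spaces, so dc=LOCAL and dc=local compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True when dn is base itself or lies beneath base in the directory tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def ad_user_source(source_id, base_dn, scope="SUB"):
    """One SOGoUserSources entry using the field names from the pasted config."""
    return {
        "id": source_id, "type": "ldap", "hostname": HOST, "baseDN": base_dn,
        "scope": scope, "bindDN": BIND_DN, "bindPassword": "PLACEHOLDER_PASSWORD",
        "bindFields": ["sAMAccountName", "userPrincipalName"],
        "CNFieldName": "cn", "IDFieldName": "sAMAccountName",
        "UIDFieldName": "sAMAccountName", "filter": "(objectClass='user')",
        "canAuthenticate": "YES", "isAddressBook": "YES", "displayName": source_id,
    }


def whole_domain_sources():
    """One source at the domain root; scope SUB then covers both OUs (and all others)."""
    return [ad_user_source("AD_Users", DOMAIN)]


def per_branch_sources():
    """One source per branch, each with its own unique id."""
    return [ad_user_source("AD_Users_" + name, dn) for name, dn in BRANCHES.items()]


def sogod_plist(sources):
    """Serialize in the NSGlobalDomain/sogod XML plist layout the thread pasted."""
    for s in sources:
        if not dn_under(s["baseDN"], DOMAIN):
            raise ValueError("baseDN outside the domain: " + s["baseDN"])
    if len({s["id"] for s in sources}) != len(sources):
        raise ValueError("SOGoUserSources ids must be unique")
    return plistlib.dumps({"NSGlobalDomain": {}, "sogod": {"SOGoUserSources": sources}})


def load_plist(data):
    """Parse the serialized plist back (used to check the round trip)."""
    return plistlib.loads(data)
```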

Hi paspo,
ldapsearch shows me the following.
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1

I’ve tried it with a user with admin rights and with the administrator account itself.
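An added example, not from the thread, for triaging the two failures shown above: it pulls the failed service bind and the failed user login out of sogod log lines, and decodes the "data 52e" sub-code that Active Directory appends to the ldapsearch error (the result code 49 is the same for every variant, so the sub-code is what separates a wrong password from a disabled or locked account). The sample lines are constructed from the thread's output with straight quotes.

```python
import re

# Constructed from the thread's sogod output, with straight quotes.
SOGOD_LOG = """\
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> Could not bind to the LDAP server ldap://gps0.myDomain.local.my-domain.de:389 (389) using the bind DN: cn=GROUPWARE,cn=Computers,dc=myDomain,dc=local,dc=my-domain,dc=de
Aug 31 14:08:18 sogod [13276]: SOGoRootPage Login from '192.168.46.130' for user 'mtraeumner@myDomain.local.my-domain.de' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
"""
# Constructed from the ldapsearch output quoted in the last post.
LDAPSEARCH_ERR = """\
ldap_bind: Invalid credentials (49)
\tadditional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
"""

# Sub-codes Active Directory reports as "data NNN" on a failed simple bind.
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_RE = re.compile(r"Could not bind to the LDAP server (\S+) .*using the bind DN: (.+)$")
LOGIN_RE = re.compile(r"Login from '([\d.]+)' for user '([^']+)'.*bound: (\d)")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")


def bind_failures(log):
    """(server URL, bind DN) for every failed service bind in sogod output."""
    return [m.groups() for line in log.splitlines() if (m := BIND_RE.search(line))]


def failed_logins(log):
    """(client IP, user) for every login attempt that ended with 'bound: 0'."""
    return [(m.group(1), m.group(2)) for line in log.splitlines()
            if (m := LOGIN_RE.search(line)) and m.group(3) == "0"]


def explain_ad_bind_error(text):
    """Human-readable meaning of the AD sub-code, or None if no sub-code is present."""
    m = DATA_RE.search(text)
    if not m:
        return None
    return AD_BIND_DATA.get(m.group(1), "unknown sub-code " + m.group(1))
```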