So called templates-custom
are the "ace in the hole" of our configuration system. Please have a look at
Hello Davide,
because of holiday and other projects I haven't had a chance to answer in time. But now I've added a directory named sogo-config to templates-custom and copied 10user_source_active_directory to it. In this file I changed, at "id = AD_Distributionlist", baseDN = "$baseDN"; to baseDN = "dc=MyDomainFS,dc=local,dc=my-domain,dc=de", but it doesn't work. Do you have any idea?
Did you set up bind credentials? IIRC MS Active Directory requires GSSAPI or LDAP authentication... Maybe I'm wrong but latest versions may require LDAPS (SSL) too...
Hello Davide,
thanks for your answer.
I think with these two lines on GitHub
# config setprop sogod AdsCredentials "sogoad%PASSWORD"
# signal-event nethserver-sogo-update
I get the binding. If I choose Branch1 or Branch2 in the web interface everything is fine, but I'm not able to choose both branches.
Could you paste here your SOGo configuration? This should be the command:
https://github.com/NethServer/nethserver-sogo/blob/v6/README.rst#inspect-sogo-configuration
Hello Davide,
how can I post the config file without losing the tags?
Ok, thanks. Here's the config file.
<?xml version="1.0" encoding="UTF-8"?>
NSGlobalDomain
sogod
    NGImap4ConnectionStringSeparator /
    NGUseUTF8AsURLEncoding YES
    OCSFolderInfoURL mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_folder_info
    OCSSessionsFolderURL mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_sessions_folder
    SOGoACLsSendEMailNotifications NO
    SOGoAppointmentSendEMailNotifications YES
    SOGoAppointmentSendEMailReceipts YES
    SOGoDraftsFolderName Drafts
    SOGoEnablePublicAccess YES
    SOGoFoldersSendEMailNotifications NO
    SOGoForwardEnabled YES
    SOGoIMAPServer localhost
    SOGoInternalSyncInterval 10
    SOGoJunkFolderName Junk
    SOGoMailAuxiliaryUserAccountsEnabled YES
    SOGoMailCustomFromEnabled YES
    SOGoMailDomain MyDomain.local.my-domain.de
    SOGoMailingMechanism smtp
    SOGoMaximumPingInterval 10
    SOGoMaximumSyncInterval 30
    SOGoMaximumSyncResponseSize 2048
    SOGoProfileURL mysql://sogo:4QPpFj6bRc8ad3Dp@localhost/sogo/sogo_user_profile
    SOGoSMTPServer 127.0.0.1:587
    SOGoSentFolderName Sent
    SOGoSieveScriptsEnabled YES
    SOGoSieveServer sieve://localhost:4190
    SOGoSuperUsernames admin
    SOGoTimeZone Europe/Berlin
    SOGoTrashFolderName Trash
    SOGoUserSources
        (source 1)
            CNFieldName cn
            IDFieldName sAMAccountName
            UIDFieldName sAMAccountName
            baseDN ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindDN CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindFields sAMAccountName userPrincipalName
            bindPassword MyPassword
            canAuthenticate YES
            displayName MyDomainFS.local.my-domain.de users
            filter (objectClass='user')
            hostname ldap://MyDomainFS.local.my-domain.de:389
            id AD_Users
            isAddressBook YES
            scope SUB
            type ldap
        (source 2)
            CNFieldName name
            IDFieldName sAMAccountName
            UIDFieldName sAMAccountName
            baseDN ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindDN CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindPassword MyPassword
            canAuthenticate YES
            displayName MyDomainFS.local.my-domain.de groups
            filter (objectClass='group') AND (sAMAccountType=268435456)
            hostname ldap://MyDomainFS.local.my-domain.de:389
            id AD_Groups
            isAddressBook YES
            scope SUB
            type ldap
        (source 3)
            CNFieldName name
            IDFieldName sAMAccountName
            UIDFieldName sAMAccountName
            baseDN ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindDN CN=sogoad,CN=Users,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE
            bindPassword MyPassword
            canAuthenticate NO
            displayName MyDomainFS.local.my-domain.de distribution lists
            filter (objectClass='group') AND (sAMAccountType=268435457)
            hostname ldap://MyDomainFS.local.my-domain.de:389
            id AD_DistributionLists
            isAddressBook YES
            scope SUB
            type ldap
        (source 4)
            CNFieldName cn
            IDFieldName cn
            UIDFieldName cn
            baseDN ou=Groups,dc=directory,dc=nh
            bindDN cn=sogo,dc=directory,dc=nh
            bindPassword 4QPpFj6bRc8ad3Dp
            canAuthenticate YES
            displayName Groupware groups
            hostname ldapi://
            id groups
            isAddressBook NO
            scope ONE
            type ldap
        (source 5)
            CNFieldName cn
            IDFieldName uid
            UIDFieldName uid
            baseDN ou=People,dc=directory,dc=nh
            bindDN cn=sogo,dc=directory,dc=nh
            bindPassword 4QPpFj6bRc8ad3Dp
            canAuthenticate YES
            displayName Groupware users
            filter accountStatus=active
            hostname ldapi://
            id users
            isAddressBook YES
            scope ONE
            type ldap
    SOGoVacationEnabled YES
    SxVMemLimit 512
    WOMessageUseUTF8 YES
    WOParsersUseUTF8 YES
    WOUseRelativeURLs YES
    WOWatchDogRequestTimeout 10
    WOWorkersCount 3
ou=Verwaltung is one of the two branches
I've tested it with NethServer 7 beta 1. I can see all users in the web interface, but not the branches. Also I can't log in with the accounts at the SOGo login page.
Does anyone have an idea how to log in to SOGo with Windows Active Directory accounts? It always says authentication failed, wrong username or password. I can see the users under users and groups on the NethServer, but the protocol says it can't bind.
Aug 31 14:08:03 sogod [13276]: 192.168.46.130 "GET /SOGo/ HTTP/1.1" 200 7354/0 0.107 23082 68% 0
Aug 31 14:08:18 sogod [13276]: <0x0x7f7650bf4ba0[LDAPSource]> <NSException: 0x7f7650553170> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login =
"samaccountname=mtraeumner@myDomain.local.my-domain.de,cn=users,dc=myDomain,dc=local,dc=my-domain,dc=de"; }
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> Could not bind to the LDAP server ldap://gps0.myDomain.local.my-domain.de:389 (389) using the bind DN:
cn=GROUPWARE,cn=Computers,dc=myDomain,dc=local,dc=my-domain,dc=de
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> <NSException: 0x7f7650c3a0b0> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login =
"cn=GROUPWARE,cn=Computers,dc=myDomain,dc=local,dc=my-domain,dc=de"; }
Aug 31 14:08:18 sogod [13276]: SOGoRootPage Login from "192.168.46.130" for user "mtraeumner@myDomain.local.my-domain.de" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Aug 31 14:08:18 sogod [13276]: 192.168.46.130 "POST /SOGo/connect HTTP/1.1" 403 34/102 0.042 - - 0
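The log excerpt above shows two different things happening in the same second: SOGo's own service account cannot bind to the directory ("Could not bind to the LDAP server"), and then the user's login is reported as failed ("bound: 0") and answered with a 403. When reading sogod logs it helps to tell those apart, because a bind failure of the service DN is an infrastructure problem (wrong service credentials, unreachable DC, LDAPS/StartTLS mismatch), while a failed user login with no preceding service-bind error is a wrong password, or, if it repeats across many users, something to alert on. The following Python script is an added example written for this thread, not part of the original post or of nethserver-sogo. It parses constructed log lines modelled on the excerpt (hostnames, users and IPs are placeholders) and tags each failed login with the likely cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the sogod excerpt in the thread.
# Hosts, users and addresses are placeholders, not real systems.
SAMPLE_LOG = """\
Aug 31 14:08:03 sogod [13276]: 192.168.46.130 "GET /SOGo/ HTTP/1.1" 200 7354/0 0.107 23082 68% 0
Aug 31 14:08:18 sogod [13276]: [ERROR] <0x0x7f7650bed1d0[LDAPSource]> Could not bind to the LDAP server ldap://dc.example.test:389 (389) using the bind DN: cn=GROUPWARE,cn=Computers,dc=example,dc=test
Aug 31 14:08:18 sogod [13276]: SOGoRootPage Login from "192.168.46.130" for user "alice@example.test" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Aug 31 14:08:18 sogod [13276]: 192.168.46.130 "POST /SOGo/connect HTTP/1.1" 403 34/102 0.042 - - 0
Aug 31 14:09:02 sogod [13276]: SOGoRootPage Login from "192.168.46.131" for user "bob@example.test" might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
Aug 31 14:09:02 sogod [13276]: 192.168.46.131 "POST /SOGo/connect HTTP/1.1" 403 34/102 0.041 - - 0
"""

# A service-bind error must precede the failed login within this window (assumed value)
# for the login failure to be blamed on the backend rather than on the user's password.
WINDOW = timedelta(seconds=5)

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) sogod \[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Either message SOGo logs when its own bind DN cannot authenticate or reach the server.
BACKEND_RE = re.compile(r"Could not bind to the LDAP server \S+|Can.t contact LDAP server")
# "bound: 0" is the marker that the user's own bind did not succeed.
LOGIN_FAIL_RE = re.compile(
    r'SOGoRootPage Login from "(?P<ip>[^"]+)" for user "(?P<user>[^"]+)" might not have worked.*bound: 0')


def parse_ts(text):
    """Syslog timestamps carry no year; only differences within one day matter here."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def classify_logins(log_text):
    """Return (user, ip, category) for every failed login found in the log text.

    category is "backend_failure" when the same sogod worker logged a service-bind
    error shortly before, otherwise "credential_failure".
    """
    last_backend_error = {}  # pid -> timestamp of that worker's most recent bind error
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]
        if BACKEND_RE.search(msg):
            last_backend_error[pid] = ts
            continue
        fail = LOGIN_FAIL_RE.search(msg)
        if not fail:
            continue
        err_ts = last_backend_error.get(pid)
        if err_ts is not None and timedelta(0) <= ts - err_ts <= WINDOW:
            category = "backend_failure"
        else:
            category = "credential_failure"
        events.append((fail["user"], fail["ip"], category))
    return events


def summarize(log_text):
    """Count failed logins per category; a rising credential_failure count is the one worth alerting on."""
    counts = {"backend_failure": 0, "credential_failure": 0}
    for _, _, category in classify_logins(log_text):
        counts[category] += 1
    return counts


if __name__ == "__main__":
    for user, ip, category in classify_logins(SAMPLE_LOG):
        print(f"{user:<24} {ip:<16} {category}")
    print(summarize(SAMPLE_LOG))
```

On the sample, alice's failure is tagged backend_failure because the worker 13276 logged the service-bind error in the same second, while bob's failure 44 seconds later, with no bind error before it, is tagged credential_failure. Feed it `/var/log/sogo/sogo.log` (or wherever your installation writes sogod output) and the split tells you whether to look at the service account first or at the user.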
Look at this answer on SO: http://stackoverflow.com/questions/9184978/ldap-root-query-syntax-to-search-more-than-one-specific-ou
It's clear that you cannot search for MULTIPLE branches at the same time. But you can search the whole domain and set the scope of the search for the entire subtree, which is not ideal.
Can you try a ldapsearch from the command line?
something like:
ldapsearch -h LDAPSERVER -D "uid=YOURADMINUSER,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE" -w YOURPASSWORD -b "ou=Verwaltung,dc=MyDomainFS,dc=LOCAL,dc=MY-DOMAIN,dc=DE"
Hi paspo,
ldapsearch shows me the following.
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
I've tried it with a user with admin rights and with the administrator account itself.
I've tried a new installation of NethServer 7 beta 1, then an update to 7 beta 2 and then joining the Active Directory. The first time I try to access the Active Directory it says "Invalid credentials". The second time I try with the same credentials (I don't change anything) it says task completed with errors. After that I have all users listed in the web interface, but I can't log in at SOGo.
I tested SOGo with Samba AD a long time ago, I don't know if it still works.
But you can try to configure it using the official documentation from Inverse.
If anybody is interested in maintaining nethserver-sogo rpm, I will gladly help.
Oh, I want to access my Windows AD, not Samba.
I've no problem with WebTop either. But I have to use my AD users and I have to sync with iOS, Android and Thunderbird.
Hi Giacomo,
now I've tested SOGo with Samba AD, but not with multiple branches. It works very well.
I used Nethserver 7 beta 2 with sogo and samba. I tried the sogo-webinterface and thunderbird with lightning.
For the contacts I used sogo-connector.
EDIT!!! Optimized the code and only one user for binding.
Only four years later I get it working with multiple branches (organisation units).
I created a bind user directly in the Users container (not an OU) in AD. This user is used to connect NethServer to the AD and for SOGo. Therefore I built a custom template 45user_source at
/etc/e-smith/templates-custom/etc/sogo/sogo.conf
{
    use NethServer::SSSD;
    my $sssd = new NethServer::SSSD();
    my $baseDN = $sssd->baseDN();
    my $bindDN = $sssd->bindDN();
    # backslashes in the bind DN must be doubled for the SOGo config string
    $bindDN =~ s/\\/\\\\/g;
    my $userDN = $sssd->userDN();
    my $groupDN = $sssd->groupDN();
    my $bindPassword = $sssd->bindPassword();
    my $host = $sssd->host();
    my $ldapURI = $sssd->ldapURI();
    # We must check if starttls is used
    my $tls = $sssd->startTls();
    if ($tls){
        $ldapURI = $ldapURI . '/????!StartTLS';
    }
    # select the email field in case of Microsoft AD bind
    my $CustomEmailField = $sogod{'CustomEmailField'} || 'userPrincipalName';
    if ($sssd->isLdap){
        # user source: ldap
        $OUT .= <<EOF
/* 45 ldap authentication */
SOGoUserSources =(
    \{
        id = groups;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = cn;
        IDFieldName = cn;
        baseDN = "$groupDN";
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        scope = ONE;
        canAuthenticate = YES;
        MailFieldNames = ("mail");
        displayName = "$SystemName groups";
        hostname = $ldapURI;
        isAddressBook = YES;
    \},
    \{
        id = users;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = uid;
        IDFieldName = mail;
        bindFields = (
            mail,
            uid
        );
        IMAPLoginFieldName = mail;
        baseDN = "$userDN";
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        scope = ONE;
        MailFieldNames = ("mail");
        canAuthenticate = YES;
        displayName = "$SystemName users";
        hostname = $ldapURI;
        isAddressBook = YES;
    \}
);
EOF
    } elsif($sssd->isAD){
        # user source: AD
        # escape every double quote in the password, otherwise it would end the config string early
        $bindPassword =~ s/"/\\"/g;
        $OUT .= <<EOF
/* 45 AD authentication */
SOGoUserSources =(
    \{
        id = AD_Users_1;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = $CustomEmailField;
        canAuthenticate = YES;
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        baseDN = "OU=MyOrganisationUnit_1,DC=MyDomainName,DC=local";
        bindFields = (
            sAMAccountName,
            $CustomEmailField
        );
        hostname = $ldapURI;
        filter = "(objectClass='user') AND (sAMAccountType=805306368)";
        MailFieldNames = ("$CustomEmailField");
        scope = SUB;
        displayName = "$DomainName users";
        isAddressBook = YES;
    \},
    \{
        id = AD_Users_2;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = $CustomEmailField;
        canAuthenticate = YES;
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        baseDN = "OU=MyOrganisationUnit_2,DC=MyDomainName,DC=local";
        bindFields = (
            sAMAccountName,
            $CustomEmailField
        );
        hostname = $ldapURI;
        filter = "(objectClass='user') AND (sAMAccountType=805306368)";
        MailFieldNames = ("$CustomEmailField");
        scope = SUB;
        displayName = "$DomainName users";
        isAddressBook = YES;
    \},
    \{
        id = AD_Groups_1;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        baseDN = "OU=MyOrganisationUnit_1,DC=MyDomainName,DC=local";
        hostname = $ldapURI;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("mail");
        scope = SUB;
        displayName = "$DomainName groups";
        isAddressBook = YES;
    \},
    \{
        id = AD_Groups_2;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        baseDN = "OU=MyOrganisationUnit_2,DC=MyDomainName,DC=local";
        hostname = $ldapURI;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("mail");
        scope = SUB;
        displayName = "$DomainName groups";
        isAddressBook = YES;
    \}
);
EOF
    }
}
Now we have to expand the template:
expand-template /etc/sogo/sogo.conf
Also I updated sogo config with:
signal-event nethserver-sogo-update
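The template above handles exactly two organisational units by writing one users entry and one groups entry per OU, all bound with the same service account, and it has to escape backslashes and double quotes in the bind DN and password so that the values survive as SOGo config strings. The Python script below is an added example for this thread, not code from the original post or from nethserver-sogo. It generalises the same idea to any number of OUs, shows the escaping explicitly, and lints the result for two things worth catching before `expand-template` runs: duplicated source ids (SOGo keys sessions and ACLs on the id) and a plain `ldap://` hostname without the `/????!StartTLS` suffix the template appends, which means the service password and every user password are sent to the domain controller in clear. All names, domains and passwords in it are constructed placeholders.

```python
# Added example, not the nethserver-sogo template: build and lint SOGoUserSources
# entries for several AD organisational units. Every DN, host and secret below is made up.

# Filters taken from the thread's template (normal user accounts, security groups).
USER_FILTER = "(objectClass='user') AND (sAMAccountType=805306368)"
GROUP_FILTER = "(objectClass='group') AND (sAMAccountType=268435456)"


def sogo_quote(value):
    """Escape a value for a double-quoted sogo.conf string: backslashes first, then quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def ldap_uri(host, port=389, starttls=False):
    """SOGo's LDAP URI form; the '/????!StartTLS' suffix tells SOGo to upgrade to TLS."""
    uri = f"ldap://{host}:{port}"
    return uri + "/????!StartTLS" if starttls else uri


def build_sources(ous, domain_dn, bind_dn, bind_password, uri, domain_name,
                  email_field="userPrincipalName"):
    """One users entry and one groups entry per OU, numbered like AD_Users_1 / AD_Groups_1."""
    sources = []
    for n, ou in enumerate(ous, start=1):
        common = {
            "type": "ldap", "bindDN": bind_dn, "bindPassword": bind_password,
            "baseDN": f"OU={ou},{domain_dn}", "hostname": uri, "scope": "SUB",
            "canAuthenticate": "YES", "isAddressBook": "YES",
            "IDFieldName": "sAMAccountName", "UIDFieldName": "sAMAccountName",
        }
        sources.append({**common, "id": f"AD_Users_{n}", "CNFieldName": "cn",
                        "IMAPLoginFieldName": email_field,
                        "bindFields": ["sAMAccountName", email_field],
                        "filter": USER_FILTER, "MailFieldNames": [email_field],
                        "displayName": f"{domain_name} users"})
        sources.append({**common, "id": f"AD_Groups_{n}", "CNFieldName": "name",
                        "filter": GROUP_FILTER, "MailFieldNames": ["mail"],
                        "displayName": f"{domain_name} groups"})
    return sources


def render(sources):
    """Render the SOGoUserSources block in sogo.conf syntax with string values escaped."""
    quoted_keys = {"bindDN", "bindPassword", "baseDN", "filter", "displayName"}
    out = ["SOGoUserSources = ("]
    for src in sources:
        out.append("  {")
        for key, val in src.items():
            if isinstance(val, list):
                val = "(" + ", ".join(f'"{sogo_quote(v)}"' for v in val) + ")"
            elif key in quoted_keys:
                val = f'"{sogo_quote(val)}"'
            out.append(f"    {key} = {val};")
        out.append("  },")
    out.append(");")
    return "\n".join(out)


def lint(sources):
    """Findings a practitioner wants before expanding the template: duplicate ids, clear-text LDAP."""
    findings, seen = [], set()
    for src in sources:
        if src["id"] in seen:
            findings.append(f"duplicate id {src['id']}")
        seen.add(src["id"])
        host = src["hostname"]
        if host.startswith("ldap://") and "!StartTLS" not in host:
            findings.append(f"{src['id']}: passwords travel in clear over {host}")
    return findings


if __name__ == "__main__":
    # Constructed input: two OUs, a service account in the Users container, StartTLS on.
    srcs = build_sources(["Sales", "Admin"], "DC=example,DC=test",
                         "CN=sogoad,CN=Users,DC=example,DC=test", 'p"a\\ss',
                         ldap_uri("dc.example.test", starttls=True), "example.test")
    print(render(srcs))
    print(lint(srcs) or "no findings")
```

Running it with `starttls=False` produces one finding per source, which is the configuration the earlier config dump in this thread (plain `ldap://...:389`) would get; with StartTLS, or with an `ldaps://` URI, the lint is silent. The rendering step is where the escaping matters: a password containing `"` written into `bindPassword = "...";` unescaped terminates the string early and SOGo fails to parse the file.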
Hope this can help some others. If somebody has problems, I will try to help.