Sogo LDAP bind error

m.traeumner (Michael Träumner) 2017-10-24 10:44:15 UTC #1

NethServer Version: NethServer release 7.3.1611
Module: Sogo 3.2.10

Hi to all,
since today I can’t synchronize my calendars with thunderbird inverse sogo connector and outlook calddavsynchchronizer.
Caldavsynchronizer gives the following error:

CalDavSynchronizer.DataAccess.WebDavClientException: Response status code does not indicate success: ‘405’ (‘Not Allowed’)

sogolog gives me the following:

2017-10-24 12:15:03.474 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:03.716 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:03.976 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:04.148 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:04.320 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:04.491 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
2017-10-24 12:15:04.663 sogod[1811:1811] ERROR(-[NGLdapSearchResultEnumerator nextObject]): does not support result references yet .. 
Oct 24 12:15:04 sogod [1811]: 192.168.46.120 "REPORT /SOGo/dav/admin/Calendar/6C5-5965CE80-3-4A42B780/ HTTP/1.1" 207 7408/683 1.446 - - 116K 
Oct 24 12:15:04 sogod [1811]: 192.168.46.120 "REPORT /SOGo/dav/admin/Calendar/6C2-5965CF00-7-40810D00/ HTTP/1.1" 207 4098/683 0.051 - - 0 
Oct 24 12:15:04 sogod [1811]: 192.168.46.120 "REPORT /SOGo/dav/admin/Calendar/6C2-5965CF00-9-40810D00/ HTTP/1.1" 207 32233/683 0.057 - - 0 
Oct 24 12:15:40 sogod [1811]: <0x0x559072677c30[LDAPSource]> <NSException: 0x5590733c77c0> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "samaccountname=Username,dc=MyDomain,dc=de"; }

At Sogo webinterface I can login with the same user.

What I’ve changed till yesterday is deleting two calendars and creating one new.
What I’ve done after getting the errors is restarting sogod, sssd and after it doesn’t help I restarted the server.
It is a production server with sogo, local AD, dokuwiki and squid.
What can I do,

Can't run a SOGo Backup

mrmarkuz (Markus Neuberger) 2017-10-24 11:05:58 UTC #2

Is the login string correct? I think “cn=Username,cn=Users,dc=MyDomain,dc=de” would be correct, just an idea…

m.traeumner (Michael Träumner) 2017-10-24 11:25:33 UTC #3

Hi Markus Thanks for your fast answer,
The login string is correct but I found my error. For testing my test-server I changed my proxy settings at Internet Explorer. Caldavsynchronizer, also sogo connector don’t work if you change the proxy to another one than SOGo-Server.
At caldavsynchronizer you can change proxy settings from IE to other proxy settings, but SOGo Connector has no settings.

The credentials error at the log still appears, but with no effect.
Can you test it and have a look at your log?
Thanks in advance.

mrmarkuz (Markus Neuberger) 2017-10-24 11:43:19 UTC #4

I don’t use Sogo with caldavsync, but I may test it in the evening…

mrmarkuz (Markus Neuberger) 2017-10-24 19:20:03 UTC #5

I tested it now with NS 7.4, Sogo 3.2.1, caldavsynchronizer 2.25 and Outlook 2013 and I have no credentials error in sogo.log.
By the way caldavsynchronizer is really a nice tool supporting much interfaces…

m.traeumner (Michael Träumner) 2017-10-25 08:41:27 UTC #6

Hi Markus,
thanks for your testing.
So I know it’s an error with my installation or configuration.
Perhaps somebody has an idea how to find out why the message appears.
It appears to every user which is connected inclusive the admin-user which doesn’t connect to caldav. The admin user is used to login to webinterface and creates and shares calendars for the other users.

m.traeumner (Michael Träumner) 2017-10-25 09:29:08 UTC #7

Output of config show sogod if it helps:

[root@groupware ~]# config show sogod
sogod=service
    ActiveSync=enabled
    AdminUsers=admin
    Certificate=
    Dav=enabled
    DraftsFolder=Drafts
    MailAuxiliaryUserAccountsEnabled=YES
    Notifications=Appointment,EMail
    SOGoInternalSyncInterval=30
    SOGoMaximumPingInterval=3540
    SOGoMaximumSyncInterval=3540
    SOGoMaximumSyncResponseSize=2048
    SOGoMaximumSyncWindowSize=100
    SentFolder=Sent
    SessionDuration=1440
    SxVMemLimit=512
    TrashFolder=Trash
    VirtualHost=
    VirtualHosts=
    WOWatchDogRequestTimeout=60
    WOWorkersCount=10
    status=enabled

The error appears everytime a user logs in to webinterface or caldavsynchronizer syncs.

mrmarkuz (Markus Neuberger) 2017-10-25 12:52:52 UTC #8

My config is exactly the same, so this is the default config I think:

sogod=service
    ActiveSync=enabled
    AdminUsers=admin
    Certificate=
    Dav=enabled
    DraftsFolder=Drafts
    MailAuxiliaryUserAccountsEnabled=YES
    Notifications=Appointment,EMail
    SOGoInternalSyncInterval=30
    SOGoMaximumPingInterval=3540
    SOGoMaximumSyncInterval=3540
    SOGoMaximumSyncResponseSize=2048
    SOGoMaximumSyncWindowSize=100
    SentFolder=Sent
    SessionDuration=1440
    SxVMemLimit=512
    TrashFolder=Trash
    VirtualHost=
    WOWatchDogRequestTimeout=60
    WOWorkersCount=10
    status=enabled

But I searched our forum for sogo connection strings and found some:

https://community.nethserver.org/search?q=error_code"%20%3D%2049

LDAP:
"uid=nas@somedomain.net,ou=people,dc=directory,dc=nh"

AD:
"samaccountname=gerald@otherdomain.com,cn=users,dc=neuching,dc=com"

So if you have a user named Username it will be ok but I don’t think so.

Wrong:

"error_code" = 49; login = "samaccountname=Username,dc=MyDomain,dc=de"

Correct:

"error_code" = 49; login = "samaccountname=realexistinguser,cn=users,dc=MyDomain,dc=de"

It looks like a wrong default setting but from where does it come?

m.traeumner (Michael Träumner) 2017-10-25 13:02:54 UTC #9

Hi Markus,
I changed the real username to “Username” only for posting. It’s correct.

mrmarkuz (Markus Neuberger) 2017-10-25 13:05:28 UTC #10

Haha sorry, didn’t check it…
But the users cn still missing:

samaccountname=realexistinguser,cn=users,dc=MyDomain,dc=de

m.traeumner (Michael Träumner) 2017-10-26 08:24:10 UTC #11

Hello Markus,

the configuration was generated automatically and I have no custom templates for sogo.

  /* 45 AD authentication */
    SOGoUserSources =(
     {
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "MyDomain\\MyServer$";
        bindPassword = "MyBindPassword"; //it's still clear text (I've updated to 7,4 final, but no reboot)
        baseDN = "dc=MyDomain,dc=de";
        bindFields = (
                sAMAccountName,
                userPrincipalName
            );
        hostname = ldaps://MyDomain.de;
        filter = "(objectClass='user')";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "MyDomain.de users";
        isAddressBook = YES;
     },
     {
        id = AD_Groups;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "MyDomain\\MyServer$";
        bindPassword = "MyBindPassword";
        baseDN = "dc=MyDomain,dc=de";
        hostname = ldaps://MyDomain.de;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "MyDomain.de groups";
        isAddressBook = YES;
     }
    );

But I did some more tests, the error only occours if I add an email-address to CalDav-Synchronizer Profile or if I login to webinterface.
Without an email-address at CalDav-Synchronizer the error is away.

I’ve looked at the posts, inclusive the one of me , but they all have a real problem with login.

mrmarkuz (Markus Neuberger) 2017-10-26 10:35:27 UTC #12

I tested again, and if I add caldavsynchronizer contact sync(with calendar it worked without error yesterday) with an AD nethserver(LDAP is working without error) then I can reproduce your error:

Oct 26 11:50:18 sogod [25568]: <0x0x55d8d6670160[LDAPSource]> <NSException: 0x55d8d6bafec0> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "samaccountname=markus,dc=ad,dc=cmb,dc=local"; }

I think caldavsynchronizer just tries different “AD login possibilities” with and without “cn=users” and the errors just show the failed tries. Syncing works like a charm so the error may be safely ignored.