[SOLVED] Sogo+AD+Chinese Typo on sogo.conf - I do not understand

sogo
activedirectory
v7
mail

(Zwordi) #1

NethServer Version: 7.3.1611
Module: Sogo
Hello Everyone,

I’m a Linux lover but I’m new to NethServer.
We are planning to use it for our organisation and, as you may have guessed, I have an issue with it.
My issue is about Sogo integration when a local AD is set up.
The Sogo service refuses to start, while I have no issue accessing a user account with Roundcube.

I spent some hours on your wiki/community website and the wider web without finding anything.

Would you be kind enough to give me a hand with this situation :slight_smile:

Here is some info about my situation:

------config show -----

DomainName=toto.fr
MinUid=5000
MySQL-asteriskcdrdb=odbc
    Database=asteriskcdrdb
    Description=ODBC on asteriskcdrdb
    Driver=MySQL
    Port=3306
    Server=localhost
OrganizationContact=configuration
    City=Hometown
    Company=Example Org
    CountryCode=
    Department=Main
    PhoneNumber=575-1685
    State=
    Street=123 Main Street
SystemName=mail-dev
TimeZone=Europe/Brussels
admins=configuration
    group=domain admins
    user=admin
amavisd=service
    AdminNotificationStatus=disabled
    AvailableDecoders=mail,asc,uue,hqx,ync,F,Z,gz,bz2,lzo,rpm,cpio,tar,deb,zip,7z,rar,arj,arc,zoo,lha,doc,cab,tnef,exe
    BlockAttachmentClassList=Exec
    BlockAttachmentCustomList=doc,odt
    BlockAttachmentCustomStatus=disabled
    BlockAttachmentStatus=enabled
    EnabledDecoders=mail,asc,uue,hqx,ync,F,Z,gz,bz2,lzo,rpm,cpio,tar,deb,zip,7z,rar,arj,arc,zoo,lha,doc,cab,tnef,exe
    MaxProcesses=4
    RecipientWhiteList=
    SenderBlackList=
    SenderWhiteList=
    SpamCheckStatus=enabled
    SpamDsnLevel=20
    SpamKillLevel=15.0
    SpamSubjectPrefixStatus=enabled
    SpamSubjectPrefixString=***SPAM*** 
    SpamTag2Level=5.0
    SpamTagLevel=2.0
    TCPPorts=
    VirusCheckStatus=enabled
    status=enabled
asterisk=service
    AllowExternalIAX=disabled
    AllowExternalSIPS=enabled
    AllowExternalWebRTC=enabled
    TCPPorts=5060,5038,8088,8089
    UDPPorts=4569,5036,5060,5160,10000:20000
    access=green
    status=enabled
backup-config=configuration
    HistoryLength=3
    notify=never
    notifyFrom=
    notifyTo=admin@localhost
    status=enabled
backup-data=configuration
    BackupTime=1:00
    CleanupOlderThan=never
    FullDay=0
    LogFile=/var/log/last-backup.log
    Mount=/mnt/backup
    NFSHost=
    NFSShare=
    Program=duplicity
    SMBHost=
    SMBLogin=
    SMBPassword=
    SMBShare=
    Type=incremental
    USBLabel=
    VFSType=
    VolSize=250
    WebDAVLogin=
    WebDAVPassword=
    WebDAVUrl=
    notify=error
    notifyFrom=
    notifyTo=root@localhost
    status=disabled
cgp=configuration
    alias=ad8057070018708f45d42e6a878488c4fd9d42bf
chronyd=service
    NTPServer=pool.ntp.org
    UDPPort=123
    access=green
    status=enabled
collectd=service
    PingHosts=
    status=enabled
dns=configuration
    NameServers=8.8.8.8
dnsmasq=service
    CacheSize=4000
    TCPPort=53
    UDPPorts=53,67,69
    access=green
    dhcp-boot=
    except-interface=virbr0
    status=enabled
    tftp-status=enabled
dovecot=service
    AdminIsMaster=disabled
    DeletedToTrash=disabled
    FtsLuceneStatus=enabled
    ImapMaxLineLenght=2048
    ImapStatus=enabled
    KrbKeytabPath=/var/lib/dovecot/krb5.keytab
    KrbPrimaryList=smtp,imap,pop
    KrbStatus=enabled
    LmtpInetListenerStatus=disabled
    LogActions=disabled
    MaxProcesses=400
    MaxUserConnectionsPerIp=12
    PopStatus=enabled
    QuotaDefaultSize=20
    QuotaStatus=disabled
    SharedMailboxesStatus=enabled
    SpamFolder=Junk
    SpamRetentionTime=15d
    TCPPorts=110,143,4190,993,995
    TlsSecurity=required
    access=green,red
    status=enabled
firewall=configuration
    CheckIP=8.8.8.8,208.67.222.222
    Docker=disabled
    ExternalPing=enabled
    HairpinNat=disabled
    MACValidation=disabled
    MACValidationPolicy=drop
    MaxNumberPacketLoss=5
    MaxPercentPacketLoss=10
    NotifyWan=disabled
    NotifyWanFrom=root@localhost
    NotifyWanTo=root@localhost
    PingInterval=5
    Policy=permissive
    WanMode=balance
    nfqueue=disabled
    tc=Simple
fstab=configuration
httpd=service
    SSLCipherSuite=HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    TCPPorts=80,443
    access=green,red
    status=enabled
httpd-admin=service
    ForcedLoginModule=
    SSL=enabled
    TCPPort=980
    access=green,red
    colors=
    favicon=favicon.png
    headerBackground=
    logo=
    menuBackground=
    status=enabled
httpd-fpbx=service
    ValidFrom=10.47.175.79/255.255.0.0,172.0.0.0/255.255.255.0
    access=green
    status=enabled
janus-gateway=service
    access=green
    status=enabled
libvirtd=service
    status=enabled
logrotate=configuration
    Compression=disabled
    Rotate=weekly
    Times=4
lsm=service
    status=disabled
maxAcctNameLength=31
maxGroupNameLength=31
memcached=service
    status=enabled
mysqld=service
    LocalNetworkingOnly=no
    MaxAllowedPacket=16M
    TCPPort=3306
    access=
    status=enabled
nsdc=service
    IpAddress=10.47.175.101
    ProvisionType=newdomain
    bridge=br0
    status=enabled
nsswitch=configuration
    aliases=files nisplus
    automount=files nisplus
    bootparams=nisplus [NOTFOUND=return] files
    ethers=files
    group=files
    hosts=files dns
    netgroup=nisplus
    netmasks=files
    networks=files
    passwd=files
    protocols=files
    publickey=nisplus
    rpc=files
    services=files
    shadow=files
passwordstrength=configuration
    MaxPassAge=180
    MinPassAge=0
    PassExpires=no
    PassWarning=7
    Users=strong
phone-home=configuration
    status=disabled
    uuid=c54ef028-7a94-4cc5-854f-faa5845480a6
php=configuration
    DateTimezone=UTC
    ExposePhp=
    MaxExecutionTime=
    MemoryLimit=
    PostMaxSize=
    ShortOpenTag=
    UploadMaxFilesize=
pki=configuration
    CertificateDuration=3650
    ChainFile=
    CommonName=
    CountryCode=
    CrtFile=
    EmailAddress=
    KeyFile=
    LetsEncrypt=disabled
    LetsEncryptDomains=
    LetsEncryptMail=
    LetsEncryptRenewDays=30
    Locality=
    Organization=
    OrganizationalUnitName=
    State=
    SubjectAltName=
postfix=service
    AccessBypassList=
    AccessPolicies=
    AdsGroupsDeliveryType=copy
    AdsMapUserPrincipalStatus=enabled
    AlwaysBccAddress=
    AlwaysBccStatus=disabled
    ConnectionsLimit=0
    ConnectionsLimitPerIp=0
    HeloHost=
    KrbStatus=enabled
    MessageQueueLifetime=4
    MessageSizeMax=20000000
    MessageSizeMin=1048576
    MxRecordStatus=enabled
    RblServers=
    RblStatus=disabled
    SmartHostName=
    SmartHostPassword=
    SmartHostPort=25
    SmartHostStatus=disabled
    SmartHostTlsStatus=enabled
    SmartHostUsername=
    SpfStatus=disabled
    SystemUserRecipientStatus=disabled
    TCPPorts=25,465,587
    access=green,red
    status=enabled
proxy=configuration
    host=
    password=
    port=
    user=
rh-php56-php-fpm=service
    TCPPorts=9000
    access=
    status=enabled
root=configuration
    EmailAddress=
    KeepMessageCopy=yes
roundcubemail=configuration
    PluginsList=managesieve,markasjunk
    Server=localhost
    access=public
rsyslog=service
    LogAll2VT6=no
    status=enabled
shorewall=service
    status=enabled
smartd=service
    status=enabled
sogod=service
    ActiveSync=enabled
    AdminUsers=admin
    AdsCredentials=*********************
    Certificate=
    Dav=enabled
    DraftsFolder=Drafts
    MailAuxiliaryUserAccountsEnabled=YES
    Notifications=Appointment,EMail
    SOGoInternalSyncInterval=30
    SOGoMaximumPingInterval=3540
    SOGoMaximumSyncInterval=3540
    SOGoMaximumSyncResponseSize=2048
    SOGoMaximumSyncWindowSize=100
    SentFolder=Sent
    SessionDuration=1440
    SxVMemLimit=512
    TrashFolder=Trash
    VirtualHost=
    WOWatchDogRequestTimeout=60
    WOWorkersCount=10
    status=enabled
spamassassin=service
    TCPPort=783
    access=
    status=enabled
sshd=service
    LoginGraceTime=2m
    MaxAuthTries=6
    PasswordAuthentication=yes
    PermitRootLogin=yes
    Protocol=2
    TCPPort=22
    UsePAM=yes
    access=green,red
    status=enabled
sssd=service
    AdDns=10.47.175.101
    LdapURI=
    Provider=ad
    Realm=AD.toto.fr
    Workgroup=TOTO
    status=enabled
sysconfig=configuration
    Copyright=
    DefaultLanguage=en_US.utf8
    ProductName=NethServer
    Release=Final
    Version=7.3.1611
unbound=service
    UDPPort=10053
    access=
    status=enabled
webvirtmgr=service
    Password=****************
    TCPPort=8000
    User=admin
    access=green
    status=disabled
webvirtmgr-console=service
    TCPPorts=5900:5950,16509,6080
    access=green
    status=disabled

------account-provider-test dump -------

   "BindDN" : "TOTO\\MAIL-DEV$",
   "LdapURI" : "ldaps://ad.TOTO.fr",
   "StartTls" : "",
   "port" : 636,
   "host" : "ad.TOTO.fr",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=TOTO,dc=fr",
   "GroupDN" : "dc=ad,dc=TOTO,dc=fr",
   "BindPassword" : "ܴ澵べ땭녀긢됃놷涟⸉㳨딊爙ױ竍纵딱㶀냾ꋕ☵ꍂ猎㚗ꊟ烼ⴘ竻憁⿑ⷋ兀뒪炊烫각꿇㣥㓧悚瓂ꓱ溚꾉㊆꾗ߡﲻ̷⯥が狀맣牨⢮炢㘉㵑た扟榰死㓲㥦밪澄﨑㎏溅╆⹊땬暤眀䀘덕ﺄ≸぀괼귱⹋껤ꉔꊶ篢普ꧼ떭￷ꮕ눋떢뻟ﰁⱁ洛曏ﰻメۡ畓歌⤫㗟롊掄痦痝뾡ꠊ桺獫﵃ォ꡵딩뒶닀籞ꃏ㑵☷综땆㴎煡擕獗Ⱇ㋭⭐뀒ܬ﫱뒅櫆㵏㍸Ⰰㇰ掬릫ˇרּ温⚩睿뻝㰮ㄡ⪨⸇뼫枴DŽꋾ딖㤲ⷎ㩡潼湖㶰棜㝑犫扎㡮ﯰ眊랥꭫ꭾ㏾ㄑ㻕煇獢릪ꋶ﷐㦕㩓榶獏⩼띟₎חﳎŚ歷簡^笗烲ꩰ⠫",
   "BaseDN" : "dc=ad,dc=TOTO,dc=fr",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3DTOTO%2Cdc%3Dfr"

--------sogo.conf--------

/* **************** DO NOT MODIFY THIS FILE **************** *
 * 
 * Manual changes will be lost when this file is regenerated.
 *
 * ********************************************************** */


  /* 10 Database configuration (mysql) */
    SOGoProfileURL = "mysql://sogo:VZUOIxFaUItfOX2M@localhost/sogo/sogo_user_profile";
    OCSFolderInfoURL = "mysql://sogo:VZUOIxFaUItfOX2M@localhost/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://sogo:VZUOIxFaUItfOX2M@localhost/sogo/sogo_sessions_folder"; 
    OCSEMailAlarmsFolderURL = "mysql://sogo:VZUOIxFaUItfOX2M@localhost/sogo/sogo_alarms_folder";


  /* 20 Mail */
    SOGoDraftsFolderName = "Drafts";
    SOGoSentFolderName = "Sent";
    SOGoTrashFolderName = "Trash";
    SOGoJunkFolderName = "Junk";
    SOGoIMAPServer = "localhost";
    SOGoSieveServer = "sieve://localhost:4190";
    SOGoSMTPServer = "127.0.0.1:587";
    SOGoMailDomain = "toto.fr";
    SOGoMailingMechanism = "smtp";
    NGImap4ConnectionStringSeparator = "/";

  /* 30 Notifications */
    SOGoFoldersSendEMailNotifications = NO;
    SOGoACLsSendEMailNotifications = NO;
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoEnableEMailAlarms = YES;


  /* 40 Authentication */
  //SOGoPasswordChangeEnabled = YES;

  /* 45 AD authentication */
    SOGoUserSources =(
     { 
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "TOTO\\MAIL-DEV$";
        bindPassword = "ܴ澵べ땭녀긢됃놷涟⸉㳨딊爙ױ竍纵딱㶀냾ꋕ☵ꍂ猎㚗ꊟ烼ⴘ竻憁⿑ⷋ兀뒪炊烫각꿇㣥㓧悚瓂ꓱ溚꾉㊆꾗ߡﲻ̷⯥が狀맣牨⢮炢㘉㵑た扟榰死㓲㥦밪澄﨑㎏溅╆⹊땬暤眀䀘덕ﺄ≸぀괼귱⹋껤ꉔꊶ篢普ꧼ떭￷ꮕ눋떢뻟ﰁⱁ洛曏ﰻメۡ畓歌⤫㗟롊掄痦痝뾡ꠊ桺獫﵃ォ꡵딩뒶닀籞ꃏ㑵☷综땆㴎煡擕獗Ⱇ㋭⭐뀒ܬ﫱뒅櫆㵏㍸Ⰰㇰ掬릫ˇרּ温⚩睿뻝㰮ㄡ⪨⸇뼫枴DŽꋾ딖㤲ⷎ㩡潼湖㶰棜㝑犫扎㡮ﯰ眊랥꭫ꭾ㏾ㄑ㻕煇獢릪ꋶ﷐㦕㩓榶獏⩼띟₎חﳎŚ歷簡^笗烲ꩰ⠫";
        baseDN = "dc=ad,dc=TOTO,dc=org";
        bindFields = (
                sAMAccountName,
                userPrincipalName
            );
        hostname = ldaps://ad.toto.fr;
        filter = "(objectClass='user')";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "toto.fr users";
        isAddressBook = YES;
     },
     {
        id = AD_Groups;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "TOTO\\MAIL-DEV$";
        bindPassword = "ܴ澵べ땭녀긢됃놷涟⸉㳨딊爙ױ竍纵딱㶀냾ꋕ☵ꍂ猎㚗ꊟ烼ⴘ竻憁⿑ⷋ兀뒪炊烫각꿇㣥㓧悚瓂ꓱ溚꾉㊆꾗ߡﲻ̷⯥が狀맣牨⢮炢㘉㵑た扟榰死㓲㥦밪澄﨑㎏溅╆⹊땬暤眀䀘덕ﺄ≸぀괼귱⹋껤ꉔꊶ篢普ꧼ떭￷ꮕ눋떢뻟ﰁⱁ洛曏ﰻメۡ畓歌⤫㗟롊掄痦痝뾡ꠊ桺獫﵃ォ꡵딩뒶닀籞ꃏ㑵☷综땆㴎煡擕獗Ⱇ㋭⭐뀒ܬ﫱뒅櫆㵏㍸Ⰰㇰ掬릫ˇרּ温⚩睿뻝㰮ㄡ⪨⸇뼫枴DŽꋾ딖㤲ⷎ㩡潼湖㶰棜㝑犫扎㡮ﯰ眊랥꭫ꭾ㏾ㄑ㻕煇獢릪ꋶ﷐㦕㩓榶獏⩼띟₎חﳎŚ歷簡^笗烲ꩰ⠫";
        baseDN = "dc=ad,dc=TOTO,dc=org";
        hostname = ldaps://ad.toto.fr;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "toto.fr groups";
        isAddressBook = YES;
     }
    );
 


  /* 50 Web Interface */
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveScriptsEnabled = YES;
    SOGoMailAuxiliaryUserAccountsEnabled = YES;
    SOGoMailCustomFromEnabled = YES;
  //SOGoFirstDayOfWeek = 1;
  //SOGoMailReplyPlacement = "above";
  //SOGoMailSignaturePlacement = "above";

  /* 60 General */
    SOGoTimeZone = Europe/Brussels;
    SOGoSuperUsernames = (admin); // This is an array - keep the parens!
    SOGoMemcachedHost = "127.0.0.1";
    SxVMemLimit = 512;
    SOGoEnablePublicAccess = YES;

  /* From Nethesis GNUStep configuration
     Undocumented in sogo instalation manual */
     SOGoAppointmentSendEMailReceipts = YES;

  /* 70 Active Sync options and tuning */
    SOGoMaximumPingInterval = 3540;
    SOGoMaximumSyncInterval = 3540;
    SOGoInternalSyncInterval = 30;
    SOGoMaximumSyncResponseSize = 2048;
    SOGoMaximumSyncWindowSize = 100;

    WOWatchDogRequestTimeout = 60;
    WOWorkersCount = 10;

  /* 80 Debug */
  //SOGoDebugRequests = YES;
  //SoDebugBaseURL = YES;
  //ImapDebugEnabled = YES;
  LDAPDebugEnabled = YES;
  //PGDebugEnabled = YES;
  //MySQL4DebugEnabled = YES;
  //SOGoUIxDebugEnabled = YES;
  //WODontZipResponse = YES;
  SOGoEASDebugEnabled = YES;
  WOLogFile = "/var/log/sogo/sogo.log";

------LOG SOGO START ------------------------

Oct 19 12:31:43 mail-dev systemd: Starting SOGo is a groupware server...
Oct 19 12:31:43 mail-dev sogod: 2017-10-19 12:31:43.169 sogod[16609:16609] File NSString.m: 1507. In -[NSString initWithContentsOfFile:] Contents of file '/etc/sogo/sogo.conf' are not string data
Oct 19 12:31:43 mail-dev sogod: <0x0x55706f92edd0[SOGoStartupLogger]> Cannot read configuration from '/etc/sogo/sogo.conf'. Aborting
Oct 19 12:31:43 mail-dev systemd: sogod.service: control process exited, code=exited status=1
Oct 19 12:31:43 mail-dev systemd: Failed to start SOGo is a groupware server.
Oct 19 12:31:43 mail-dev systemd: Unit sogod.service entered failed state.
Oct 19 12:31:43 mail-dev systemd: sogod.service failed.

What I don’t understand is why I’m getting Chinese characters in my sogo.conf…

Anyway

Thanks for any hints letting me fix this situation.

Zwordi


(Giacomo Sanchietti) #2

In NS 7.4 the machine password is in binary form (it depends on Samba).
I guess Sogo isn’t capable of handling binary passwords to connect to AD LDAP.

The only solution I see is creating a new ad-hoc user (from the Server Manager) and using it inside the configuration.


(Stéphane de Labrusse) #3

:’( :’(


(Stéphane de Labrusse) #4

It is working without problems here, the service is running (fully updated NS7), but I cannot use sogo with a remote bind anymore… maybe some problems are coming @dev_team

on the server samba4 AD

[root@ns7dev ~]# account-provider-test dump
{
   "BindDN" : "STEPHDL\\NS7DEV$",
   "LdapURI" : "ldaps://ad.plop.org",
   "StartTls" : "",
   "port" : 636,
   "host" : "ad.plop.org",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=plop,dc=org",
   "GroupDN" : "dc=ad,dc=plop,dc=org",
   "BindPassword" : "ꓵ矦◕𥳐祖㻠ﲺ㝋枎眺⽻ꮎ믴狫渍棴릗橜沢來¥椉㑳槩뼫뽵瑤燺怬❯긏眰뼌㖤柆꺴㕻璿㗒ﭖ粙㊙桧띿穤㖃瀡縯궻杼떒ﺆ龍璻ﻓユꊃ橰未ꉽ뱼筙㋸群眻㙔ꌹ꓁긼뮕먚枖눒댜ꚱ惂☲凉ꓱꔻ⠞突㖪盄둘磨ꖦ㎞⦉ﳍ㬐畵ꉫ浡⃈ꅣƫԲꞎϫ椾뺆멄백㮋篾ﳱ瓎⪳硩⬖ꀭ㚝怟뭑ꆽꟊ玾ﱁꛞ⤑ꏾꞠ￘벰憰궱憛꒧㺭竬зꈛꍍッ㘱⓫뢙ヴ귦㥁먻ℎ˰ꖤⅪ띮搱㰡㹮㭮몈㲨⪞滄讀⷇ⵞ攥毫ꋀ끔㷏⦮淛ꅹ瑊믎漸払㦴㬕狊缤﷌뭑뒓ꯄ璍Λ➛柧뇣ꂖ灣瑀璝겺櫦犞ꅌ뗞㣬ꈖ",
   "BaseDN" : "dc=ad,dc=plop,dc=org",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dplop%2Cdc%3Dorg"
}

on the remote server

[root@ns7dev6 ~]# account-provider-test dump
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
KeyError: 'SECRETS/MACHINE_PASSWORD/AD'
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
KeyError: 'SECRETS/MACHINE_PASSWORD/AD'
{
   "BindDN" : "AD\\NS7DEV6$",
   "LdapURI" : "ldaps://nsdc-ns7dev.ad.plop.org",
   "StartTls" : null,
   "port" : 636,
   "host" : "nsdc-ns7dev.ad.plop.org",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=ad,DC=plop,DC=org",
   "GroupDN" : "DC=ad,DC=plop,DC=org",
   "BindPassword" : null,
   "BaseDN" : "DC=ad,DC=plop,DC=org",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dplop%2Cdc%3Dorg"
}

I suppose that only a manual step can be done here?


(Stéphane de Labrusse) #5

What if you try to reconfigure your service:

signal-event nethserver-sogo-update


(Michael Träumner) #6

For me it is working too, with a local NethServer with Samba AD. But for me the password looks much clearer, something like the following:

f16jFdLK<I7Lf


(Stéphane de Labrusse) #7

I tested with a fully updated ns7.4, installing nethserver-dc first and nethserver-sogo afterwards.


(Markus Neuberger) #8

I tested it on updated 7.4b1 with local AD, and it works, even with a binary password in sogo.conf. Didn’t test remote AD for now.


(Markus Neuberger) #9

Tested remote AD now. Joined a 7.4b1 (remotead) to a 7.4b1 DC (testserver) with a Samba 4.6.8 container and installed sogo…

/var/log/messages:

Oct 20 17:32:20 remotead esmith::event[35839]: [ERROR] /usr/libexec/nethserver/smbads: failed to add service primaries to system keytab
Oct 20 17:32:20 remotead esmith::event[35839]: [ERROR] /usr/libexec/nethserver/smbads: failed to initialize keytabs
Oct 20 17:32:20 remotead esmith::event[35839]: Action: /etc/e-smith/events/nethserver-mail-server-update/S50nethserver-sssd-initkeytabs FAILED: 5 [1.262279]
...
Oct 20 17:32:24 remotead esmith::event[36074]: expanding /etc/sogo/sogo.conf
Oct 20 17:32:24 remotead esmith::event[36074]: Traceback (most recent call last):
Oct 20 17:32:24 remotead esmith::event[36074]:  File "<stdin>", line 3, in <module>
Oct 20 17:32:24 remotead esmith::event[36074]: KeyError: 'SECRETS/MACHINE_PASSWORD/AD'
Oct 20 17:32:24 remotead esmith::event[36074]: WARNING in /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source: Use of uninitialized value $secret in scalar chomp at /usr/share/perl5/vendor_perl/NethServer/SSSD.pm line 309.
Oct 20 17:32:24 remotead esmith::event[36074]: WARNING in /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source: Use of uninitialized value $bindPassword in substitution (s///) at /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source line 62.
Oct 20 17:32:24 remotead esmith::event[36074]: WARNING in /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source: Use of uninitialized value $bindPassword in concatenation (.) or string at /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source line 63.
Oct 20 17:32:24 remotead esmith::event[36074]: WARNING in /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source: Use of uninitialized value $bindPassword in concatenation (.) or string at /etc/e-smith/templates//etc/sogo/sogo.conf/45user_source line 63.
Oct 20 17:32:24 remotead esmith::event[36074]: WARNING: Template processing succeeded for //etc/sogo/sogo.conf: 4 fragments generated warnings

/var/log/sogo/sogo.log

Oct 20 17:44:57 sogod [36179]: 192.168.221.1 "POST /SOGo/connect HTTP/1.1" 403 34/84 0.034 - - 576K
Oct 20 17:45:14 sogod [36179]: <0x0x555d78f65160[LDAPSource]> <NSException: 0x555d78fb0040> NAME:LDAPException REASON:operation bind failed: Strong(er) authentication required (0x8) INFO:{"error_code" = 8; login = "samaccountname=testuser,dc=ad,dc=domain,dc=local"; }
Oct 20 17:45:14 sogod [36179]: [ERROR] <0x0x555d78f5c730[LDAPSource]> Could not bind to the LDAP server ldap://nsdc-testserver.ad.domain.local (389) using the bind DN: AD\REMOTEAD$
Oct 20 17:45:14 sogod [36179]: [ERROR] <0x0x555d78f5c730[LDAPSource]> <NSException: 0x555d78fb1ff0> NAME:LDAPException REASON:operation bind failed: Strong(er) authentication required (0x8) INFO:{"error_code" = 8; login = "AD\\REMOTEAD$"; }
Oct 20 17:45:14 sogod [36179]: SOGoRootPage Login from '192.168.221.1' for user 'testuser' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Changing TLS to yes in Account Provider doesn’t help, so trying with this:

but a new error (the credentials are correct, I tried several times and copy/pasted):

Oct 20 18:07:01 sogod [37256]: [ERROR] <0x0x55da720b6850[LDAPSource]> Could not bind to the LDAP server ldap://nsdc-testserver.ad.domain.local (389) using the bind DN: AD\REMOTEAD$
Oct 20 18:07:01 sogod [37256]: [ERROR] <0x0x55da720b6850[LDAPSource]> <NSException: 0x55da72176ad0> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "AD\\REMOTEAD$"; }
Oct 20 18:07:01 sogod [37256]: SOGoRootPage Login from '192.168.221.1' for user 'markus' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

Roundcube login is working but join to remote AD is strange:

[root@testserver ~]# account-provider-test dump
Traceback (most recent call last):
  File "<stdin>", line 3, in <module>
KeyError: 'SECRETS/MACHINE_PASSWORD/AD'
{
   "BindDN" : "AD\\REMOTEAD$",
   "LdapURI" : "ldap://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 389,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=ad,DC=domain,DC=local",
   "GroupDN" : "DC=ad,DC=domain,DC=local",
   "BindPassword" : null,
   "BaseDN" : "DC=ad,DC=domain,DC=local",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Ddomain%2Cdc%3Dlocal"
}

Oops, I noticed there is a wrong bind DN, it should be DOMAIN\REMOTEAD$. I deleted my changes regarding TLS weak auth.
I did an unbind and joined again via the web UI, and now sogo login works.

AD join looks good again:

[root@remotead ~]# account-provider-test dump
{
   "BindDN" : "DOMAIN\\REMOTEAD$",
   "LdapURI" : "ldap://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 389,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=ad,DC=domain,DC=local",
   "GroupDN" : "DC=ad,DC=domain,DC=local",
   "BindPassword" : "篅毝뼍籥מּ뻉...",
   "BaseDN" : "DC=ad,DC=domain,DC=local",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Ddomain%2Cdc%3Dlocal"
}

(Stéphane de Labrusse) #10

Funny, I tested the unbind like you did, and bound again with the same parameters; this time the bind was successful.

But I still cannot use sogo until I add ldaps and restart sogo:

-        hostname = ldap://ad.plop.org;
+        hostname = ldaps://ad.plop.org;
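Review bot: the `+        hostname = ldaps://ad.plop.org;` line edits a generated file whose header says manual changes are lost when it is regenerated, and the `account-provider-test dump` on the remote-joined box still reports `"LdapURI" : "ldap://nsdc-ns7dev.ad.plop.org"`, so the next `signal-event nethserver-sogo-update` will write the plain `ldap://` hostname back. Change the LDAP URI in the account provider (the value the `45user_source` template reads through `$sssd->ldapURI()`) instead of patching sogo.conf, so the ldaps setting survives template expansion.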

Funny that when you install sogo on the local Samba4 AD the correct ldaps URL is there, but when you install sogo with a remote account provider ‘$sssd->ldapURI();’ gives back a bad URL.

Did you notice it in the sogo.conf file @mrmarkuz?


(Stéphane de Labrusse) #11

I could force the ldaps URL over the bad one with:

    #force the ldaps url
    $ldapURI =~ s/ldap:/ldaps:/;

but first I would prefer to understand why NethServer::SSSD doesn’t give the right ‘ldapURI’ when I bind to a remote (NS) Samba4 AD.

When user authentication (nethserver-dc) is installed on the NethServer:

[root@ns7dev ~]# account-provider-test dump
"LdapURI" : "ldaps://ad.plop.org",

When I bind to the remote Samba4 AD (user authentication is remote):

[root@ns7dev6 ~]# account-provider-test dump
 "LdapURI" : "ldap://nsdc-ns7dev.ad.plop.org"

Why is the LdapURI not the same???

Can I force the ldaps URL in the sogo code @giacomo @davidep?


(Markus Neuberger) #12

No, it worked without changing sogo.conf, but I had an old nethserver-dc version on the testserver Samba DC, so I removed nethserver-dc-1.2.6-1.9.g6e3010d.ns7.x86_64 and installed nethserver-dc-1.3.0-1.ns7. Then I got this on the remotead:

[root@remotead ~]# account-provider-test dump
{
   "BindDN" : "DOMAIN\\REMOTEAD$",
   "LdapURI" : "ldap://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 389,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=ad,DC=domain,DC=local",
   "GroupDN" : "DC=ad,DC=domain,DC=local",
   "BindPassword" : "端뉍牒ꁐ...",
   "BaseDN" : "DC=ad,DC=domain,DC=local",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Ddomain%2Cdc%3Dlocal"
}

and an error:

[root@remotead ~]# account-provider-test
ldap_bind: Strong(er) authentication required (8)
        additional info: BindSimple: Transport encryption required.

So I changed my AD LDAP URI via the web UI (account provider) on the remotead NS to ldaps://nsdc-testserver.ad.domain.local and then account-provider-test worked.

But now I have the same status as @Zwordi.

-- Unit sogod.service has begun starting up.
Oct 20 21:44:48 remotead.domain.local sogod[1784]: 2017-10-20 21:44:48.129 sogod[1784:1784] File NSString.m: 1507. In -[NSString initWithContentsOfFile:] Contents of file '/etc/sogo/sogo.conf' are not string data
Oct 20 21:44:48 remotead.domain.local sogod[1784]: <0x0x556396e9edd0[SOGoStartupLogger]> Cannot read configuration from '/etc/sogo/sogo.conf'. Aborting
Oct 20 21:44:48 remotead.domain.local systemd[1]: sogod.service: control process exited, code=exited status=1
Oct 20 21:44:48 remotead.domain.local systemd[1]: Failed to start SOGo is a groupware server.
-- Subject: Unit sogod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sogod.service has failed.

Tried removing and reinstalling Sogo and unbind/rejoin without success. Now I get:

-- Unit sogod.service has begun starting up.
Oct 20 21:55:46 remotead.domain.local kernel: sogod[5723]: segfault at 7ffe69629b98 ip 00007f328312c9cf sp 00007ffe69629b80 error 6 in libgnustep-base.so.1.24.9[7f3282d9a000+4dc000]
Oct 20 21:55:46 remotead.domain.local systemd[1]: sogod.service: control process exited, code=killed status=11
Oct 20 21:55:46 remotead.domain.local systemd[1]: Failed to start SOGo is a groupware server.
-- Subject: Unit sogod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sogod.service has failed.
--
-- The result is failed.
Oct 20 21:55:46 remotead.domain.local systemd[1]: Unit sogod.service entered failed state.
Oct 20 21:55:46 remotead.domain.local systemd[1]: sogod.service failed.

This is weird.


(Stéphane de Labrusse) #13

Houston, we have a problem!

Probably it comes from the password being a binary field.

Can you remove it and put a dummy one in its place, just to see if the sogo service starts?


(Markus Neuberger) #14

Oh no, I reinstalled the VM but I’ll try and report…


(Stéphane de Labrusse) #15

what a pity :’(


(Markus Neuberger) #16

I got the AD naming bug: if you enter no DNS server IP when joining NS, the domain is AD instead of DOMAIN.

I freshly installed the VM with NS 7.4b1, updated, joined AD, changed the LDAP URI to ldaps so account-provider-test works again.

Then I installed sogo and it just worked. If you change the LDAP URI, it is correctly written to the sogo.conf hostname:

/* 45 AD authentication */
    SOGoUserSources =(
     {
        id = AD_Users;
        type = ldap;
        CNFieldName = cn;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        IMAPLoginFieldName = userPrincipalName;
        canAuthenticate = YES;
        bindDN = "DOMAIN\\REMOTEAD2$";
        bindPassword = "ꍝ꛸斦...";
        baseDN = "DC=ad,DC=domain,DC=local";
        bindFields = (
                sAMAccountName,
                userPrincipalName
            );
        hostname = ldaps://nsdc-testserver.ad.domain.local;
        filter = "(objectClass='user')";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "domain.local users";
        isAddressBook = YES;
     },
     {
        id = AD_Groups;
        type = ldap;
        CNFieldName = name;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        canAuthenticate = YES;
        bindDN = "DOMAIN\\REMOTEAD2$";
        bindPassword = "ꍝ꛸...";
        baseDN = "DC=ad,DC=domain,DC=local";
        hostname = ldaps://nsdc-testserver.ad.domain.local;
        filter = "(objectClass='group') AND (sAMAccountType=268435456)";
        MailFieldNames = ("userPrincipalName");
        scope = SUB;
        displayName = "domain.local groups";
        isAddressBook = YES;
     }
    );

Don’t know what the problem was before, maybe removing and reinstalling sogo? I’ll try again…


(Markus Neuberger) #17

I removed sogo from the software center. Then I did “yum remove sogo”. Then I installed sogo from the software center and now I have my error status again. I tried to empty the binary passwords in sogo.conf, but same error. I think it’s a sogo install/remove procedure error and has nothing to do with the binary password.

-- Unit sogod.service has begun starting up.
Oct 20 23:09:11 remotead2.domain.local kernel: sogod[6639]: segfault at 7ffdd9a52ff8 ip 00007f921262c107 sp 00007ffdd9a53000 error 6 in libc-2.17.so[7f92125ac000+1b8000]
Oct 20 23:09:11 remotead2.domain.local systemd[1]: sogod.service: control process exited, code=killed status=11
Oct 20 23:09:11 remotead2.domain.local systemd[1]: Failed to start SOGo is a groupware server.
-- Subject: Unit sogod.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sogod.service has failed.

EDIT:

Summary:
I tried to join AD 3 times with a fresh install, and the first join doesn’t work correctly, no matter whether you enter DNS or not. The domain is set to AD instead of DOMAIN when the DNS domain is ad.domain.local. Unbinding and joining a second time works.

The LDAP URI on the joining NethServer has to be changed via the web UI to make account-provider-test work. You will get “ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required.” if you don’t do that.

@Zwordi, I could not reproduce your problem a second time, I just had it after updating my AD nethserver-dc from 1.2.6 to 1.3.
As @stephdl suggested, please try to change your sogo.conf to “BindPassword” : “dummypw” instead of the Chinese typo and check if sogo starts.
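A preflight check for the failure modes this thread runs into before sogo.conf is expanded: a null machine password after a bad join, the Samba binary machine password that sogod cannot read as text (and the "not string data" case where the whole file is rejected), a plain ldap:// URI against a DC that answers "Transport encryption required", and the AD-instead-of-DOMAIN bind DN from the naming bug. This is an added example, not NethServer's or SOGo's own code: the dumps below are constructed to look like account-provider-test output, the function names are mine, and the NetBIOS rule (a NethServer realm ad.<domain>.<tld> gives the workgroup <DOMAIN>) is an assumption taken from the posts above. It deliberately treats anything outside printable ASCII as "binary", so a password that legitimately contains non-ASCII characters is flagged too.

```python
"""Preflight checks on an `account-provider-test dump` before the sogo.conf
template is expanded. Added example for this thread; not NethServer or
SOGo code. Sample dumps are constructed, not from a real join."""
import json
from urllib.parse import urlsplit

# Constructed samples in the shape of `account-provider-test dump`
# (hosts, DNs and passwords are made up).
DUMP_FAILED_JOIN = r"""{
   "BindDN" : "AD\\REMOTEAD$",
   "LdapURI" : "ldap://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 389,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "BindPassword" : null,
   "BaseDN" : "DC=ad,DC=domain,DC=local"
}"""
DUMP_MACHINE_PASSWORD = r"""{
   "BindDN" : "DOMAIN\\REMOTEAD$",
   "LdapURI" : "ldaps://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 636,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "BindPassword" : "\u7bc5\u6bdd\ubf0d\u7c65",
   "BaseDN" : "DC=ad,DC=domain,DC=local"
}"""
DUMP_DEDICATED_USER = r"""{
   "BindDN" : "DOMAIN\\sogo-bind",
   "LdapURI" : "ldaps://nsdc-testserver.ad.domain.local",
   "StartTls" : "",
   "port" : 636,
   "host" : "nsdc-testserver.ad.domain.local",
   "isAD" : "1",
   "BindPassword" : "f16jFdLK<I7Lf",
   "BaseDN" : "DC=ad,DC=domain,DC=local"
}"""


def classify_bind_password(value):
    """Classify the password the way sogod will meet it in sogo.conf:
    'missing'  - null/empty, as after a failed join (the KeyError above)
    'not-utf8' - bytes GNUstep rejects ("Contents of file ... are not
                 string data"), so the whole config becomes unreadable
    'binary'   - the Samba machine-password form that renders as CJK
                 text; anything outside printable ASCII lands here
    'ok'       - printable ASCII, e.g. a dedicated bind user's password"""
    if value is None or value == "":
        return "missing"
    if isinstance(value, bytes):
        try:
            value = value.decode("utf-8")
        except UnicodeDecodeError:
            return "not-utf8"
    if not (value.isascii() and value.isprintable()):
        return "binary"
    return "ok"


def transport_issue(dump):
    """Plain ldap:// without STARTTLS is what the DC rejects with
    'BindSimple: Transport encryption required'."""
    scheme = urlsplit(dump.get("LdapURI") or "").scheme
    if scheme == "ldaps" or (scheme == "ldap" and dump.get("StartTls")):
        return None
    return "plaintext"


def netbios_issue(dump):
    """Heuristic from this thread (assumption): for a NethServer realm
    ad.<domain>.<tld> the workgroup is <DOMAIN>, so a BindDN whose
    prefix is the literal 'AD' is the mis-join seen above."""
    labels = [part.split("=", 1)[1].lower()
              for part in dump.get("BaseDN", "").split(",") if "=" in part]
    if len(labels) < 3 or labels[0] != "ad":
        return None  # not the layout this heuristic knows about
    prefix = dump.get("BindDN", "").split("\\", 1)[0].upper()
    return None if prefix == labels[1].upper() else "netbios-mismatch"


def preflight(dump_text):
    """Return a list of (field, finding) pairs; an empty list means clean."""
    dump = json.loads(dump_text)
    findings = []
    state = classify_bind_password(dump.get("BindPassword"))
    if state != "ok":
        findings.append(("BindPassword", state))
    if transport_issue(dump):
        findings.append(("LdapURI", transport_issue(dump)))
    if netbios_issue(dump):
        findings.append(("BindDN", netbios_issue(dump)))
    return findings


if __name__ == "__main__":
    for name, text in (("failed join", DUMP_FAILED_JOIN),
                       ("machine password", DUMP_MACHINE_PASSWORD),
                       ("dedicated bind user", DUMP_DEDICATED_USER)):
        print(f"{name}: {preflight(text) or 'clean'}")
```

Run it against the real dump with `account-provider-test dump | python3 preflight.py` after replacing the sample constants with `sys.stdin.read()`; a clean result for the dedicated-user dump is the state Giacomo's suggestion (an ad-hoc bind user instead of the machine account) is meant to reach.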


(Davide Principi) #18

I think it’s because MS AD doesn’t come with SSL enabled out of the box, as Samba AD does. And enabling SSL in MS AD is quite complex…

Perhaps the AD probe procedure could guess the best choice by attempting SSL and falling back to plain LDAP if it is not available. I thought it was so!


(Markus Neuberger) #19

In this case the probe fails by not seeing ldaps in NethServer AD, but it will work with any M$ AD…


(Zwordi) #20

Hello Everybody,

Thanks a lot for your feedback.
I tried a few other things without any result.
At least, as I was just testing the AD side, it doesn’t bother me. I’m gonna use OpenLDAP, which works fine.
I’m also gonna use the command line to create users based on their registration.

To be honest I wasn’t expecting a lot of feedback, so I love the fact that I received quick answers.
I will put this on SOLVED.

Thanks everybody.