Re: [SOGo] Sogo and samba 4 AD authentification
On 20/03/18 at 19:05, Goetz Reinicke (goetz.reini...@filmakademie.de) wrote:
> On 20.03.2018 at 18:30, Luca Olivetti (l...@wetron.es) wrote:
>> On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de) wrote:
>>> I did that and it works, but disabling encryption, as I understand it, is not a good option.
>>
>> use
>>
>>     ldap server require strong auth = allow_sasl_over_tls
>>
>> (I suppose you already enabled tls in samba)
>
> Not yet, as I was not aware that I need it. Are tls enable etc. the options?!

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] Sogo and samba 4 AD authentification - SOLVED
Thanks to all, I got it up and running. (For now with TLS_REQCERT never).

Regards . Götz
Re: [SOGo] Sogo and samba 4 AD authentification
On 20.03.2018 at 15:56, Götz Reinicke (goetz.reini...@filmakademie.de) wrote:
> Hi,
>
> I try to use our samba 4 ad as the user source but looks like I miss a point
> or option.
>
> I have added a dedicated user to the ad, edited the config and restarted
> SOGo&memcached.
>
> From the logs so far I guess it's an SSL problem.

Yes it is. You need to install the certificates at the distro level (the location can be specified in /etc/openldap/ldap.conf) or configure /etc/openldap/ldap.conf to not check the certificates with:

    TLS_REQCERT never

Location of the files may vary. This is for CentOS. Sogo.conf looks like this:

    SOGoUserSources = (
      {
        CNFieldName = displayName;
        IDFieldName = sAMAccountName;
        UIDFieldName = sAMAccountName;
        bindAsCurrentUser = YES;
        baseDN = "cn=xx,dc=xx,dc=xx,dc=xx";
        bindDN = "CN=xx,CN=xx,DC=xx,DC=xx,DC=xx";
        bindFields = ( sAMAccountName );
        bindPassword = "xx";
        listRequiresDot = NO;
        canAuthenticate = YES;
        displayName = xx;
        hostname = "ldaps://xx.xx.xx";
        id = xx;
        isAddressBook = YES;
        SearchFieldNames = (sAMAccountName,displayName,mail);
      }
    );

As you can see we have the domain name as ldap server; this does a "crude" load balancing as the DNS returns the IPs of all DCs in the ActiveDirectory.

regards

> Maybe someone already has a working set and can share the hints and doc on how
> to use that?
>
> Thanks & Regards . Götz

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail c...@brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
Re: [SOGo] Sogo and samba 4 AD authentification
Hi,

On 03/20/2018 06:05 PM, Goetz Reinicke (goetz.reini...@filmakademie.de) wrote:
> So haproxy is talking encrypted to the samba servers? With the option of failover this sounds interesting. How hard is the haproxy configuration?

Yes, like that. Config not very complicated, and it works very nicely. In fact we do this on all servers that require ldap connections. Relevant bits from haproxy.cfg:

    frontend ldap_service_front
        mode tcp
        bind localhost:389
        description LDAP Service
        option socket-stats
        option tcpka
        timeout client 5s
        default_backend ldaps_service_back

    backend ldaps_service_back
        mode tcp
        balance roundrobin
        server dc2 ldap.server.ip.1:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
        server dc3 ldap.server.ip.2:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
        server dc4 ldap.server.ip.3:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
        option log-health-checks
        option ldap-check
        timeout server 2s
        timeout connect 2s

As you can see, we are currently not checking the certificates, which is not good. This is still on our to-do list.

MJ
Re: [SOGo] Sogo and samba 4 AD authentification
> On 20.03.2018 at 18:30, Luca Olivetti (l...@wetron.es) wrote:
>
> On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de) wrote:
>> I did that and it works, but disabling encryption, as I understand it, is
>> not a good option.
>
> use
>
>     ldap server require strong auth = allow_sasl_over_tls
>
> (I suppose you already enabled tls in samba)

Not yet, as I was not aware that I need it. Are tls enable etc. the options?!

Thanks and regards . Götz
Re: [SOGo] Sogo and samba 4 AD authentification
On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de) wrote:
> I did that and it works, but disabling encryption, as I understand it, is not a good option.

use

    ldap server require strong auth = allow_sasl_over_tls

(I suppose you already enabled tls in samba)

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)
Fax +34 93 5883007
Re: [SOGo] Sogo and samba 4 AD authentification
I did that and it works, but disabling encryption, as I understand it, is not a good option. Suggestions?

Regards Götz

> On 20.03.2018 at 16:33, Sauro Cerri (sauro.ce...@isi-it.eu) wrote:
>
> Hello, did you try this in smb.conf?
>
>     ldap server require strong auth = No
>
> On 20/03/2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de) wrote:
>> Hi,
>>
>> I try to use our samba 4 ad as the user source but looks like I miss a
>> point or option.
>>
>> I have added a dedicated user to the ad, edited the config and restarted
>> SOGo&memcached.
>>
>> From the logs so far I guess it's an SSL problem.
>>
>> Maybe someone already has a working set and can share the hints and doc on how
>> to use that?
>>
>> Thanks & Regards . Götz
>
> --
> Sauro Cerri
> ISI-IT S.r.l.
> Via Murada, 200
> 23018 Talamona (SO)
> Tel. 0342-670320
> Fax. 0342-671812
> e-mail: sauro.ce...@isi-it.eu
>
> Important notice: The information contained in this document and its attachments is intended only for the named addressee. Anyone reading this notice who is not the intended recipient, an employee, or the person responsible for delivering the message is hereby notified that any use, copying, distribution or disclosure of its contents is prohibited under art. 616 of the Italian Penal Code and by laws 675/96 and 196/2003 on the protection of personal data. If this message has reached you in error, please inform us immediately; the contents of this document and its attachments must not be read but destroyed.
>
> CONFIDENTIALITY NOTICE The contents of this e-mail are confidential to the ordinary user of the e-mail address to which it was addressed, and may also be privileged. If you are not the addressee of this e-mail you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. If you have received this e-mail in error, please e-mail the sender by replying to this message.
Re: [SOGo] Sogo and samba 4 AD authentification
> On 20.03.2018 at 16:44, lists (li...@merit.unu.edu) wrote:
>
> Hi,
>
> We have been doing that for years. Config like this:
>
>> SOGoUserSources = (
>>   {
>>     type = ldap;
>>     CNFieldName = displayName;
>>     IDFieldName = cn;
>>     UIDFieldName = uid;
>>     bindFields = (sAMAccountName, cn);
>>     baseDN = "CN=Users,DC=samba,DC=company,DC=com";
>>     canAuthenticate = YES;
>>     listRequiresDot = NO;
>>     bindDN = "cn=sogo_search,cn=users,dc=samba,dc=company,dc=com";
>>     bindPassword = very_secret;
>>     displayName = "AD Internal Users";
>>     MailFieldNames = (mail, otherMailbox, proxyAddresses);
>>     hostname = "ldap://127.0.0.1:389";
>>     id = ad-users;
>>     isAddressBook = YES;
>>     port = 389;
>>     scope = "SUB";
>>     filter = "((samAccountType=805306368) AND (mail='*') AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2))";
>>   }
>> );
>
> As you can see, we have sogo talk ldap to 127.0.0.1:389, which is where
> haproxy is listening. HAProxy is configured to talk to our three AD servers,
> doing the failover etc.
>
> Hope this helps?

So haproxy is talking encrypted to the samba servers? With the option of failover this sounds interesting. How hard is the haproxy configuration?

Regards Götz
Re: [SOGo] Sogo and samba 4 AD authentification
Hello, did you try this in smb.conf?

    ldap server require strong auth = No

On 20/03/2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de) wrote:
> Hi,
>
> I try to use our samba 4 ad as the user source but looks like I miss a point or option.
>
> I have added a dedicated user to the ad, edited the config and restarted SOGo&memcached.
>
> From the logs so far I guess it's an SSL problem.
>
> Maybe someone already has a working set and can share the hints and doc on how to use that?
>
> Thanks & Regards . Götz

--
Sauro Cerri
ISI-IT S.r.l.
Via Murada, 200
23018 Talamona (SO)
Tel. 0342-670320
Fax. 0342-671812
e-mail: sauro.ce...@isi-it.eu
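The thread ends up weakening three settings: HAProxy forwarding to the DCs with `verify none`, `TLS_REQCERT never` in /etc/openldap/ldap.conf, and `ldap server require strong auth = No` in smb.conf. The following audit check is an added example, not code from any poster; it shows each weak excerpt beside a hardened form and flags the weak ones. The excerpts are constructed, and the CA file paths and the `verifyhost` name are assumptions.

```python
import re

# Constructed excerpts modelled on the thread (not quoted from it). The CA file
# paths and the verifyhost name in the hardened set are assumptions.
WEAK = {
    "haproxy.cfg": "server dc2 ldap.server.ip.1:636 check check-ssl ssl verify none\n"
                   "server dc3 ldap.server.ip.2:636 check check-ssl ssl verify none\n",
    "ldap.conf": "TLS_REQCERT never\n",
    "smb.conf": "[global]\nldap server require strong auth = No\n",
}
HARDENED = {
    "haproxy.cfg": "server dc2 ldap.server.ip.1:636 check check-ssl ssl verify required "
                   "ca-file /etc/haproxy/ad-ca.pem verifyhost dc2.samba.company.com\n",
    "ldap.conf": "TLS_CACERT /etc/openldap/certs/ad-ca.pem\nTLS_REQCERT demand\n",
    "smb.conf": "[global]\ntls enabled = yes\n"
                "ldap server require strong auth = allow_sasl_over_tls\n",
}

def audit_haproxy(text):
    """Flag TLS backends whose chain or hostname is never checked."""
    out = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] != "server" or "ssl" not in p:
            continue
        if re.search(r"\bverify\s+none\b", line):
            out.append(f"haproxy {p[1]}: verify none, chain not checked")
        elif not {"verifyhost", "sni"} & set(p):  # haproxy checks no name without these
            out.append(f"haproxy {p[1]}: no verifyhost/sni, hostname not checked")
    return out

def audit_ldap_conf(text):
    """TLS_REQCERT never/allow accept a missing or untrusted server cert."""
    m = re.search(r"^\s*TLS_REQCERT\s+(\S+)", text, re.M | re.I)
    if m and m.group(1).lower() in ("never", "allow"):
        return [f"ldap.conf: TLS_REQCERT {m.group(1)}, certificate unverified"]
    return []

def audit_smb_conf(text):
    """'No' lets clients simple-bind to the DC over plaintext LDAP."""
    m = re.search(r"^\s*ldap server require strong auth\s*=\s*(\S+)", text, re.M | re.I)
    if m and m.group(1).lower() in ("no", "false", "0"):
        return ["smb.conf: strong auth disabled, plaintext LDAP binds allowed"]
    return []

AUDITS = {"haproxy.cfg": audit_haproxy, "ldap.conf": audit_ldap_conf, "smb.conf": audit_smb_conf}

def audit(configs):
    """Run every audit over a {filename: contents} set; [] means it passes."""
    return [f for name, fn in AUDITS.items() for f in fn(configs.get(name, ""))]
```

`audit(WEAK)` returns one finding per weakened setting; `audit(HARDENED)` returns an empty list.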
Re: [SOGo] Sogo and samba 4 AD authentification
Hi,

We have been doing that for years. Config like this:

    SOGoUserSources = (
      {
        type = ldap;
        CNFieldName = displayName;
        IDFieldName = cn;
        UIDFieldName = uid;
        bindFields = (sAMAccountName, cn);
        baseDN = "CN=Users,DC=samba,DC=company,DC=com";
        canAuthenticate = YES;
        listRequiresDot = NO;
        bindDN = "cn=sogo_search,cn=users,dc=samba,dc=company,dc=com";
        bindPassword = very_secret;
        displayName = "AD Internal Users";
        MailFieldNames = (mail, otherMailbox, proxyAddresses);
        hostname = "ldap://127.0.0.1:389";
        id = ad-users;
        isAddressBook = YES;
        port = 389;
        scope = "SUB";
        filter = "((samAccountType=805306368) AND (mail='*') AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2))";
      }
    );

As you can see, we have sogo talk ldap to 127.0.0.1:389, which is where haproxy is listening. HAProxy is configured to talk to our three AD servers, doing the failover etc.

Hope this helps?

MJ

On 20-3-2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de) wrote:
> Hi,
>
> I try to use our samba 4 ad as the user source but looks like I miss a point or option.
>
> I have added a dedicated user to the ad, edited the config and restarted SOGo&memcached.
>
> From the logs so far I guess it's an SSL problem.
>
> Maybe someone already has a working set and can share the hints and doc on how to use that?
>
> Thanks & Regards . Götz
[SOGo] Sogo and samba 4 AD authentification
Hi,

I try to use our samba 4 ad as the user source but looks like I miss a point or option.

I have added a dedicated user to the ad, edited the config and restarted SOGo&memcached.

From the logs so far I guess it's an SSL problem.

Maybe someone already has a working set and can share the hints and doc on how to use that?

Thanks & Regards . Götz