On 25/09/13 05:47, Jean Raby wrote:
On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
If I use the deprecated way of specifying a starttls ldap address
things work, i.e.:
sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
IDFieldName = cn; UIDFieldName = uid;
baseDN=ou=people,dc=strategicit,dc=homelinux,dc=net;
bindDN=cn=admin,dc=strategicit,dc=homelinux,dc=net;
bindFields = (uid); usePasswordAlgorithm = ssha;
bindPassword = xx; canAuthenticate = YES;
displayName = Shared Addresses; hostname = fusion.strategicit.homelinux.net;
id = shared; port = 389; encryption = starttls;
isAddressBook = YES;})'
...but if I do things the new way, i.e.:
sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
IDFieldName = cn; UIDFieldName = uid;
baseDN=ou=people,dc=strategicit,dc=homelinux,dc=net;
bindDN=cn=admin,dc=strategicit,dc=homelinux,dc=net;
bindFields = (uid); usePasswordAlgorithm = ssha;
bindPassword = xx; canAuthenticate = YES;
displayName = Shared Addresses;
hostname = ldap://fusion.strategicit.homelinux.net/!StartTLS; id = shared;
isAddressBook = YES;})'
I just tested again here and both work:
sogo.log:
Sep 19 16:23:33 sogod [12048]: 0x0x7f1190e78bd0[NGLdapConnection] Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'
slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn=cn=admin,dc=example,dc=com method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn=cn=admin,dc=example,dc=com mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base=ou=people,dc=example,dc=com scope=2 deref=0 filter=(|(uid=sogo1)(mail=sogo1))
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:
Sep 25 03:21:21 sogod [7923]: 0x0x7ffc74b043f0[SOGoCache] Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] GET /SOGo HTTP/1.1 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] GET /SOGo/ HTTP/1.1 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] 0x0x7ffc74b7d930[LDAPSource] Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] 0x0x7ffc74b7d930[LDAPSource] NSException: 0x7ffc74af69e0 NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = cn=admin,dc=strategicit,dc=homelinux,dc=net; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] POST /SOGo/connect HTTP/1.1 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: 0x0x7ffc74808b20[WOWatchDog] Terminating with SIGINT or SIGTERM
The only strange things I'm doing are setting options requiring certs in
OpenLDAP, i.e.:
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256
...although I'm not sure if that could be making a difference.
You realize that 'olcTLSVerifyClient: demand' means
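The "Confidentiality required" in the SOGo log is LDAP result code 13 (the 0xD), which slapd returns when an operation arrives on a connection whose security strength factor is below what olcSecurity demands; for a simple bind the value that counts is the connection SSF slapd prints on its "TLS established tls_ssf=N ssf=N" line, not the ssf=0 on the mech=SIMPLE line. As an added example (not code from this thread, from SOGo or from OpenLDAP), the script below reads slapd log lines in the format quoted above and lists every bind that ran below a chosen SSF, so the slapd side of such a failure can be checked without guessing from the client error. The sample lines are constructed: conn=1938 mirrors the working exchange in the thread, while conn=2001, its addresses and its err=13 result are made up to show a bind on a connection that never completed StartTLS. The required SSF is a parameter of audit_binds.

```python
import re
from collections import namedtuple

# Constructed sample in slapd's syslog format (not verbatim from the thread).
# conn=1938: StartTLS succeeds, then a simple bind at connection SSF 128.
# conn=2001: a simple bind on a connection with no TLS at all; slapd rejects
# it with err=13 (confidentialityRequired) because olcSecurity demands an SSF.
SAMPLE_LOG = """\
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn=cn=admin,dc=example,dc=com method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn=cn=admin,dc=example,dc=com mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 fd=17 ACCEPT from IP=192.168.1.50:41234 (IP=0.0.0.0:389)
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 op=0 BIND dn=cn=admin,dc=example,dc=com method=128
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 op=0 RESULT tag=97 err=13 text=confidentiality required
"""

CONN_RE = re.compile(r"\bconn=(\d+)\b")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
# method=128 marks the simple-bind request line; the mech=SIMPLE line that
# follows it repeats the DN and is skipped on purpose.
BIND_RE = re.compile(r"\bop=(\d+) BIND dn=(\S+) method=(\d+)")
# tag=97 is the bindResponse; err=0 accepted, err=13 confidentialityRequired.
RESULT_RE = re.compile(r"\bop=(\d+) RESULT tag=97 err=(\d+)")

Finding = namedtuple("Finding", "conn op dn ssf err")


def audit_binds(log_text, required_ssf):
    """Return one Finding per bind whose connection SSF was below required_ssf.

    ssf is the connection SSF in force when the bind arrived (0 if no
    'TLS established' line preceded it); err is slapd's bind result code,
    or None if no result line was seen for that operation.
    """
    conn_ssf = {}   # conn id -> SSF once TLS is established on that connection
    binds = {}      # (conn, op) -> [dn, ssf at bind time, result code]
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = m.group(1)
        tls = TLS_RE.search(line)
        if tls:
            conn_ssf[conn] = int(tls.group(2))
            continue
        bind = BIND_RE.search(line)
        if bind:
            binds[(conn, bind.group(1))] = [bind.group(2), conn_ssf.get(conn, 0), None]
            continue
        res = RESULT_RE.search(line)
        if res and (conn, res.group(1)) in binds:
            binds[(conn, res.group(1))][2] = int(res.group(2))

    ordered = sorted(binds.items(), key=lambda kv: (int(kv[0][0]), int(kv[0][1])))
    return [Finding(conn, op, dn, ssf, err)
            for (conn, op), (dn, ssf, err) in ordered if ssf < required_ssf]


if __name__ == "__main__":
    required = 256
    for f in audit_binds(SAMPLE_LOG, required):
        outcome = "accepted" if not f.err else "rejected err=%d" % f.err
        print("conn=%s op=%s bind as %s at ssf=%d (< %d): %s"
              % (f.conn, f.op, f.dn, f.ssf, required, outcome))
```

Run with the threshold set to the ssf value in olcSecurity: a bind listed as "accepted" below that threshold means the server is not actually enforcing what you think, and one listed as "rejected err=13" on a connection with no "TLS established" line means the client's StartTLS never completed (a failed handshake, for instance when the server demands a client certificate the client does not present) and the bind went out in the clear.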