Re: [SOGo] One LDAP branch for authentication, many LDAP branches for addressbook

2014-07-21 Thread Christian Mack
Hello Roberto De Oliveira

On 2014-07-18 18:01, Roberto De Oliveira wrote:
> We are using sogo with LDAP authentication and we have designed our DIT
> with 3 branches with email accounts at the same level: people, aliases
> (virtual accounts without authentication) and group of distributions
> (aliases associated to many real accounts). Right now we have issues
> at the web interface because sogo sees just people, I don't know if there
> is a way to specify branch for authentication and branches for address book
> on SOGoUserSources. Any ideas?

Sure.
You can specify multiple SOGoUserSources and set canAuthenticate and
isAddressBook for each according to your needs.


Kind regards,
Christian Mack

-- 
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416





Re: [SOGo] One LDAP branch for authentication, many LDAP branches for addressbook

2014-07-21 Thread Charles Marcus

On 7/21/2014 5:42 AM, Christian Mack christian.m...@uni-konstanz.de wrote:
> You can specify multiple SOGoUserSources and set canAuthenticate and
> isAddressBook for each according to your needs

Hi Christian,

My apologies to the OP, but I have a question about this very thing.

We have two SOGoUserSources defined in our config.

The first is our linux/sql based email userDB, and does all user AUTH.

The second is an LDAP based user source pointed at our existing Windows 
Active Directory DC, and is defined so we can utilize our AD based Users 
and Security Groups for controlling access to shared Calendars and 
Contacts. The only other options - add each user separately to every 
shared resource, or pay for developing an SQL based Group support - were 
not workable (although we may eventually pay to add SQL based Group 
support).


As I reported a couple of weeks ago, I am having a problem with my logs 
being flooded with errors, which I think caused a major problem once 
where my sql server blocked the sogo server due to too many errors. 
Doubling the number of errors from 10 to 20 appears to have solved that 
problem (sogo server hasn't been blocked again... yet), but the errors 
flooding the logs continue.


I've narrowed it down to what I believe could be a problem with this 
dual config.


The error flood (anywhere from a couple hundred to over a thousand 
lines, all with the exact same date/time stamp down to the second) 
*always* starts with a failed BIND operation, like this:


 Jul 21 06:57:07 sogod [29455]: |SOGo| starting method 'REPORT' on uri '/SOGo/dav/username/Calendar/5EDA-533EC400-A3-564CA400/'
 Jul 21 06:57:07 sogod [29455]: 0x0x7ff375997e80[LDAPSource] NSException: 0x7ff375e48710 NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = cn=username,dc=sub,dc=example,dc=com; }


These two lines are then followed by anywhere from hundreds to over a 
thousand lines - again, with the exact same date/time stamp down to the 
second (this simply cannot be good for performance) - like:


 Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375e55800[NGLdapAttribute] could not convert value of objectGUID to string
 Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375e43760[NGLdapAttribute] could not convert value of objectSid to string
 Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375df7130[NGLdapAttribute] could not convert value of logonHours to string
 Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375e73880[NGLdapAttribute] could not convert value of userCertificate to string


They are always the same detail (objectSid, objectGUID, logonHours and 
userCertificate), although the [29455] (I assume that is the process 
ID?) does have maybe 4 or 5 different values interspersed throughout 
these lines.


My question is, could this problem simply be caused because the LDAP 
user Source has canAuthenticate set to yes? Or is this required for the 
LDAP source to simply be able to be read when applying the ACLs?


I've been hesitant to test this theory on my production system, and have 
been meaning to try to get a test environment set up, but I'm a one man 
IT support shop, and I'm a bit outside my comfort zone. I paid Inverse 
to get this installed and working, but my support hours ran out before I 
even realized this problem existed. I'm waiting for approval from the 
boss to buy some more support hours so I can get some help, 
but would really appreciate if you could give me an opinion about this...


Thanks... here are my current user sources:

 SOGoUserSources =
 (
   {
     type = sql;
     id = directory;
     viewURL = "mysql://sogo_user:passw...@sub.example.com:3306/auth_db/sogo_auth";
     canAuthenticate = YES;
     isAddressBook = NO;
     userPasswordAlgorithm = crypt;
   },
   {
     type = ldap;
     CNFieldName = cn;
     IDFieldName = cn;
     UIDFieldName = sAMAccountName;
     baseDN = "DC=sub,DC=example,DC=com";
     bindDN = "cn=ldap lookups,ou=Services,ou=Our_Users,dc=sub,dc=example,dc=com";
     bindPassword = "readonly-password";
     canAuthenticate = YES;
     displayName = "Our Groups";
     hostname = "ldap://123.456.100.10:389";
     id = our_groups;
     isAddressBook = NO;
     scope = SUB;
   }
 );

So... can I simply change 'canAuthenticate = YES;' for the ldap source 
to NO and fix these log flood errors? Or will the users' access to the 
Shared Calendars/Address Books be broken if I do this?


And maybe would I also need to change 'isAddressBook = NO;' to YES?

Anyway, thanks very much for any advice you or anyone else can offer...

--
users@sogo.nu
https://inverse.ca/sogo/lists
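
To measure a flood like the one described in the message above, for instance before and after a configuration change, the log can be summarized per second. This is an added example, not part of the original post and not SOGo code; it assumes the sogod line layout quoted above with wrapped lines rejoined, and the sample log (including the second PID) is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout quoted above (wrapped lines rejoined;
# PID 29456 and the 06:57:08 line are invented for illustration).
SAMPLE_LOG = """\
Jul 21 06:57:07 sogod [29455]: |SOGo| starting method 'REPORT' on uri '/SOGo/dav/username/Calendar/5EDA-533EC400-A3-564CA400/'
Jul 21 06:57:07 sogod [29455]: 0x0x7ff375997e80[LDAPSource] NSException: 0x7ff375e48710 NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = cn=username,dc=sub,dc=example,dc=com; }
Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375e55800[NGLdapAttribute] could not convert value of objectGUID to string
Jul 21 06:57:07 sogod [29456]: [ERROR] 0x0x7ff375e43760[NGLdapAttribute] could not convert value of objectSid to string
Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375df7130[NGLdapAttribute] could not convert value of logonHours to string
Jul 21 06:57:07 sogod [29455]: [ERROR] 0x0x7ff375e73880[NGLdapAttribute] could not convert value of userCertificate to string
Jul 21 06:57:08 sogod [29455]: [ERROR] 0x0x7ff375e55800[NGLdapAttribute] could not convert value of objectGUID to string
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) sogod \[(\d+)\]: (.*)$")
BIND_FAIL = re.compile(r"operation bind failed: (.+?) \(0x[0-9a-fA-F]+\) INFO:\{login = (.+?); \}")
CONVERT = re.compile(r"\[NGLdapAttribute\] could not convert value of (\S+) to string")


def summarize(log_text):
    """Per second: DNs whose bind failed, conversion errors per attribute, PIDs seen."""
    seconds = defaultdict(lambda: {"bind_dns": [], "attrs": Counter(), "pids": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a sogod line in the expected layout
        stamp, pid, msg = m.groups()
        bind, conv = BIND_FAIL.search(msg), CONVERT.search(msg)
        if bind:
            seconds[stamp]["bind_dns"].append(bind.group(2))
        elif conv:
            seconds[stamp]["attrs"][conv.group(1)] += 1
        else:
            continue  # unrelated request line
        seconds[stamp]["pids"].add(int(pid))
    return dict(seconds)


def bursts_with_failed_bind(summary, min_errors=100):
    """Seconds in which a failed bind coincides with at least min_errors conversion errors."""
    return [stamp for stamp, d in summary.items()
            if d["bind_dns"] and sum(d["attrs"].values()) >= min_errors]


if __name__ == "__main__":
    for stamp, d in summarize(SAMPLE_LOG).items():
        print(stamp, d["bind_dns"], dict(d["attrs"]), sorted(d["pids"]))
```

The list of DNs in `bind_dns` shows which identities are being presented to the directory and rejected, which is also what a lockout policy on the directory side would count.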


Re: [SOGo] Sogo 2.2.2: sieve connection does not work

2014-07-21 Thread Rasca Gmelch

Hi,

thank you for these notes. The configuration seems
to be ok now but the connection still fails.

Now we run sogo 2.2.6 and it still does not work.
I played a little bit with the config file and
figured out that it works when I remove the
tls=YES in the sieve connection URL.
But I've to use TLS because the sieve server is
on another machine.

Ideas?

Regards,
 Rasca


On 31.03.2014 16:03, Rainer Ruprechtsberger wrote:
> Hi,
>
> do you have an account configured SOGo should use to connect to
> the sieve server?
>
> /etc/sogo/sieve.creds: sogo:password
>
> This user has to be a sieve administrator (may change sieve scripts
> for every user). In case of a cyrus ldap server this would be:
>
> /etc/imapd.conf sieve_admins: sogo
>
> And in a configured sasl backend.
>
> hope this is of any help.
>
> /rupi
 


-- 

Rasca Gmelch | IT | JabberID: rasca.gme...@artcom.de

OpenPGP Key ID: 8168E925, Key server: pool.sks-keyservers.net
Fingerprint 1FD0 3199 13B7 7ADC 5DF1 A8EF FA4C 4AC0 8168 E925

ART+COM AG | Kleiststr. 23-26 | 10787 Berlin | Germany
Fon: +49.30.21001-466 | Fax: +49.30.21001-555
http://www.artcom.de/

HRB 68308 | Amtsgericht Charlottenburg
Executive Board: Andreas Wiek, Prof. Joachim Sauter
Chairman of the Supervisory Board: Volker Tietgens
VAT ID: DE811998328


Re: [SOGo] One LDAP branch for authentication, many LDAP branches for addressbook

2014-07-21 Thread Roberto De Oliveira
I will try it! Thanks!






-- 
Regards,
Roberto De Oliveira

[SOGo] Question regarding SOGo scalability

2014-07-21 Thread Rodrigo Habib Gregori
Hello,

We were considering moving from zarafa community to SOGo, but we are
concerned about possible scalability problems with it. Right now we have
around 4000 mailboxes and zarafa can't deal with it anymore.

Our current infrastructure is of 3 servers, one for Zarafa-Server (+postfix),
one for Mysql and a third one only for Apache (webaccess) and Z-Push. Both of
them are Citrix Xenserver guests, with 16+ processors and 32GB RAM. Server
CPU load is not an issue, but zarafa-server freezes almost on a daily basis.

The access is currently 100% webclient only with a few users syncing to their
smartphones. With SOGo we planned on using Thunderbird + Connector.

We wonder if SOGo can handle such a user base of this size (actually the base
is going to increase: probably 12.000 mailboxes - at least - in 2 or 3 years).

Does anyone have experience with such an environment?

Kind Regards,

Rodrigo Gregori
Network Administrator
Prefeitura de Joinville
+55 47 3431-3289
rodrigo.gregori at joinville.sc.gov.br


Re: [SOGo] Question regarding SOGo scalability

2014-07-21 Thread Federico Alberto Sayd


You can redistribute the load with a load balance setup:

We use HAproxy for HTTP load balance.

IMAP connections can be balanced with a proxy such as Perdition or the native
Dovecot proxy functionality. You will need to configure Postfix to
forward the incoming mails to the storage backend server where the
account mailbox resides; you can use LDAP to store the mailbox server
info for every user.

If you don't want to redistribute the mailboxes over several storage
servers, you can use a centralized storage (such as NFS, gfs, ocfs2, etc.).

SMTP can be balanced with DNS mx records.

OpenLDAP provides replication and you can balance it with DNS.

SOGo provides a method to redistribute the DB data between more than one
DB backend. The DB connection parameters can be configured on a per-user
basis. But such a feature isn't documented :-(.

Alternatively you can set up a DB cluster, but I think that it is more
complicated and requires more maintenance.

Or, if you have the money, buy commercial support from Inverse (SOGo
developers) and consult with them on the recommended architecture.

Regards

Federico


RES: [SOGo] Question regarding SOGo scalability

2014-07-21 Thread Rodrigo Mello Mattos Habib Gregori
Hello Federico,

 
Thanks for your reply. It will be very useful to us here!

Would you care to share your user base size? How many mailboxes do you have 
there? And how long have you had SOGo implemented?

We have hardware resources for doing load balancing (web, mail and DB).

As for the storage, I was indeed thinking of a centralized solution. Still not 
sure of which protocol to choose.

 
Regards,

 
Rodrigo Habib Gregori

Information Technology Analyst - Registration No. 35444

+55 47 3431-3232

Prefeitura Municipal de Joinville

www.joinville.sc.gov.br

 

 

[SOGo] BTS activities for Monday, July 21 2014

2014-07-21 Thread SOGo reporter
BTS Activities

  Home page: http://www.sogo.nu/bugs
  Project: SOGo
  For the period covering: Monday, July 21 2014

id | last update | status (resolution) | category | summary
2702 | 2014-07-21 05:53:15 | updated (open) | Backend Address Book | Invites in shared calendar are sent from the resource user
2863 | 2014-07-21 05:54:58 | updated (open) | Backend Calendar | No email invitations sent to attendees when using Thunderbird and CalDAV
2865 | 2014-07-21 07:42:10 | updated (open) | Web Calendar | SOGo does not interpret date-time without timezone correctly
2767 | 2014-07-21 14:21:58 | resolved (fixed) | Backend Calendar | Users should be able to prevent being invited to appointments
2759 | 2014-07-21 14:22:30 | resolved (fixed) | Web Calendar | Events and tasks cannot be moved to other calendars using drag