RE: [SOGo] OpenChange OCSmanager & multidomains

[Craig Fisher]

I can see it from both points of view - it's there and works (apparently - 
although I can't make it do so), so the documentation reflects the current 
usage.  But I've also spent quite a while banging my head against a component 
that doesn't have any meaningful documentation without consulting the Internet 
Archive to access openchange.org. That should have been a red-flag I suppose, 
but the active github repository in Zentyal (which is the build pulled in from 
the Inverse installation process) would seem to indicate that it's possibly 
hanging on.

What would be good is a bigger picture road-map (beyond that of bug fixes) of 
where things are moving to, so that any contributions I/we can make will take 
things forward along a productive path, rather than down a cul-de-sac.

If the openchange component is to go, and EAS is to be the Outlook-compatible 
tool of choice, then I'm assuming that all the EWS features ( 
https://msdn.microsoft.com/en-us/library/office/dn144954(v=exchg.140).aspx ) 
will be lost?

-Craig

-Original Message-

On 2017-03-29 5:05 PM, Gordon Messmer (gordon.mess...@gmail.com) wrote:

> I'm afraid I don't understand.  Why would people want to test and
> contribute to OpenChange if those contributions are going to be
> removed from SOGo "soon"?
If contributions are interesting and overcome limitations, why would we remove 
support? I wrote "it is likely" - I didn't write "it will".

--
Ludovic Marcotte
lmarco...@inverse.ca  ::  +1.514.755.3630  ::  http://inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://sogo.nu), PacketFence (http://packetfence.org) 
and Fingerbank (http://fingerbank.org)

--
users@sogo.nu
https://inverse.ca/sogo/lists


smime.p7s
Description: S/MIME cryptographic signature

[SOGo] OpenChange OCSmanager & multidomains

[Craig Fisher]

Folks, Hi

 

I’ve got SOGO working fine with multiple domains, separated into different OUs 
in my LDAP (Samba4).  I’m using the email address as the login name – which 
works well for Sogo/dovecot/postfix logins.

 

However – I don’t seem to be able to get OCSManager to authenticate my 
autodiscover.xml properly.  It comes up with an HTTP-AUTH box which seems to 
connect and work using LDAP correctly initially, but once it gets into the 
‘pulling information out of Samba’ part to generate the autodiscover response, 
the Samba NTLM searches fail as they are searching for the email address.

 

There doesn’t seem to be any documentation for Openchange *anywhere*, beyond 
the example setup in the SOGo docs.  

 

Q1. Will Openchange support multipledomains/login via LDAP and pulling 
information from there?

Q1. If not is Openchange a requirement for Exchange ActiveSync functionality? 
It seems like a dead development… ☹

Q2. If not – is there any documentation on what the autodiscover.xml response 
should look like to tell remote Outlook to use EAS instead of using OCSManager 
to generate it?

 

May thanks in advance…

 

-Craig

 



smime.p7s
Description: S/MIME cryptographic signature

RE: [SOGo] ActiveSync 403 forbidden

[Craig Fisher]

Christian, Hi

Thanks for the pointers - yes sogo-activesync was installed, and I've turned up 
the debug in the sogo.log and the apache.log

Mar 27 17:07:08 sogod [5979]: |SOGo| starting method 'GET' on uri 
'/SOGo/Microsoft-Server-ActiveSync?'
Mar 27 17:07:08 sogod [5979]: |SOGo| traverse(acquire): SOGo => 
Microsoft-Server-ActiveSync
Mar 27 17:07:08 sogod [5979]: |SOGo|   do traverse name: 'SOGo'
Mar 27 17:07:08 sogod [5979]: |SOGo|   do traverse name: 
'Microsoft-Server-ActiveSync'
Mar 27 17:07:08 sogod [5979]: |SOGo| set clientObject: 
Mar 27 17:07:08 sogod [5979]: <0x0x5559bd382640[SOGoActiveSyncDispatcher]> EAS 
- Forbidden access for user (null)
Mar 27 17:07:08 sogod [5979]: |SOGo| request took 0.000676 seconds to execute
Mar 27 17:07:08 sogod [5979]: 192.168.205.113 "GET 
/SOGo/Microsoft-Server-ActiveSync? HTTP/1.1" 403 0/0 0.002 - - 0

Which implies to me that apache (for some reason) isn't getting a username - 
which is unsurprising as it doesn’t request any Authorisation.

[Mon Mar 27 16:07:08.916479 2017] [authz_core:debug] [pid 9790] 
mod_authz_core.c(835): [client 192.168.205.113:53478] AH01628: authorization 
result: granted (no directives)
[Mon Mar 27 16:07:08.916690 2017] [proxy:debug] [pid 9790] mod_proxy.c(1160): 
[client 192.168.205.113:53478] AH01143: Running scheme http handler (attempt 0)
[Mon Mar 27 16:07:08.916807 2017] [proxy:debug] [pid 9790] proxy_util.c(2160): 
AH00942: HTTP: has acquired connection for (127.0.0.1)
[Mon Mar 27 16:07:08.916893 2017] [proxy:debug] [pid 9790] proxy_util.c(2213): 
[client 192.168.205.113:53478] AH00944: connecting 
http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync? to 127.0.0.1:2
[Mon Mar 27 16:07:08.916996 2017] [proxy:debug] [pid 9790] proxy_util.c(2422): 
[client 192.168.205.113:53478] AH00947: connected 
/SOGo/Microsoft-Server-ActiveSync? to 127.0.0.1:2
[Mon Mar 27 16:07:08.917225 2017] [proxy:debug] [pid 9790] proxy_util.c(2799): 
AH02824: HTTP: connection established with 127.0.0.1:2 (127.0.0.1)
[Mon Mar 27 16:07:08.917319 2017] [proxy:debug] [pid 9790] proxy_util.c(2965): 
AH00962: HTTP: connection complete to 127.0.0.1:2 (127.0.0.1)
[Mon Mar 27 16:07:08.922994 2017] [proxy:debug] [pid 9790] proxy_util.c(2175): 
AH00943: http: has released connection for (127.0.0.1)

I would have expected the server to request username+password the same way as 
it does for autodiscover - but that's done by OCSmanager. I'm assuming that 
Sogo does it for EAS and why would it work for normal Sogo requests - but not 
EAS requests...?

What is the process that requests and then handles the HTTP Authorisation 
request for username + password?

Any pointers would be useful. Thanks!!

My sogo.conf is :-
---
{
//  SOGoEnableDomainBasedUID = YES;
//  SOGoLoginDomains = (acme.com, widgets.com);

  domains = {
acme.com = {
  SOGoMailDomain = acme.com;
  SOGoUserSources = (
{
  type = ldap;
  CNFieldName = displayName;
  IDFieldName = cn;
  UIDFieldName = cn;
  baseDN = "ou=acme,ou=tenants,dc=exch,dc=smtp-engine,dc=com";
  bindDN = "cn=administrator,cn=Users,dc=exch,dc=smtp-engine,dc=com";
  bindPassword = "%%";
  bindFields = ( mail, cn );
  canAuthenticate = YES;
  displayName = "Shared Addresses";
  hostname = ldap://127.0.0.1:389;
  id = public_acme;
  isAddressBook = YES;
}
  );
};
widgets.com = {
  SOGoMailDomain = widgets.com;
  SOGoUserSources = (
{
  type = ldap;
  CNFieldName = displayName;
  IDFieldName = cn;
  UIDFieldName = cn;
  baseDN = "ou=widgets,ou=tenants,dc=exch,dc=smtp-engine,dc=com";
  bindDN = "cn=administrator,cn=Users,dc=exch,dc=smtp-engine,dc=com";
  bindPassword = "%%%";
  bindFields = ( mail, cn );
  canAuthenticate = YES;
  displayName = "Shared Addresses";
  hostname = ldap://127.0.0.1:389;
  id = public_widgets;
  isAddressBook = YES;
}
  );
};
  };

/* Database configuration  */
  SOGoProfileURL = 
mysql://sogo_user:%@127.0.0.1:3306/sogo/sogo_user_profile;
  OCSFolderInfoURL = 
mysql://sogo_user:@127.0.0.1:3306/sogo/sogo_folder_info;
  OCSEMailAlarmsFolderURL = 
mysql://sogo_user:%%%@127.0.0.1:3306/sogo/sogo_alarms_folder;
  OCSSessionsFolderURL = 
mysql://sogo_user:%@127.0.0.1:3306/sogo/sogo_sessions_info;

/* General */
  SOGoLanguage = English;
  SOGoTimeZone = "Europe/London";
  SOGoEnableEMailAlarms = YES;
  SOGoCalendarDefaultRoles = ("PublicDAndTViewer");
  //SOGoSuperUsernames = (administrator);

 /* Web Interface */
  SOGoPageTitle = SMTP-Engine;
  SOGoVacationEnabled = YES;
  SOGoForwardEnabled = YES;
  SOGoSieveScriptsEnabled = YES;
  //SOGoMailAuxiliaryUserAccountsEnabled = YES;
  SOGoTrustProxyAuthentication = NO;

/* Mail */
  SOGoDraftsFolderName = Drafts;
  SOGoSentF

[SOGo] ActiveSync 403 forbidden

[Craig Fisher]

Hi folks,

We're trying to setup a multi-domain Sogo and have run into an issue with 
ActiveSync - the http/https requests 
http://hostname.dom/Microsoft-Server-ActiveSync immediately fail with a 403 
forbidden error without even attempting/requesting a login.

The Sogo login and autodiscover login both work fine.

I just can't seem to see where the issue is - looks like an apache error as 
it's not even getting to the Sogo/Openchange debug logs.

Can anyone see any glaring errors in the SOGo.conf below? Are there any other 
config files that could be the issue?

Thanks in advance,

-Craig
--
Alias /SOGo.woa/WebServerResources/ \
  /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
  /usr/lib/GNUstep/SOGo/WebServerResources/

Redirect /Autodiscover/Autodiscover.xml /autodiscover/autodiscover.xml
Redirect /AutoDiscover/AutoDiscover.xml /autodiscover/autodiscover.xml



AllowOverride None


Order deny,allow
Allow from all

= 2.4>
Require all granted


# Explicitly allow caching of static content to avoid browser specific 
behavior.
# A resource's URL MUST change in order to have the client load the new 
version.

  ExpiresActive On
  ExpiresDefault "access plus 1 year"



## Uncomment the following to enable proxy-side authentication, you will then
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
## below.
#
## For full proxy-side authentication:
#
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#
#
## For proxy-side authentication only for CardDAV and GroupDAV from external
## clients:
#
#  AuthType XXX
#  Require valid-user
#  SetEnv proxy-nokeepalive 1
#  Allow from all
#

ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On

# When using CAS, you should uncomment this and install cas-proxy-validate.py
# in /usr/lib/cgi-bin to reduce server overloading
#
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
# http://localhost/app/cas-proxy-validate.py>
#   Order deny,allow
#   Allow from your-cas-host-addr
# 

# Enable to use Microsoft ActiveSync support
# Note that you MUST have many sogod workers to use ActiveSync.
# See the SOGo Installation and Configuration guide for more details.
#
ProxyPass /Microsoft-Server-ActiveSync \
http://127.0.0.1:2/SOGo/Microsoft-Server-ActiveSync \
retry=60 connectiontimeout=5 timeout=360

ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

http://127.0.0.1:2/SOGo>
## adjust the following to your configuration
  RequestHeader set "x-webobjects-server-port" "443"
  RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
  RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e"; 
env=HTTP_HOST
#  RequestHeader set "x-webobjects-server-port" "80"
#  RequestHeader set "x-webobjects-server-name" 
"exchange-xxx-x.smtp-engine.com"
#  RequestHeader set "x-webobjects-server-url" 
"http://exchange-xxx-x.smtp-engine.com";

## When using proxy-side autentication, you need to uncomment and
## adjust the following line:
# RequestHeader unset "x-webobjects-remote-user"
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" 
env=REMOTE_USER

  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"

#  RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e 
env=REMOTE_HOST
  AddDefaultCharset UTF-8


Order deny,allow
Allow from all

= 2.4>
Require all granted




# For Apple autoconfiguration

  RewriteEngine On
  RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
  RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]


---




smime.p7s
Description: S/MIME cryptographic signature