Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-13 Thread Marco Moock
Am 13.05.2024 um 06:15:24 Uhr schrieb Roman:

> Do you mean 636 instead of 686?

Yes.

> Windows server uses 636 port for sure because when I do "telnet
> home.arpa 686" it's open. But if I use hostname =
> "ldapS://home.arpa:636" - I can't connect with SOGo web page to LDAP,
> no security logs in Windows during that operation. But without "S" -
> hostname = "ldap://home.arpa:389; - it works as intended.

Use a sniffer (wireshark) and check if it tries to use TLS directly on
port 636.
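
The check suggested above (does the client actually speak TLS on 636, and does the handshake succeed?) can be done without a sniffer. The script below is an added example written for this thread; it is not from the thread or from SOGo. It normalises an LDAP URI the way SOGo's `hostname` value is written (scheme case-insensitive, default port 389 for ldap:// and 636 for ldaps://, mismatch between scheme and port flagged) and then attempts a real TLS handshake, which is what `telnet host 636` does not do: a successful telnet only proves the TCP port is open, while "TLS: can't connect" from `ldapsearch -d1` usually means the handshake or certificate validation failed. Host names and the optional CA file path are constructed placeholders; only the Python standard library is used.

```python
"""Parse an ldap:// or ldaps:// URI and probe the target for TLS-on-connect.

Added example for the SOGo/AD thread, not project code. Hostnames are
constructed; pass your own on the command line.
"""
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit

# RFC 4516 schemes and their IANA default ports.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri: str) -> dict:
    """Normalise an LDAP URI into scheme, host, port and TLS mode.

    urlsplit lower-cases the scheme, so "ldapS://host:636" is ldaps.
    port_matches_scheme is False for e.g. ldap://host:636 (plaintext LDAP
    sent to the TLS port) or ldaps://host:389 (TLS sent to the plaintext port);
    both fail with the client-side errors seen in the thread.
    """
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps")
    if not parts.hostname:
        raise ValueError(f"no host in {uri!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port,
        "tls_on_connect": scheme == "ldaps",
        "port_matches_scheme": port == DEFAULT_PORTS[scheme],
    }


def probe_tls(host: str, port: int = 636, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Open a TCP connection and attempt a TLS handshake, as an ldaps:// client does.

    Returns a report: whether TCP connected, whether TLS negotiated, and the
    error if not. With the default context the server certificate must chain
    to `cafile` (or the system trust store) and match `host`; a domain
    controller certificate issued by an internal CA that the SOGo host does not
    trust fails here, not at the TCP level.
    """
    report = {"host": host, "port": port, "tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            report["tcp"] = True
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["tls"] = True
                report["protocol"] = tls.version()
                cert = tls.getpeercert()
                # Subject is a tuple of RDNs, each a tuple of (type, value) pairs.
                report["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except (OSError, ssl.SSLError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    import sys
    # Constructed default; "home.arpa" is the thread's private-use domain.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps://home.arpa:636"
    info = parse_ldap_uri(target)
    print(info)
    if not info["port_matches_scheme"]:
        print("warning: port does not match the scheme's default; check the config")
    if info["tls_on_connect"]:
        print(probe_tls(info["host"], info["port"]))
```

Run it as `python3 probe.py ldaps://home.arpa:636` from the SOGo host. If `tcp` is True but `tls` is False with a certificate verification error, the fix is on the client side (import the domain CA certificate into the trust store SOGo's LDAP library uses), and no bind attempt reaches the domain controller, which is why the Windows security log shows nothing.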


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-13 Thread Roman
Hi,

Do you mean 636 instead of 686?

Windows server uses 636 port for sure because when I do "telnet home.arpa 686" it's open.
But if I use hostname = "ldapS://home.arpa:636" - I can't connect with SOGo web page to LDAP, no security logs in Windows during that operation.
But without "S" - hostname = "ldap://home.arpa:389" - it works as intended.
Maybe I also need to add domain client certificate to SOGo in order to get secure access?

12.05.2024, 23:38, "Marco Moock (m...@dorfdsl.de)":
> Am 12.05.2024 um 05:44:53 Uhr schrieb Roman:
>
> > I keep getting these errors:
> > " TLS: can't connect: Error in the pull function..
> > ldap_err2string
> > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
> >
> > Although if I run the same command without the "S" - ( ldapsearch -H ldap://home.arpa -D "us...@home.arpa" -w "Password" -b "DC=home,DC=arpa" -d1 ) everything works fine. But the port 636 is open (checked with telnet).
>
> Add the port to the configuration to make sure it uses 686.
> Use a sniffer to verify it uses 686.

Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-12 Thread Marco Moock
Am 12.05.2024 um 05:44:53 Uhr schrieb Roman:

> I keep getting these errors:
> " TLS: can't connect: Error in the pull function..
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
>  
> Although if I run the same command without the "S" - ( ldapsearch -H
> ldap://home.arpa -D "us...@home.arpa" -w "Password" -b
> "DC=home,DC=arpa" -d1 ) everything works fine. But the port 636 is
> open (checked with telnet).

Add the port to the configuration to make sure it uses 686.
Use a sniffer to verify it uses 686.


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-12 Thread Roman
Because of your helpful suggestion, finally using logs on domain controller I was able to fix LDAP authentication with insecure 389 port.

According to the second paragraph of the official SOGo documentation ( https://www.sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap ) it's workable to use insecure LDAP connection settings with 389 port, and currently my LDAP connection settings allow me to authenticate and look like this:

    SOGoUserSources = ({
      type = ldap;
      CNFieldName = cn;
      IDFieldName = cn;
      UIDFieldName = sAMAccountName;
      baseDN = "cn=Users,dc=home,dc=arpa";
      bindDN = "cn=user1,cn=Users,dc=home,dc=arpa";
      bindFields = (sAMAccountName);
      bindPassword = "Password";
      canAuthenticate = YES;
      displayName = "Active Directory";
      hostname = "ldap://home.arpa:389";
      id = directory;
      isAddressBook = YES;
    });

But I'm not able to make it work securely, and even if I try to connect with the secure method using the ldapsearch Linux utility with the command:

    ldapsearch -H ldaps://home.arpa -D "us...@home.arpa" -w "Password" -b "DC=home,DC=arpa" -d1

I keep getting these errors:

    " TLS: can't connect: Error in the pull function..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

Although if I run the same command without the "S" - ( ldapsearch -H ldap://home.arpa -D "us...@home.arpa" -w "Password" -b "DC=home,DC=arpa" -d1 ) everything works fine. But the port 636 is open (checked with telnet).

It seems that secure authentication requires some additional configuration and maybe on client side too.

Any insights or suggestions would be greatly appreciated! Thank you very much for your precious time and help.

09.05.2024, 14:47, "Marco Moock (m...@dorfdsl.de)":
> Am 08.05.2024 um 20:56:01 Uhr schrieb Christian Naumer:
>
> > Normally in AD you have to use ldaps, startTLS or Kerberos for Auth to the LDAP. In your config I don't see any of that.
>
> I would assume an appropriate error message then that tells about this - on the LDAP server and on the LDAP client.
>
> --
> Gruß
> Marco
>
> Send unsolicited bulk mail to 1715194561mu...@cartoonies.org

Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-09 Thread Marco Moock
Am 08.05.2024 um 20:56:01 Uhr schrieb Christian Naumer:

> Normally in AD you have to use ldaps, startTLS or Kerberos for Auth
> to the LDAP. In your config I don't see any of that.

I would assume an appropriate error message then that tells about this
- on the LDAP server and on the LDAP client.

-- 
Gruß
Marco

Send unsolicited bulk mail to 1715194561mu...@cartoonies.org


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-08 Thread Christian Naumer
Normally in AD you have to use ldaps, startTLS or Kerberos for Auth to the 
LDAP. In your config I don't see any of that.

Regards 

Christian 


Am 7. Mai 2024 16:18:42 MESZ schrieb Marco Moock :
>Am 07.05.2024 um 16:40:58 Uhr schrieb Roman:
>
>> and also, if I run the command from a Linux machine:
>> ldapsearch -H ldap://home.arpa:389 -D "us...@home.arpa" -w
>> "Lenovo777" -b "DC=home,DC=arpa". 
>> then I get a correct response, so it is probably correct. 
>
>Can you check the logs at the Windows Server and check for the
>difference?
>
>-- 
>kind regards
>Marco
>
>Send unsolicited bulk mail to 1715092858mu...@cartoonies.org


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-07 Thread Marco Moock
Am 07.05.2024 um 16:40:58 Uhr schrieb Roman:

> and also, if I run the command from a Linux machine:
> ldapsearch -H ldap://home.arpa:389 -D "us...@home.arpa" -w
> "Lenovo777" -b "DC=home,DC=arpa". 
> then I get a correct response, so it is probably correct. 

Can you check the logs at the Windows Server and check for the
difference?

-- 
kind regards
Marco

Send unsolicited bulk mail to 1715092858mu...@cartoonies.org


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-07 Thread Roman
If I run the command "dsquery user -name * -limit 0" on a domain controller, I get the following output:

    PS C:\Users\Administrator\Desktop> dsquery user -name * -limit 0
    "CN=Administrator,CN=Users,DC=home,DC=arpa."
    "CN=Guest,CN=Users,DC=home,DC=arpa."
    "CN=DefaultAccount,CN=Users,DC=home,DC=arpa."
    "CN=krbtgt,CN=Users,DC=home,DC=arpa."
    "CN=user1,CN=Users,DC=home,DC=arpa."
    "CN=user2,CN=Users,DC=home,DC=arpa."
    "CN=user3,OU=test,DC=home,DC=arpa."
    PS C:\Users\Administrator\Desktop>

and also, if I run the command from a Linux machine:

    ldapsearch -H ldap://home.arpa:389 -D "us...@home.arpa" -w "Lenovo777" -b "DC=home,DC=arpa".

then I get a correct response, so it is probably correct.

Translated with www.DeepL.com/Translator (free version)

07.05.2024, 16:39, "Marco Moock (m...@dorfdsl.de)":
> Am 07.05.2024 um 12:46:02 Uhr schrieb "Rom@n":
>
> > For test purpose I didn't create anything in domain controller except user1 with domain admin privileges and user2 with regular user privileges, no OU created, everything is default for Windows Server 2016.
>
> I think you should ask at a place for LDAP/MS AD discussions.
> This is most likely a problem on your LDAP server. Maybe the bindDN
> isn't set up properly.

Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-07 Thread Marco Moock
Am 07.05.2024 um 12:46:02 Uhr schrieb "Rom@n":

> For test purpose I didn't create anything in domain controller except 
> user1 with domain admin privileges and user2 with regular user 
> privileges, no OU created, everything is default for Windows Server 
> 2016.

I think you should ask at a place for LDAP/MS AD discussions.
This is most likely a problem on your LDAP server. Maybe the bindDN
isn't set up properly.


Re: [SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-07 Thread Marco Moock
Am 07.05.2024 um 09:26:46 Uhr schrieb Roman:

> 1) Deployed a Windows Server 2016 based domain "ldap.local" [...]

This is the first mistake. ".local" is intended for multicast DNS and
DNS resolution will fail if it is not connected to the same link. It
may fallback to unicast DNS then. Use "home.arpa" or other domains
reserved for private use.

> NAME:LDAPException REASON:operation bind failed: Invalid credentials
> (0x31) INFO:{"error_code" = 49; login =
> "uid=user1,ou=users,dc=ldap,dc=local"; }

Your bindDN seems to be wrong.

Is that the place where the users are located?

-- 
Gruß
Marco

Send unsolicited bulk mail to 1715066806mu...@cartoonies.org


[SOGo] SOGo v5.10.0 integration with Windows Server 2016 based domain

2024-05-07 Thread Roman
Hi everyone,

Please help to configure authorization with LDAP server based on Windows Server 2016.

Recently I have configured SOGo with SQL (Postgres) authentication and it was able to log in to SOGo web interface, but I have to migrate to Windows Server 2016 Active Directory and it became a huge challenge. In order to perform this I did the following:

1) Deployed a Windows Server 2016 based domain "ldap.local" with default settings and created "user1" LDAP account and added domain controller administrator rights to this user.
2) Commented out the working SOGoUserSources settings for SQL and added SOGoUserSources LDAP settings for "user1" account instead according to official guide.
3) Changed SOGoSuperUsernames from postgres to user1

But apparently these changes are not enough to correctly configure LDAP integration.

Any insights or suggestions would be greatly appreciated! Thank you very much for your precious time and help.

Below I will attach the logs I get when trying to authorize with LDAP "user1" account and contents of the "sogo.conf" file with functional SQL (postgres) authorization settings commented out and added SOGoUserSources LDAP settings for "user1" account instead:

    May 07 05:50:49 sogod [152]: version 5.10.0 (build @localhost 202404270249) -- starting
    May 07 05:50:49 sogod [152]: vmem size check enabled: shutting down app when vmem > 384 MB. Currently at 82 MB
    May 07 05:50:49 sogod [152]: <0x0x55beb1c68aa0[SOGoProductLoader]> SOGo products loaded from '/usr/local/lib/GNUstep/SOGo':
    May 07 05:50:49 sogod [152]: <0x0x55beb1c68aa0[SOGoProductLoader]>   AdministrationUI.SOGo, Appointments.SOGo, CommonUI.SOGo, Contacts.SOGo, ContactsUI.SOGo, MailPartViewers.SOGo, Mailer.SOGo, MailerUI.SOGo, MainUI.SOGo, PreferencesUI.SOGo, SchedulerUI.SOGo
    May 07 05:50:49 sogod [152]: <0x0x55beb1c68aa0[SOGoProductLoader]> SOGo products loaded from '/usr/lib/GNUstep/SOGo':
    May 07 05:50:49 sogod [152]: <0x0x55beb1c68aa0[SOGoProductLoader]>   AdministrationUI.SOGo, Appointments.SOGo, CommonUI.SOGo, Contacts.SOGo, ContactsUI.SOGo, MailPartViewers.SOGo, Mailer.SOGo, MailerUI.SOGo, MainUI.SOGo, PreferencesUI.SOGo, SchedulerUI.SOGo
    May 07 05:50:49 sogod [152]: All products loaded - current memory usage at 91 MB
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> listening on 127.0.0.1:2
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> watchdog process pid: 152
    May 07 05:50:49 sogod [152]: <0x0x7f0b0b345420[WOWatchDogChild]> watchdog request timeout set to 10 minutes
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> preparing 8 children
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 153
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 154
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 155
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 156
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 157
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 158
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 159
    May 07 05:50:49 sogod [152]: <0x0x55beb1c97a00[WOWatchDog]> child spawned with pid 160
    May 07 05:50:49 sogod [156]: <0x0x55beb1f2e2e0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [153]: <0x0x55beb1f2e2c0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [155]: <0x0x55beb1f2e2c0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [159]: <0x0x55beb1f2e2d0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [158]: <0x0x55beb1f2e2d0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [157]: <0x0x55beb1f2dea0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [160]: <0x0x55beb1f2dea0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:49 sogod [154]: <0x0x55beb1f2dea0[WOHttpAdaptor]> notified the watchdog that we are ready
    May 07 05:50:59 sogod [154]: |SOGo| starting method 'GET' on uri '/SOGo/'
    May 07 05:50:59 sogod [154]: <0x0x55beb1f8bd30[SOGoCache]> Cache cleanup interval set every 300.00 seconds
    May 07 05:50:59 sogod [154]: <0x0x55beb1f8bd30[SOGoCache]> Using host(s) '192.168.5.229' as server(s)
    May 07 05:50:59 sogod [154]: [WARN] <0x0x7f0b0b363160[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
    May 07 05:50:59 sogod [154]: |SOGo| request took 0.042288 seconds to execute
    May 07 05:50:59 sogod [154]: 51.15.104.199, 192.168.5.9 "GET /SOGo/ HTTP/1.1" 200 9137/0 0.044 37167 75% 5M - 11
    May 07 05:51:09 sogod [154]: |SOGo| starting method 'POST' on uri '/SOGo/connect'
    May 07 05:51:09 sogod [154]: <0x0x55beb1f8b890[LDAPSource]>  NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "uid=user1,ou=users,dc=ldap,dc=local"; }
    May 07