Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-21 Thread Luca Olivetti
On 20/03/18 at 19:05, Goetz Reinicke (goetz.reini...@filmakademie.de)
wrote:

> On 20.03.2018 at 18:30, Luca Olivetti (l...@wetron.es) wrote:
>
>> On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de)
>> wrote:
>>
>>> I did that and it works, but disabling encryption, as I understand it, is
>>> not a good option.
>>
>> use
>>
>> ldap server require strong auth = allow_sasl_over_tls
>>
>> (I suppose you already enabled tls in samba)
>
> Not yet, as I was not aware that I would need it. TLS enable etc. are the
> options?!

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC


Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)  Fax +34 93 5883007
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Sogo and samba 4 AD authentification - SOLVED

2018-03-21 Thread goetz.reini...@filmakademie.de
Thanks to all, I got it up and running. (For now with TLS_REQCERT never).

Regards . Götz
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-21 Thread Christian Naumer
On 20.03.2018 at 15:56, Götz Reinicke
(goetz.reini...@filmakademie.de) wrote:
> Hi,
> 
> I am trying to use our Samba 4 AD as the user source, but it looks like I am
> missing a point or option.
> 
> I have added a dedicated user to the AD, edited the config and restarted
> SOGo.
> 
> From the logs so far I guess it's an SSL problem.

Yes it is. You need to install the certificates at the distro level
(the location can be specified in /etc/openldap/ldap.conf) or configure
/etc/openldap/ldap.conf to not check the certificates with:

TLS_REQCERT never


Location of the files may vary. This is for CentOS.

Sogo.conf looks like this:

SOGoUserSources = (
  {
    CNFieldName = displayName;
    IDFieldName = sAMAccountName;
    UIDFieldName = sAMAccountName;
    bindAsCurrentUser = YES;
    baseDN = "cn=xx,dc=xx,dc=xx,dc=xx";
    bindDN = "CN=xx,CN=xx,DC=xx,DC=xx,DC=xx";
    bindFields = (
      sAMAccountName
    );
    bindPassword = "xx";
    listRequiresDot = NO;
    canAuthenticate = YES;
    displayName = xx;
    hostname = "ldaps://xx.xx.xx";
    id = xx;
    isAddressBook = YES;
    SearchFieldNames = (sAMAccountName, displayName, mail);
  }
);

As you can see we use the domain name as the LDAP server; this does "crude"
load balancing, as the DNS returns the IPs of all DCs in the Active Directory.


regards



> 
> Maybe someone already has a working setup and can share hints and docs on how
> to use it?
> 
>   Thanks & Regards . Götz
> 
> 

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail c...@brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management Board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the Supervisory Board: Dr. Ludger Mueller
-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-21 Thread mj

Hi,

On 03/20/2018 06:05 PM, Goetz Reinicke (goetz.reini...@filmakademie.de)
wrote:

> So haproxy is talking encrypted to the samba servers? With the option of
> failover this sounds interesting. How hard is the haproxy configuration?


Yes, like that. The config is not very complicated, and it works very nicely.
In fact we do this on all servers that require ldap connections.


Relevant bits from haproxy.cfg:


frontend ldap_service_front
  mode            tcp
  bind            localhost:389
  description     LDAP Service
  option          socket-stats
  option          tcpka
  timeout client  5s
  default_backend ldaps_service_back

backend ldaps_service_back
  mode            tcp
  balance         roundrobin
  server dc2 ldap.server.ip.1:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
  server dc3 ldap.server.ip.2:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
  server dc4 ldap.server.ip.3:636 check fall 1 rise 1 inter 2s verify none check check-ssl ssl
  option          log-health-checks
  option          ldap-check
  timeout server  2s
  timeout connect 2s


As you can see, we are currently not checking the certificates, which is 
not good. This is still on our to-do list.


MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists
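Three replies in this thread each relax a different check on the path from SOGo to the DCs: Christian Naumer's `TLS_REQCERT never` in ldap.conf, MJ's `verify none` on the HAProxy server lines, and Sauro Cerri's `ldap server require strong auth = No` in smb.conf. The following Python is an added example and is not code from the list, from SOGo, Samba or HAProxy: a small audit that reads the three config fragments, reports the weak settings, and passes a corrected variant of each. All config text, the CA file paths and the DC name dc2.ad.example.test are constructed for the example.

```python
"""Added example (not code from the list, SOGo, Samba or HAProxy): audit the
three settings discussed in this thread that decide whether the LDAP path from
SOGo to the Samba DCs is authenticated. All config text is constructed."""
import shlex

# --- constructed samples: the weak setting beside its corrected form -------
LDAP_CONF_WEAK = "TLS_REQCERT never\n"            # accepts any DC certificate
LDAP_CONF_FIXED = (
    "# CA that issued the DCs' LDAPS certificates (path is an assumption)\n"
    "TLS_CACERT /etc/openldap/certs/samba-ad-ca.pem\n"
    "TLS_REQCERT demand\n"
)
HAPROXY_WEAK = """backend ldaps_service_back
  mode tcp
  server dc2 ldap.server.ip.1:636 check fall 1 rise 1 inter 2s verify none check-ssl ssl
"""
HAPROXY_FIXED = """backend ldaps_service_back
  mode tcp
  server dc2 dc2.ad.example.test:636 check fall 1 rise 1 inter 2s check-ssl ssl verify required ca-file /etc/haproxy/samba-ad-ca.pem verifyhost dc2.ad.example.test
"""
SMB_CONF_WEAK = "[global]\n  ldap server require strong auth = No\n"
SMB_CONF_FIXED = "[global]\n  ldap server require strong auth = allow_sasl_over_tls\n"


def audit_ldap_conf(text):
    """OpenLDAP client side (what SOGo's libldap reads): TLS_REQCERT decides what
    happens when the DC certificate cannot be verified. 'demand' (the default)
    fails the bind; 'never', 'allow' and 'try' continue in some failure cases."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "TLS_REQCERT" \
                and parts[1].strip().lower() in ("never", "allow", "try"):
            findings.append(f"ldap.conf: TLS_REQCERT {parts[1].strip()} does not require a "
                            f"verified server certificate; use 'demand' plus TLS_CACERT")
    return findings


def audit_haproxy(text):
    """HAProxy backend: with 'ssl', leaving 'verify' out defaults to 'required'
    (global ssl-server-verify), but 'verify none' disables it outright. A
    'ca-file' is needed for the chain check and 'verifyhost' or 'sni' for the
    name check; without the latter any certificate from that CA is accepted."""
    findings = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if len(tokens) < 3 or tokens[0] != "server":
            continue
        name, opts = tokens[1], tokens[2:]
        if "ssl" not in opts:
            continue
        if "verify" in opts and opts[opts.index("verify") + 1:][:1] == ["none"]:
            findings.append(f"haproxy: server {name} uses 'verify none'; the DC is not authenticated")
        if "ca-file" not in opts:
            findings.append(f"haproxy: server {name} has no 'ca-file'; chain verification cannot succeed")
        if "verifyhost" not in opts and "sni" not in opts:
            findings.append(f"haproxy: server {name} pins no hostname ('verifyhost' or 'sni')")
    return findings


def audit_smb_conf(text):
    """Samba DC side: 'ldap server require strong auth = no' allows simple binds
    (a cleartext password) over unencrypted LDAP. The thread's suggestion
    'allow_sasl_over_tls' only relaxes things for connections already under TLS."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key == "ldap server require strong auth" and value == "no":
            findings.append("smb.conf: 'ldap server require strong auth = no' permits "
                            "simple binds over unencrypted LDAP")
    return findings


def audit_all(ldap_conf, haproxy_cfg, smb_conf):
    """Combine the three audits; an empty list means nothing weak was found."""
    return audit_ldap_conf(ldap_conf) + audit_haproxy(haproxy_cfg) + audit_smb_conf(smb_conf)


if __name__ == "__main__":
    for label, cfgs in (("weak", (LDAP_CONF_WEAK, HAPROXY_WEAK, SMB_CONF_WEAK)),
                        ("fixed", (LDAP_CONF_FIXED, HAPROXY_FIXED, SMB_CONF_FIXED))):
        print(f"{label}:")
        for finding in audit_all(*cfgs) or ["no findings"]:
            print("  -", finding)
```

The corrected HAProxy line uses the real `verify required`, `ca-file` and `verifyhost` server options; `verifyhost` matters in this round-robin setup because each DC presents its own certificate, and the chain check alone would accept any certificate the AD CA has issued. On the SOGo host the equivalent is `TLS_CACERT` pointing at the same CA bundle with `TLS_REQCERT demand`, so the "SOLVED ... with TLS_REQCERT never" state from the thread is the one this audit flags.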


Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-21 Thread Goetz Reinicke


> On 20.03.2018 at 18:30, Luca Olivetti (l...@wetron.es) wrote:
> 
> On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de)
> wrote:
>> I did that and it works, but disabling encryption, as I understand it, is
>> not a good option.
> 
> use
> 
> ldap server require strong auth = allow_sasl_over_tls
> 
> (I suppose you already enabled tls in samba)

Not yet, as I was not aware that I would need it. TLS enable etc. are the
options?! 

Thanks and regards . Götz
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread Luca Olivetti
On 20/03/18 at 18:02, Goetz Reinicke (goetz.reini...@filmakademie.de)
wrote:
> I did that and it works, but disabling encryption, as I understand it,
> is not a good option.


use

ldap server require strong auth = allow_sasl_over_tls

(I suppose you already enabled tls in samba)

Bye

--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es/
Tel. +34 93 5883004 (Ext.3010)  Fax +34 93 5883007
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread Goetz Reinicke
I did that and it works, but disabling encryption, as I understand it, is
not a good option.

Suggestions? Regards Götz 

> On 20.03.2018 at 16:33, Sauro Cerri (sauro.ce...@isi-it.eu)
> wrote:
> 
> Hello, did you try this in smb.conf?
> ldap server require strong auth = No
> 
> 
> On 20/03/2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de)
> wrote:
>> Hi,
>> 
>> I am trying to use our Samba 4 AD as the user source, but it looks like I am
>> missing a point or option.
>> 
>> I have added a dedicated user to the AD, edited the config and restarted
>> SOGo.
>> 
>> From the logs so far I guess it's an SSL problem.
>> 
>> Maybe someone already has a working setup and can share hints and docs on how
>> to use it?
>> 
>>  Thanks & Regards . Götz
>> 
>> 
> 
> -- 
> Sauro Cerri
> ISI-IT S.r.l.
> Via Murada, 200
> 23018 Talamona (SO)
> Tel. 0342-670320
> Fax. 0342-671812
> e-mail: sauro.ce...@isi-it.eu
> 
> Important notice: The information contained in this document and its 
> attachments is reserved for the indicated recipient. Anyone reading this 
> notice who is not the actual recipient, an employee, or the person 
> responsible for delivering the communication is hereby notified that any 
> use, copying, distribution or disclosure of its contents is prohibited under 
> art. 616 of the Italian Criminal Code and the provisions of laws 675/96 
> and 196/2003 on the protection of personal data. If you have received this 
> communication in error, please inform us immediately; the contents of this 
> document and its attachments must not be read but destroyed.
> 
> CONFIDENTIALITY NOTICE The contents of this e-mail are confidential to the 
> ordinary user of the e-mail address to which it was addressed, and may also 
> be privileged. If you are not the addressee of this e-mail you may not copy, 
> forward, disclose or otherwise use it or any part of it in any form 
> whatsoever. If you have received this e-mail in error, please e-mail the 
> sender by replying to this message.
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread Goetz Reinicke


> On 20.03.2018 at 16:44, lists (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> We have been doing that for years. Config like this:
> 
>> SOGoUserSources = (
>>{
>>type = ldap;
>>CNFieldName = displayName;
>>IDFieldName = cn;
>>UIDFieldName = uid;
>>bindFields = (sAMAccountName, cn);
>>baseDN = "CN=Users,DC=samba,DC=company,DC=com";
>>canAuthenticate = YES;
>>listRequiresDot = NO;
>>bindDN = "cn=sogo_search,cn=users,dc=samba,dc=company,dc=com";
>>bindPassword = very_secret;
>>displayName = "AD Internal Users";
>>MailFieldNames =(mail, otherMailbox, proxyAddresses);
>>hostname = "ldap://127.0.0.1:389";
>>id = ad-users;
>>isAddressBook = YES;
>>port = 389;
>>scope = "SUB";
>>filter = "((samAccountType=805306368) AND (mail='*') AND (NOT 
>> userAccountControl:1.2.840.113556.1.4.803:=2))";
>>}
>> );
> 
> As you can see, we have sogo talk ldap to 127.0.0.1:389, which is where 
> haproxy is listening. HAProxy is configured to talk to our three AD servers, 
> doing the failover etc.
> 
> Hope this helps?

So haproxy is Talking encrypted to the samba servers? With the option of 
failover this sounds interesting. How hard is the haproxy configuration? 

Regards Götz
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread Sauro Cerri

Hello, did you try this in smb.conf?
ldap server require strong auth = No


On 20/03/2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de)
wrote:

> Hi,
> 
> I am trying to use our Samba 4 AD as the user source, but it looks like I am
> missing a point or option.
> 
> I have added a dedicated user to the AD, edited the config and restarted
> SOGo.
> 
> From the logs so far I guess it's an SSL problem.
> 
> Maybe someone already has a working setup and can share hints and docs on how
> to use it?
> 
> Thanks & Regards . Götz




--

Sauro Cerri
ISI-IT S.r.l.
Via Murada, 200
23018 Talamona (SO)
Tel. 0342-670320
Fax. 0342-671812
e-mail: sauro.ce...@isi-it.eu



Important notice: The information contained in this document and its 
attachments is reserved for the indicated recipient. Anyone reading this 
notice who is not the actual recipient, an employee, or the person 
responsible for delivering the communication is hereby notified that any 
use, copying, distribution or disclosure of its contents is prohibited 
under art. 616 of the Italian Criminal Code and the provisions of laws 
675/96 and 196/2003 on the protection of personal data. If you have 
received this communication in error, please inform us immediately; the 
contents of this document and its attachments must not be read but 
destroyed.


CONFIDENTIALITY NOTICE The contents of this e-mail are confidential to 
the ordinary user of the e-mail address to which it was addressed, and 
may also be privileged. If you are not the addressee of this e-mail you 
may not copy, forward, disclose or otherwise use it or any part of it in 
any form whatsoever. If you have received this e-mail in error, please 
e-mail the sender by replying to this message.



--
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread lists

Hi,

We have been doing that for years. Config like this:


SOGoUserSources = (
  {
    type = ldap;
    CNFieldName = displayName;
    IDFieldName = cn;
    UIDFieldName = uid;
    bindFields = (sAMAccountName, cn);
    baseDN = "CN=Users,DC=samba,DC=company,DC=com";
    canAuthenticate = YES;
    listRequiresDot = NO;
    bindDN = "cn=sogo_search,cn=users,dc=samba,dc=company,dc=com";
    bindPassword = very_secret;
    displayName = "AD Internal Users";
    MailFieldNames = (mail, otherMailbox, proxyAddresses);
    hostname = "ldap://127.0.0.1:389";
    id = ad-users;
    isAddressBook = YES;
    port = 389;
    scope = "SUB";
    filter = "((samAccountType=805306368) AND (mail='*') AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2))";
  }
);


As you can see, we have sogo talk ldap to 127.0.0.1:389, which is where 
haproxy is listening. HAProxy is configured to talk to our three AD 
servers, doing the failover etc.


Hope this helps?

MJ

On 20-3-2018 15:56, Götz Reinicke (goetz.reini...@filmakademie.de) wrote:

> Hi,
> 
> I am trying to use our Samba 4 AD as the user source, but it looks like I am
> missing a point or option.
> 
> I have added a dedicated user to the AD, edited the config and restarted
> SOGo.
> 
> From the logs so far I guess it's an SSL problem.
> 
> Maybe someone already has a working setup and can share hints and docs on how
> to use it?
> 
> Thanks & Regards . Götz



--
users@sogo.nu
https://inverse.ca/sogo/lists
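The filter in MJ's config combines three conditions: an equality on samAccountType (805306368 is a normal user object), a presence test on mail, and a bitwise test on userAccountControl, where the matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND and bit 0x2 is ACCOUNTDISABLE. The Python below is an added example, not part of MJ's post or of SOGo: it evaluates the same three conditions over constructed directory-style entries so the effect of each clause can be seen without a directory, and contrasts the bitwise test with the plain equality `userAccountControl=2` that would let disabled users through. All entries and their values are constructed.

```python
"""Added example: the three conditions of the SOGo filter above, evaluated
locally over constructed AD-style entries (no directory needed)."""

# Well-known Active Directory constants used by the filter
SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000: samAccountType of a user object
SAM_MACHINE_ACCOUNT = 805306369       # 0x30000001: samAccountType of a computer object
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bit tested via rule 1.2.840.113556.1.4.803
UF_NORMAL_ACCOUNT = 0x0200            # 512, set on ordinary user accounts
UF_SERVER_TRUST_ACCOUNT = 0x2000      # 8192, set on domain controller computer accounts
UF_DONT_EXPIRE_PASSWD = 0x10000       # 65536, an unrelated flag to show the bit test ignores it


def is_selectable_user(entry):
    """(samAccountType=805306368) AND (mail='*') AND (NOT userAccountControl bit-AND 2)."""
    if entry.get("samAccountType") != SAM_NORMAL_USER_ACCOUNT:
        return False                       # computers, groups and trusts are not users
    if not entry.get("mail"):
        return False                       # mail='*' is a presence test, not a value match
    uac = entry.get("userAccountControl", 0)
    return not (uac & UF_ACCOUNTDISABLE)   # bitwise AND: any uAC value with bit 2 set is disabled


def is_selectable_user_naive(entry):
    """The same filter with 'userAccountControl=2' as a plain equality, a common
    mistake: it only rejects an account whose entire uAC value is 2, which never
    happens for a real disabled user (512 | 2 = 514), so disabled users pass."""
    if entry.get("samAccountType") != SAM_NORMAL_USER_ACCOUNT or not entry.get("mail"):
        return False
    return entry.get("userAccountControl", 0) != UF_ACCOUNTDISABLE


def select_users(entries, predicate=is_selectable_user):
    """Return the sAMAccountNames the predicate accepts, in directory order."""
    return [e["sAMAccountName"] for e in entries if predicate(e)]


# Constructed sample entries (not real directory data)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "samAccountType": SAM_NORMAL_USER_ACCOUNT,   # enabled, has mail
     "mail": "alice@example.test", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "samAccountType": SAM_NORMAL_USER_ACCOUNT,     # disabled: 512 | 2
     "mail": "bob@example.test", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "samAccountType": SAM_NORMAL_USER_ACCOUNT,   # no mail attribute
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "dave", "samAccountType": SAM_NORMAL_USER_ACCOUNT,    # extra flag, still enabled
     "mail": "dave@example.test", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "DC01$", "samAccountType": SAM_MACHINE_ACCOUNT,       # computer with a mail value
     "mail": "dc01@example.test", "userAccountControl": UF_SERVER_TRUST_ACCOUNT},
]

if __name__ == "__main__":
    print("bitwise filter :", select_users(SAMPLE_ENTRIES))
    print("naive equality :", select_users(SAMPLE_ENTRIES, is_selectable_user_naive))
```

Only alice and dave survive the bitwise version, while the equality version also returns bob, whose account is disabled. This is why the `:1.2.840.113556.1.4.803:=` matching rule, and not `userAccountControl=2`, is the correct way to keep disabled accounts out of a source that has `canAuthenticate = YES`.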


[SOGo] Sogo and samba 4 AD authentification

2018-03-20 Thread goetz.reini...@filmakademie.de
Hi,

I am trying to use our Samba 4 AD as the user source, but it looks like I am
missing a point or option.

I have added a dedicated user to the AD, edited the config and restarted
SOGo.

From the logs so far I guess it's an SSL problem.

Maybe someone already has a working setup and can share hints and docs on how
to use it?

Thanks & Regards . Götz


-- 
users@sogo.nu
https://inverse.ca/sogo/lists