Hello,

I am trying to make SOGo work with LDAP group-authentication in a way
that allows only members of a certain group to log on to the web interface.

As a basis I have taken the example on page 19 of the "SOGo Installation
Guide.pdf" and adapted it to my needs.

I have the following Member-Group:

# member, groups, example.com
dn: cn=member,ou=groups,dc=example,dc=com
businessCategory: All Members
cn: member
description: Here all all members
objectClass: extensibleObject
objectClass: groupOfUniqueNames
objectClass: top
owner: cn=admin,dc=example,dc=com
mail: [email protected]
uniqueMember: uid=myself,ou=users,dc=example,dc=com
uniqueMember: uid=her,ou=users,dc=example,dc=com

and this SOGo config:

sogod SOGoUserSources '(
    {
        CNFieldName = cn;
        IDFieldName = cn;
        UIDFieldName = cn;
        baseDN = "ou=groups,dc=example,dc=com";
        bindDN = "cn=sogo,dc=example,dc=com";
        bindPassword = 12345;
        canAuthenticate = YES;
        displayName = "Member Group";
        hostname = localhost;
        id = member_groups;
        isAddressBook = YES;
        port = 389;
    }
)'

With this setup I try to log into the web interface and get rejected.

Here is the result of the ldap-log:
--- BEGIN ---
Dec 19 00:07:31 tribute slapd[26025]: conn=1816 op=0 BIND dn="cn=mhoram,ou=groups,dc=tribute,dc=mooo,dc=com" method=128
Dec 19 00:07:31 tribute slapd[26025]: conn=1816 op=0 RESULT tag=97 err=49 text=
Dec 19 00:07:31 tribute slapd[26025]: conn=1816 fd=17 ACCEPT from IP=127.0.0.1:49925 (IP=0.0.0.0:389)
Dec 19 00:07:31 tribute slapd[26025]: conn=1816 op=1 UNBIND
Dec 19 00:07:31 tribute slapd[26025]: conn=1816 fd=17 closed
--- END ---

And the sogo-log:
--- BEGIN ---
Dec 19 00:07:31 sogod [30209]: SOGoRootPage Login for user 'myself' might not have worked - password policy: 65535  grace: -1  expire: -1 bound: 0
84.153.61.101 - - [19/Dec/2012:00:07:31 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/61 0.016 - - 0
--- END ---

When I change in this setup
   baseDN = "ou=groups,dc=example,dc=com";
to
   baseDN = "ou=users,dc=example,dc=com";
then all users within "ou=users,dc=example,dc=com" are able to log in.

It seems like SOGo does not use the Group-functionality of
"cn=member,ou=groups,dc=example,dc=com", but I can't find any way to
achieve this.

I could use some help with this configuration. Any ideas?

Regards
Markus

-- 
[email protected]
https://inverse.ca/sogo/lists
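Added illustration, not part of the original mail or of SOGo's code: it models what the slapd log above shows (a bind DN of the form `<UIDFieldName>=<login>,<baseDN>`, which lands in `ou=groups` where no user entry exists and so fails with err=49) and contrasts it with what a group-restricted login actually needs, a membership test against the `uniqueMember` values of the posted groupOfUniqueNames entry. The LDIF is a copy of the entry in the mail; the helper names and the two source dictionaries are assumptions made for the example.

```python
# Added example: models the bind DN derived from a SOGoUserSources entry
# and a uniqueMember membership check. Helper names are ours, not SOGo's.

# Copy of the group entry posted above (constructed from the mail's LDIF).
GROUP_LDIF = """\
dn: cn=member,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: member
uniqueMember: uid=myself,ou=users,dc=example,dc=com
uniqueMember: uid=her,ou=users,dc=example,dc=com
"""

# The two user-source variants from the mail (only the fields used here).
GROUPS_SOURCE = {"UIDFieldName": "cn", "baseDN": "ou=groups,dc=example,dc=com"}
USERS_SOURCE = {"UIDFieldName": "uid", "baseDN": "ou=users,dc=example,dc=com"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (minimal: no line
    folding, no base64 values; enough for the posted group entry)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry


def bind_dn_for(login, source):
    """DN in the shape the slapd log shows: <UIDFieldName>=<login>,<baseDN>.
    With GROUPS_SOURCE this is a DN under ou=groups, where no user lives."""
    return f"{source['UIDFieldName']}={login},{source['baseDN']}"


def is_unique_member(user_dn, group_entry):
    """Group-based access decision: is the user's DN listed as uniqueMember?
    DNs are compared case-insensitively, which is how LDAP treats them."""
    members = {m.lower() for m in group_entry.get("uniquemember", [])}
    return user_dn.lower() in members


def check_login(login, group_ldif=GROUP_LDIF):
    """Return (DN the user must bind as, whether the member group admits them).
    The bind must happen against the user entry; the group only gates access."""
    user_dn = bind_dn_for(login, USERS_SOURCE)
    group = parse_ldif_entry(group_ldif)
    return user_dn, is_unique_member(user_dn, group)
```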