On 25/09/13 05:47, Jean Raby wrote:
On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
If I use the deprecated way of specifying a starttls ldap address
things work, i.e.:
sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
IDFieldName = cn; UIDFieldName = uid;
baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
bindFields = (uid); usePasswordAlgorithm = ssha;
bindPassword = xxxxxx; canAuthenticate = YES;
displayName = "Shared Addresses"; hostname = fusion.strategicit.homelinux.net;
id = shared; port = 389; encryption = starttls;
isAddressBook = YES;})'
...but if I do things the new way, i.e.:
sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
IDFieldName = cn; UIDFieldName = uid;
baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
bindFields = (uid); usePasswordAlgorithm = ssha;
bindPassword = xxxxxx; canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://fusion.strategicit.homelinux.net/????!StartTLS; id = shared;
isAddressBook = YES;})'
I just tested again here and both work:
sogo.log:
Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/????!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'
slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:
Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net????!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> <NSException: 0x7ffc74af69e0> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM
The only strange things I'm doing are setting options requiring certs in
OpenLDAP, i.e.:
olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256
...although I'm not sure if that could be making a difference.
You realize that 'olcTLSVerifyClient: demand' means that the LDAP
server will validate the CLIENT certificate on TLS connection, right?
SOGo doesn't send any certificate, so there's no way it will work.
Can you post slapd logs of both connection types? (use the 'stats'
loglevel)
It has been working for me for a while now... I have no idea why it
wasn't... even though I'm demanding the use of certificates. I'm
having issues with the integrator, but that's another story. I might
post another email if I still can't understand what's going on after
looking into it some more.
--
Mark Pavlichuk
Strategic IT
ph. (07)47242890
m. 0409 124577
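An added defender-side check, not code from the thread or from SOGo: given slapd 'stats' log lines like the ones Jean posted, it tracks per connection whether a TLS layer was established before a simple BIND and compares the negotiated ssf with a required minimum, the way an olcSecurity ssf= setting would. The conn=1938 session in SAMPLE_LOG is copied from the thread; the conn=2001 session is constructed to show a cleartext bind answered with err=13, LDAP's confidentialityRequired result (the 0xD in Mark's sogo.log).

```python
import re

# Sample slapd 'stats' lines. conn=1938 is the StartTLS session from the
# thread; conn=2001 is constructed: a simple bind with no TLS layer that a
# confidentiality-requiring server refuses with err=13.
SAMPLE_LOG = """\
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 fd=17 ACCEPT from IP=192.0.2.10:41000 (IP=0.0.0.0:389)
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 25 03:21:30 sogo slapd[1169]: conn=2001 op=0 RESULT tag=97 err=13 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=SIMPLE')   # the SASL-level BIND line
RESULT_RE = re.compile(r"RESULT tag=97 err=(\d+)")       # tag 97 = BindResponse

def audit_binds(log_text, required_ssf):
    """One finding per simple BIND: the ssf in force when it was sent,
    whether that meets required_ssf, and the server's result code."""
    ssf = {}       # conn id -> ssf negotiated by TLS on that connection
    pending = {}   # conn id -> (dn, ssf) of a BIND waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        if (t := TLS_RE.search(rest)):
            ssf[conn] = int(t.group(2))
        elif (b := BIND_RE.search(rest)):
            pending[conn] = (b.group(1), ssf.get(conn, 0))   # 0 = cleartext
        elif (r := RESULT_RE.search(rest)) and conn in pending:
            dn, s = pending.pop(conn)
            findings.append({"conn": conn, "dn": dn, "ssf": s,
                             "meets_policy": s >= required_ssf,
                             "err": int(r.group(1))})
    return findings
```

Running it with required_ssf=256 shows that even the successful session from the thread (tls_ssf=128) would fall short of an olcSecurity ssf=256 requirement.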