On 25/09/13 05:47, Jean Raby wrote:
On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
If I use the deprecated way of specifying a starttls ldap address things work, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
              IDFieldName = cn; UIDFieldName = uid;
              baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
              bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
              bindFields = (uid); usePasswordAlgorithm = ssha;
              bindPassword = xxxxxx; canAuthenticate = YES;
              displayName = "Shared Addresses";
              hostname = fusion.strategicit.homelinux.net;
              id = shared;
              port = 389;
              encryption = starttls;
              isAddressBook = YES;})'

...but if I do things the new way, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
              IDFieldName = cn; UIDFieldName = uid;
              baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
              bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
              bindFields = (uid); usePasswordAlgorithm = ssha;
              bindPassword = xxxxxx; canAuthenticate = YES;
              displayName = "Shared Addresses";
              hostname = ldap://fusion.strategicit.homelinux.net/????!StartTLS;
              id = shared;
              isAddressBook = YES;})'

I just tested again here and both work:

sogo.log
Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/????!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'

slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:

Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net????!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> <NSException: 0x7ffc74af69e0> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM

The only strange things I'm doing are setting options requiring certs in
OpenLDAP, i.e.:

olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256

...although I'm not sure if that could be making a difference.

You realize that 'olcTLSVerifyClient: demand' means that the LDAP server will validate the CLIENT certificate on TLS connection, right? SOGo doesn't send any certificate, so there's no way it will work.

Can you post slapd logs of both connection types? (use the 'stats' loglevel)
It has been working for me for a while now... I have no idea why it wasn't... even though I'm demanding the use of certificates. I'm having issues with the integrator, but that's another story. I might post another email if I still can't understand what's going on after looking into it some more.

--
Mark Pavlichuk
Strategic IT
ph. (07)47242890
m. 0409 124577

--
users@sogo.nu
https://inverse.ca/sogo/lists
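Jean's suggestion to compare slapd 'stats' logs for both connection types is easy to automate. The script below is an added example, not code from the thread or from SOGo/OpenLDAP: it walks a constructed slapd stats log (modelled on the excerpt above, with an invented second connection that binds in the clear), records the TLS strength in force when each BIND arrived, and checks it against the ssf an 'olcSecurity: ssf=N' line would demand, which is the comparison behind the "Confidentiality required (0xD)" error Mark saw.

```python
import re
from collections import defaultdict

# Constructed slapd 'stats' log, modelled on the excerpt in the thread: conn=1938
# negotiates StartTLS before binding; conn=1940 (invented) binds in the clear.
SAMPLE_LOG = """\
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:40 sogo slapd[1169]: conn=1940 fd=17 ACCEPT from IP=192.168.1.5:40112 (IP=0.0.0.0:389)
Sep 19 16:23:40 sogo slapd[1169]: conn=1940 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:40 sogo slapd[1169]: conn=1940 op=0 RESULT tag=97 err=13 text=confidentiality required
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=\d+ ssf=(?P<ssf>\d+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def audit_binds(log_text, required_ssf):
    """One record per BIND: connection, DN, TLS strength in force when the bind
    arrived, the server's result code, and whether that strength satisfies
    'olcSecurity: ssf=<required_ssf>' (slapd answers err=13 when it does not)."""
    tls_ssf = defaultdict(int)  # conn -> ssf after 'TLS established'; 0 = cleartext
    pending = {}                # (conn, op) -> index into findings, until RESULT seen
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if (t := TLS_RE.search(rest)):
            tls_ssf[conn] = int(t.group("ssf"))
        elif (b := BIND_RE.search(rest)):
            pending[(conn, b.group("op"))] = len(findings)
            findings.append({"conn": conn, "dn": b.group("dn"), "ssf": tls_ssf[conn],
                             "err": None, "meets_policy": tls_ssf[conn] >= required_ssf})
        elif (r := RESULT_RE.search(rest)) and (conn, r.group("op")) in pending:
            findings[pending.pop((conn, r.group("op")))]["err"] = int(r.group("err"))
    return findings


if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG, 256):   # the thread's 'olcSecurity: ssf=256'
        print(f)
```

Run against a real log with the ssf value from your olcSecurity line; a bind whose TLS session negotiated ssf=128 (as in Jean's test) fails the check under ssf=256 even though StartTLS itself succeeded.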
