Oh, I think I wasn't clear, sorry... :(
The imap/smtp connection is not the problem.

External users through EAS cannot authenticate to SOGo with their email address, only with their uid (cn, exactly). When the user fills in the first page on his mobile device (email and password) and pushes Next, autodiscover tries to find his email provider with various methods. One of them is the SRV DNS record, which points to my server.
When autodiscover finds it, it sends a POST request to it with this data:

   <?xml version="1.0" encoding="utf-8"?>
   <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006">
      <Request>
        <EMailAddress>[email protected]</EMailAddress>
        <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006</AcceptableResponseSchema>
      </Request>
   </Autodiscover>

My PHP script approves it and sends back a response to the device (something like this):

   <?xml version="1.0"?>
   <Autodiscover xmlns='http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006'
                 xmlns:xsd='http://www.w3.org/2001/XMLSchema'
                 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
      <Response xmlns='http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006'>
        <Culture>en:us</Culture>
        <User>
          <DisplayName>User's full name</DisplayName>
          <EMailAddress>[email protected]</EMailAddress>
        </User>
        <Action>
          <Settings>
            <Server>
              <Type>MobileSync</Type>
              <Url>https://myserver.mydomain.tld/Microsoft-Server-ActiveSync</Url>
              <Name>https://myserver.mydomain.tld/Microsoft-Server-ActiveSync</Name>
            </Server>
          </Settings>
        </Action>
      </Response>
   </Autodiscover>

After that, the device tries to authenticate to my server through the EAS protocol (Apache log):

   mysqerver.mydomain.tld:443 so.m.e.ip - - [17/Dec/2015:17:12:28 +0100] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 401 4639 "-" "MobilDeviceID"

And the SOGo log:

   Dec 17 17:12:28 sogod [22918]: <0x0x7f951d50c068[SOGoCache]> Cache cleanup interval set every 300.000000 seconds
   Dec 17 17:12:28 sogod [22918]: <0x0x7f951d50c068[SOGoCache]> Using host(s) 'localhost' as server(s)
   Dec 17 17:12:28 sogod [22918]: <0x0x7f951d4ae448[LDAPSource]> <NSException: 0x7f951d824af8> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "[email protected],ou=domain.tld,ou=parent,dc=some,dc=where"; }
   Dec 17 17:12:28 sogod [22918]: <0x0x7f951d4fdc48[SOGoDAVAuthenticator]> tried wrong password for user '[email protected]'!
   Dec 17 17:12:28 sogod [22918]: so.m.e.ip "OPTIONS /SOGo/Microsoft-Server-ActiveSync HTTP/1.1" 401 12/0 0.005 - - 836K

So, the problem is: how can I tell SOGo that it needs to authenticate by email too, not just uid (red part) - the SOGoUserSource is matched on it, but the cn is wrong.

Thanks,
Peti

On 2015-12-18 09:43, "Daniel Müller" wrote:
What about something like this:

   base = cn=Users,dc=your,dc=dom
   scope = subtree
   user_filter = (mail=%u)
   pass_filter = (mail=%u)
   pass_attrs = mail=%u,userPassword=password

This way I auth my users with dovecot in a samba4 domain using the "mail".
You need SOGo to find the user in "mail".

   SOGoUserSources = (
     {
       type = ldap;
       CNFieldName = cn;
       UIDFieldName = sAMAccountName;
       IMAPLoginFieldName = mail;
       baseDN = "CN=users,dc=your,dc=domain";
       bindDN = "CN=sogo MS,CN=users,DC=your,DC=domain";
       bindFields = (sAMAccountName, mail);
       bindPassword = password;
       canAuthenticate = YES;
       displayName = "Public";
       hostname = ldap://your.own.server:389;
       filter = "mail = '*'";
       id = directory;
       isAddressBook = YES;
     }
   );

*Sent:* Thursday, 17 December 2015 at 17:23
*From:* "Szládovics Péter" <[email protected]>
*To:* "SOGo lista" <[email protected]>
*Subject:* [SOGo] Login EAS with email address
Hi Guys,

I have a multidomain-supported environment based on SambaAD. It's working
fine.
I created a PHP script for handling EAS autodiscover. The test is OK on
the MS test page (the domain zones have correct SRV records).
But the phone cannot be configured automatically, because the phone tries
the first login with the email address.
I configured the bindFields in all SOGo user sources to handle the mail
property, not just the cn.
The cn is already usable for login, but the mail address is not.
This is the log:
   Dec 17 17:13:42 sogod [22918]: <0x0x7f951d4ae448[LDAPSource]> <NSException: 0x7f951de30108> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{"error_code" = 49; login = "cn=user@domain,ou=oneofous,ou=mailou,dc=some,dc=where"; }

The dn is invalid, because the cn != the mail...

How can I configure this feature correctly?

Thanks,
Peti
--
[email protected]
https://inverse.ca/sogo/lists
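
The failure in the logs above, modelled as an added example (not part of the thread and not SOGo's own code): a bind DN templated from the typed login fails once the login is an email address, while a lookup over the bind fields followed by a bind on the DN that was found succeeds. The directory entries, names and passwords are constructed sample data, and all function names are hypothetical.

```python
import hmac

BASE_DN = "ou=mailou,dc=some,dc=where"
# Constructed sample entries standing in for the directory (not real accounts).
DIRECTORY = {
    "cn=peti,ou=oneofous,ou=mailou,dc=some,dc=where":
        {"cn": "peti", "mail": "peti@domain.tld", "userPassword": "s3cret"},
    "cn=anna,ou=oneofous,ou=mailou,dc=some,dc=where":
        {"cn": "anna", "mail": "anna@domain.tld", "userPassword": "hunter2"},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login such as '*' cannot widen the search."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(login, bind_fields):
    """Filter a real LDAP search would send, e.g. (|(cn=x)(mail=x))."""
    value = escape_filter_value(login)
    return "(|" + "".join(f"({f}={value})" for f in bind_fields) + ")"

def simple_bind(dn, password):
    """Succeeds only if the DN exists and the password matches."""
    if not password:            # an empty password is an unauthenticated bind
        return False
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())

def template_bind(login, password, ou="oneofous"):
    """Bind DN built directly from the typed login, as seen in the log."""
    dn = f"cn={login},ou={ou},{BASE_DN}"
    return dn, simple_bind(dn, password)

def search_then_bind(login, password, bind_fields=("cn", "mail")):
    """Find the entry by any bind field, then bind as the DN that was found."""
    wanted = login.lower()
    hits = [dn for dn, entry in DIRECTORY.items()
            if any(entry.get(f, "").lower() == wanted for f in bind_fields)]
    if len(hits) != 1:          # no match or ambiguous match: refuse
        return None, False
    return hits[0], simple_bind(hits[0], password)
```

The in-memory match stands in for the directory search; against a real server the string from `build_filter` is what would be sent, which is why the login is escaped before it goes into the filter.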
