Dear SOGo community,

I've installed SOGo 5.3.0 (@shiva2.inverse 202112070624) with iRedmail-OpenLDAP, and I'm trying to get LDAP groups working (we already use SOGo in combination with Active Directory and groups work perfectly) - however, we are moving our mail + SOGo away from AD.

So far, groups show up in SOGo for e.g. a resource to be shared with. There is no error message in sogo.log. However, group members are not subscribed, nor do they see the shared resource when searching for resources of the sharer.

I suspect it is a mapping issue between how iRedmail identifies "users"/mailboxes (mail=....), and how SOGo can identify them by the memberuid/member attribute (uid=...., or cn=.... instead of mail=... ?).

So something is missing here. Ideally, I can manage group ACLs without touching the attributes of the iRedmail mailboxes/users, so in case of updates/LDAP changes, the group memberships stay active. E.g. by using posixGroup or groupOfNames objectClasses.

A) This is the SOGoUserSources to get the groups:

{
  // Used for groups
  type = ldap;
  id = groups;
  canAuthenticate = YES;
  isAddressBook = NO;
  displayName = "LDAP Authentication";

  hostname = "ldap://127.0.0.1:389";
  baseDN = "ou=Groups,domainName=%d,o=domains,dc=MYDOMAIN,dc=net";
  bindDN = "cn=vmail,dc=MYDOMAIN,dc=net";
  bindPassword = "XXXX";
  filter = "objectClass=posixGroup OR objectClass=groupOfNames";
  #scope = SUB;

  // always keep binding to the LDAP server using the DN of the
  // currently authenticated user. bindDN and bindPassword are still
  // required to find DN of the user.
  // Note: with default LDAP acl configured by iRedMail, user doesn't
  // have privilege to query o=domains,dc=MYDOMAIN,dc=net.
  // so this doesn't work.
  bindAsCurrentUser = YES;
  mapping = {
    uid = ("mail");
  };

  // The algorithm used for password encryption when changing
  // passwords without Password Policies enabled.
  // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
  userPasswordAlgorithm = ssha512;
  #GroupObjectClasses = (posixGroup);

  CNFieldName = cn;
  IDFieldName = cn;
  // value of UIDFieldName must be unique on entire server
  UIDFieldName = cn;
}


B) these are 2 example LDAP groups which show up in SOGo as groups, but resources are not shared with the members of those groups:


# Entry 1 (posixGroup)
dn: cn=posix6,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
cn: posix6
gidnumber: 500
mail: posix6
memberuid: it6
memberuid: mail=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
memberuid: cn=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
objectclass: posixGroup
objectclass: top


# Entry 2 (groupOfNames)
dn: cn=grpnames2@localhost,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
cn: grpnames2@localhost
member: cn=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
member: cn=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
objectclass: groupOfNames
objectclass: top


C) this is how a mailbox/user is identified in iRedmail:

# Entry 1: mail=i...@mydomain.net,ou=Users,domainName=MYDOMAIN
dn: mail=i...@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
accountstatus: active
amavislocal: TRUE
cn: IT6
enabledservice: sogo
enabledservice: imap
enabledservice: sievetls
enabledservice: sievesecured
enabledservice: lmtp
enabledservice: dsync
enabledservice: shadowaddress
enabledservice: indexer-worker
enabledservice: sieve
enabledservice: imaptls
enabledservice: senderbcc
enabledservice: managesievesecured
enabledservice: deliver
enabledservice: recipientbcc
enabledservice: mail
enabledservice: smtpsecured
enabledservice: lib-storage
enabledservice: sogoactivesync
enabledservice: smtp
enabledservice: sogowebmail
enabledservice: smtptls
enabledservice: lda
enabledservice: displayedInGlobalAddressBook
enabledservice: imapsecured
enabledservice: doveadm
enabledservice: forward
enabledservice: quota-status
enabledservice: sogocalendar
enabledservice: managesievetls
enabledservice: internal
enabledservice: managesieve
homedirectory: /var/vmail/vmail1/MYDOMAIN.net/i/t/6/it6-2021.12.08.15.26.38/
mail: i...@mydomain.net
mailboxfolder: Maildir
mailboxformat: maildir
mailquota: 5368709120
objectclass: inetOrgPerson
objectclass: mailUser
objectclass: shadowAccount
objectclass: amavisAccount
preferredlanguage: en_US
shadowlastchange: 18969
sn: it6
uid: it6
userpassword: {SSHA512}XXXXX


D) and this is what an AD group looks like, and it works:

cn: Group-AD-example
distinguishedname=CN=Group-AD-example,CN-Users,DC=ad,DC=MYDOMAIN,Dc=net
groupType=ACCOUNT_GROUP|security
mail=Group-AD-example@MYDOMAIN...
member=CN=NAME-OF-USER2,CN=NAME-of-USER2,....
name=Group-AD-example
objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=ad,....
objectClass=top;group
sAMAccountName=Group-AD-example
sAMAccountType= GROUP_OBJECT

--
users@sogo.nu
https://inverse.ca/sogo/lists
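As an added diagnostic (not from the post and not SOGo's or iRedMail's own code), the script below applies the standard LDAP membership rules to constructed copies of the entries above and reports which member references can resolve to the iRedMail user entry. It assumes the SOGo users source uses UIDFieldName = mail (as iRedMail configures it) and compares that with uid; the abbreviated address from the post is replaced by the placeholder user6@mydomain.net.

```python
import re

# Constructed LDIF modelled on the entries in the post; the abbreviated address
# "i...@mydomain.net" is replaced by the placeholder user6@mydomain.net.
USERS_LDIF = """\
dn: mail=user6@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
cn: IT6
mail: user6@mydomain.net
uid: it6
"""
GROUPS_LDIF = """\
dn: cn=posix6,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
cn: posix6
memberuid: it6
memberuid: mail=user6@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net

dn: cn=grpnames2@localhost,ou=Groups,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
cn: grpnames2@localhost
member: cn=user6@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
member: mail=user6@mydomain.net,ou=Users,domainName=MYDOMAIN.net,o=domains,dc=MYDOMAIN,dc=net
"""

def parse_ldif(text):
    """Minimal LDIF parser (no folding, no base64); attribute names are lower-cased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def resolve_members(users, groups, uid_field):
    """Return {group cn: {member reference: matching user DN or None}}.
    Standard LDAP semantics: memberUid (posixGroup) must equal the users source's
    UIDFieldName value (uid_field); member (groupOfNames) must be the user's full DN."""
    by_uid = {u[uid_field][0].lower(): u["dn"][0] for u in users if uid_field in u}
    by_dn = {u["dn"][0].lower(): u["dn"][0] for u in users}
    report = {}
    for g in groups:
        refs = {r: by_uid.get(r.lower()) for r in g.get("memberuid", [])}
        refs.update({r: by_dn.get(r.lower()) for r in g.get("member", [])})
        report[g["cn"][0]] = refs
    return report

def unresolved(users, groups, uid_field):
    """Flat list of (group, reference) pairs that no user entry satisfies."""
    return [(cn, ref) for cn, refs in resolve_members(users, groups, uid_field).items()
            for ref, dn in refs.items() if dn is None]
```

With UIDFieldName = mail the bare "it6" and every cn=... reference stay unresolved, and only the member value carrying the real mail=... DN matches the user entry.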