Thanks to your helpful suggestion, by finally using the logs on the domain controller I was able to fix LDAP authentication over the insecure port 389. According to the second paragraph of the official SOGo documentation ( https://www.sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap ), it is workable to use insecure LDAP connection settings with port 389, and my current LDAP connection settings, which allow me to authenticate, look like this:
 
SOGoUserSources = (
    {
        type = ldap;
        CNFieldName = cn;
        IDFieldName = cn;
        UIDFieldName = sAMAccountName;
        baseDN = "cn=Users,dc=home,dc=arpa";
        bindDN = "cn=user1,cn=Users,dc=home,dc=arpa";
        bindFields = (sAMAccountName);
        bindPassword = "Password";
        canAuthenticate = YES;
        displayName = "Active Directory";
        hostname = "ldap://home.arpa:389";
        id = directory;
        isAddressBook = YES;
    }
);
 
But I'm not able to make it work securely, and even if I try to connect with the secure method using the ldapsearch Linux utility with the command:
 
ldapsearch -H ldaps://home.arpa -D "us...@home.arpa" -w "Password" -b "DC=home,DC=arpa" -d1
 
I keep getting these errors:

"TLS: can't connect: Error in the pull function..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
 
Although if I run the same command without the "S" ( ldapsearch -H ldap://home.arpa -D "us...@home.arpa" -w "Password" -b "DC=home,DC=arpa" -d1 ), everything works fine.
 
But port 636 is open (checked with telnet).
 
It seems that secure authentication requires some additional configuration, maybe on the client side too.
 
Any insights or suggestions would be greatly appreciated! Thank you very much for your precious time and help.
 
09.05.2024, 14:47, "Marco Moock (m...@dorfdsl.de)" <users@sogo.nu>:

On 08.05.2024 at 20:56:01, Christian Naumer wrote:
 

 Normally in AD you have to use ldaps, startTLS or Kerberos for Auth
 to the LDAP. In your config I don't see any of that.


I would assume an appropriate error message then that tells about this
- on the LDAP server and on the LDAP client.
 

--
Regards
Marco


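The symptom in the thread (telnet reaches port 636, ldap:// works, ldaps:// fails with "Error in the pull function") is ambiguous between three different failures: nothing wrong with the port, the TLS handshake itself breaking, or the handshake completing but the client refusing the server certificate. The probe below separates those stages with only the Python standard library. It is an added example written for this thread, not SOGo code and not something the poster ran; the host name home.arpa and port 636 are taken from the post, while the CA file path, the stage labels and the helper names are assumptions of this example.

```python
# Staged LDAPS probe: tells "port 636 is open" apart from "TLS handshake
# completes" and from "server certificate is trusted by this client".
# Added example for this thread; not SOGo code and not part of the original
# post. Host and port come from the post; the CA file path and all names
# below are assumptions of this example.
import hashlib
import socket
import ssl


def classify(exc):
    """Map an exception raised by a probe stage to a short diagnosis label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"        # handshake fine, client does not trust the issuer
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # e.g. peer closed mid-handshake, protocol mismatch
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused"           # nothing listening on the port
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"               # filtered, or host unreachable
    if isinstance(exc, (ConnectionResetError, EOFError)):
        return "tcp-reset"             # peer dropped the connection
    if isinstance(exc, OSError):
        return "tcp-error"
    return "unknown"


def tcp_connect(host, port, timeout=5.0):
    """Stage 1: plain TCP connect, the same check telnet performs."""
    return socket.create_connection((host, port), timeout=timeout)


def tls_connect(host, port, cafile=None, timeout=5.0):
    """Stage 2 (cafile=None): handshake with verification disabled so the server
    certificate can be inspected even if it is not trusted.
    Stage 3 (cafile set): handshake with full chain and hostname verification."""
    if cafile is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(tcp_connect(host, port, timeout), server_hostname=host)


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Run the stages in order and stop at the first one that fails."""
    result = {"host": host, "port": port, "tcp": None, "tls": None,
              "tls_version": None, "cert_sha256": None, "verified": None,
              "error": None}
    try:
        tcp_connect(host, port, timeout).close()
        result["tcp"] = "ok"
    except OSError as exc:
        result["tcp"], result["error"] = classify(exc), str(exc)
        return result
    try:
        with tls_connect(host, port, None, timeout) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            result["tls"] = "ok"
            result["tls_version"] = tls.version()
            # Fingerprint lets you compare against the cert the DC thinks it serves.
            result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    except (OSError, EOFError) as exc:  # ssl.SSLError is a subclass of OSError
        result["tls"], result["error"] = classify(exc), str(exc)
        return result
    if cafile is not None:
        try:
            with tls_connect(host, port, cafile, timeout) as tls:
                result["verified"] = "ok"
                result["cert_subject"] = tls.getpeercert().get("subject")
        except (OSError, EOFError) as exc:
            result["verified"], result["error"] = classify(exc), str(exc)
    return result


def free_local_port():
    """Pick a loopback port nothing listens on, for an offline demonstration."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed offline case: a closed loopback port stops at stage 1 ("tcp-refused").
    print(probe_ldaps("127.0.0.1", free_local_port(), timeout=2.0))
    # Against the domain controller from the post (CA file path is an assumption):
    # print(probe_ldaps("home.arpa", 636, cafile="/etc/ssl/certs/home-arpa-ca.pem"))
```

Reading the result: "tcp" ok but "tls" failing with tls-handshake-failed matches the GnuTLS "pull function" message and points at the server side (the DC closing during the handshake); "tls" ok but "verified" reporting cert-untrusted means the client simply lacks the issuing CA, which for OpenLDAP tools is supplied through TLS_CACERT in ldap.conf or the LDAPTLS_CACERT environment variable when running ldapsearch.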