Re: [SOGo] deprecated LDAP options working, new ones not

2013-10-16 Thread Mark Pavlichuk

On 25/09/13 05:47, Jean Raby wrote:

On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
If I use the deprecated way of specifying a starttls ldap address things work, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = fusion.strategicit.homelinux.net; id = shared;
  port = 389;
  encryption = starttls;
  isAddressBook = YES;})'

...but if I do things the new way, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = ldap://fusion.strategicit.homelinux.net/!StartTLS; id = shared;
  isAddressBook = YES;})'

I just tested again here and both work:

sogo.log
Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'

slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:

Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM

The only strange things I'm doing are setting options requiring certs in OpenLDAP, i.e.:

olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256

...although I'm not sure if that could be making a difference.

You realize that 'olcTLSVerifyClient: demand

Re: [SOGo] deprecated LDAP options working, new ones not

2013-09-24 Thread Jean Raby

On 13-09-24 1:57 PM, Mark Pavlichuk wrote:

If I use the deprecated way of specifying a starttls ldap address things work, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = fusion.strategicit.homelinux.net; id = shared;
  port = 389;
  encryption = starttls;
  isAddressBook = YES;})'

...but if I do things the new way, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = ldap://fusion.strategicit.homelinux.net/!StartTLS; id = shared;
  isAddressBook = YES;})'

I just tested again here and both work:

sogo.log
Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'

slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:

Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM

The only strange things I'm doing are setting options requiring certs in OpenLDAP, i.e.:

olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256

...although I'm not sure if that could be making a difference.

You realize that 'olcTLSVerifyClient: demand' means that the LDAP server will validate the CLIENT certificate on TL
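The two logs in this thread can be read against each other: Jean's working slapd trace records the session at tls_ssf=128, while the failing server enforces olcSecurity: ssf=256, and slapd refuses an operation on a session weaker than that policy with "Confidentiality required" (LDAP result 13, the 0xD in the SOGo log). The Python below is an editor's added example, not code from the thread or from SOGo: it replays slapd log lines, tracks the TLS strength per connection, and flags binds whose session does not meet a given ssf threshold; the sample log is constructed from the quoted conn=1938 lines plus a made-up second connection that binds without STARTTLS.

```python
import re
from dataclasses import dataclass

# Constructed sample: conn=1938 mirrors the slapd lines quoted in the thread
# (STARTTLS, 128-bit session, simple bind); conn=1939 is made up and never runs STARTTLS.
SAMPLE_LOG = """\
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:40 sogo slapd[1169]: conn=1939 fd=17 ACCEPT from IP=127.0.0.1:33870 (IP=0.0.0.0:3389)
Sep 19 16:23:40 sogo slapd[1169]: conn=1939 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
"""

TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=\d+ ssf=(\d+)")
# Match only the "method=" BIND line: slapd logs a second line for the same op
# (mech=SIMPLE ssf=0, the bind mechanism's own strength), which must not count twice.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')


@dataclass
class BindCheck:
    conn: int
    op: int
    dn: str
    ssf: int         # session strength slapd had recorded before this bind
    required: int    # the olcSecurity ssf=N threshold being checked
    satisfied: bool  # False is the case slapd answers with "confidentiality required"


def check_bind_strength(log_text: str, required_ssf: int) -> list[BindCheck]:
    """Replay slapd log lines and report, per BIND, whether the session strength at
    that moment meets an 'olcSecurity: ssf=<required_ssf>' policy. A 128-bit TLS
    session cannot satisfy ssf=256; a connection that never ran STARTTLS has ssf 0."""
    session_ssf: dict[int, int] = {}  # conn id -> ssf; missing means plaintext (0)
    checks: list[BindCheck] = []
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            session_ssf[int(m.group(1))] = int(m.group(2))
        elif m := BIND_RE.search(line):
            conn, op, dn = int(m.group(1)), int(m.group(2)), m.group(3)
            ssf = session_ssf.get(conn, 0)
            checks.append(BindCheck(conn, op, dn, ssf, required_ssf, ssf >= required_ssf))
    return checks


if __name__ == "__main__":
    for c in check_bind_strength(SAMPLE_LOG, 256):
        verdict = "OK" if c.satisfied else "confidentiality required"
        print(f"conn={c.conn} op={c.op} dn={c.dn} ssf={c.ssf}/{c.required} -> {verdict}")
```

Run against a real slapd log at loglevel stats, the same replay shows whether a failing bind had any TLS session at all or merely one negotiated below the configured strength.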

[SOGo] deprecated LDAP options working, new ones not

2013-09-24 Thread Mark Pavlichuk
If I use the deprecated way of specifying a starttls ldap address things work, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = fusion.strategicit.homelinux.net; id = shared;
  port = 389;
  encryption = starttls;
  isAddressBook = YES;})'

...but if I do things the new way, i.e.:

sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn;
  IDFieldName = cn; UIDFieldName = uid;
  baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net";
  bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net";
  bindFields = (uid); usePasswordAlgorithm = ssha;
  bindPassword = xx; canAuthenticate = YES; displayName =
  "Shared Addresses"; hostname = ldap://fusion.strategicit.homelinux.net/!StartTLS; id = shared;
  isAddressBook = YES;})'

...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log:

Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM

The only strange things I'm doing are setting options requiring certs in OpenLDAP, i.e.:

olcTLSVerifyClient: demand
olcLocalSSF: 256
olcTLSCipherSuite: SECURE256
olcSecurity: ssf=256

...although I'm not sure if that could be making a difference.

--
Mark Pavlichuk
Strategic IT
ph. (07)47242890
m. 0409 124577

--
users@sogo.nu
https://inverse.ca/sogo/lists