Re: [SOGo] deprecated LDAP options working, new ones not
On 25/09/13 05:47, Jean Raby wrote:
> On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
>> If I use the deprecated way of specifying a starttls ldap address things work, i.e.:
>>
>> sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn; IDFieldName = cn; UIDFieldName = uid; baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net"; bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net"; bindFields = (uid); usePasswordAlgorithm = ssha; bindPassword = xx; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = fusion.strategicit.homelinux.net; id = shared; port = 389; encryption = starttls; isAddressBook = YES;})'
>>
>> ...but if I do things the new way ... i.e.:
>>
>> sudo -u sogo defaults write sogod SOGoUserSources '({CNFieldName = cn; IDFieldName = cn; UIDFieldName = uid; baseDN="ou=people,dc=strategicit,dc=homelinux,dc=net"; bindDN="cn=admin,dc=strategicit,dc=homelinux,dc=net"; bindFields = (uid); usePasswordAlgorithm = ssha; bindPassword = xx; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = ldap://fusion.strategicit.homelinux.net/!StartTLS; id = shared; isAddressBook = YES;})'
>
> I just tested again here and both work:
>
> sogo.log
> Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/!StartTLS
> 2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'
>
> slapd logs:
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
> Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
> Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
>> ...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log :
>>
>> Sep 25 03:21:21 sogod [7923]: <0x0x7ffc74b043f0[SOGoCache]> Using host(s) 'localhost' as server(s)
>> 2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugKeyLookup is enabled!
>> 2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): SoDebugBaseURL is enabled!
>> 2013-09-25 03:21:21.237 sogod[7923] Note(SoObject): relative base URLs are enabled.
>> 2013-09-25 03:21:21.240 sogod[7923] ERROR(-[NGBundleManager bundleWithPath:]): could not create bundle for path: '/usr/share/GNUstep/Libraries/gnustep-base/Versions/1.22/Resources/SSL.bundle'
>> 2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: pool embedding is on.
>> 2013-09-25 03:21:21.246 sogod[7923] WOCompoundElement: id logging is on.
>> 192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo HTTP/1.1" 302 0/0 0.129 - - 2M
>> 2013-09-25 03:21:21.379 sogod[7923] WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
>> 192.168.1.109 - - [25/Sep/2013:03:21:21 GMT] "GET /SOGo/ HTTP/1.1" 200 3874/0 0.020 11821 67% 1M
>> Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> Could not bind to the LDAP server ldap://fusion.strategicit.homelinux.net!StartTLS (389) using the bind DN: cn=admin,dc=strategicit,dc=homelinux,dc=net
>> Sep 25 03:21:30 sogod [7923]: [ERROR] <0x0x7ffc74b7d930[LDAPSource]> NAME:LDAPException REASON:operation bind failed: Confidentiality required (0xD) INFO:{login = "cn=admin,dc=strategicit,dc=homelinux,dc=net"; }
>> Sep 25 03:21:30 sogod [7923]: SOGoRootPage Login from '192.168.1.109' for user 'fd-admin' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
>> 192.168.1.109 - - [25/Sep/2013:03:21:30 GMT] "POST /SOGo/connect HTTP/1.1" 403 34/44 0.003 - - 476K
>> Sep 25 03:31:31 sogod [7899]: <0x0x7ffc74808b20[WOWatchDog]> Terminating with SIGINT or SIGTERM
>>
>> The only strange things I'm doing are setting options requiring certs in OpenLDAP, i.e.:
>>
>> olcTLSVerifyClient: demand
>> olcLocalSSF: 256
>> olcTLSCipherSuite: SECURE256
>> olcSecurity: ssf=256
>>
>> ...although I'm not sure if that could be making a difference.
>
> You realize that 'olcTLSVerifyClient: demand' means that the LDAP server will validate the CLIENT certificate on TL
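A check for the slapd side of this exchange, written as an added example (it is not from the thread, SOGo or OpenLDAP): it walks slapd stats-log lines like Jean's above and, for every simple BIND, reports whether TLS had been established on that connection, whether the negotiated ssf reaches the minimum an olcSecurity line like Mark's ssf=256 would demand, and whether the server answered result code 13, which is the "Confidentiality required (0xD)" that sogo.log shows. The sample input is Jean's conn=1938 plus one constructed connection that binds without StartTLS.

```python
import re

# Constructed sample: Jean's slapd lines from the thread (conn=1938, TLS
# negotiated at ssf=128) plus a constructed connection (conn=2001) that binds
# in cleartext and is refused with err=13 (confidentialityRequired).
SAMPLE_LOG = """\
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:24:01 sogo slapd[1169]: conn=2001 fd=17 ACCEPT from IP=127.0.0.1:33901 (IP=0.0.0.0:3389)
Sep 19 16:24:01 sogo slapd[1169]: conn=2001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:24:01 sogo slapd[1169]: conn=2001 op=0 RESULT tag=97 err=13 text=
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=\d+ ssf=(\d+)")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=')   # skips the mech=SIMPLE echo line
BIND_RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 is a BindResponse

def audit_binds(log_text, required_ssf):
    """Return one (conn, dn, ssf, err, problems) tuple per simple BIND, in log
    order; ssf is the TLS strength in force when the bind was sent, or None."""
    ssf_by_conn = {}   # conn -> ssf from the "TLS established" line
    pending = {}       # (conn, op) -> (dn, ssf at bind time), until the RESULT arrives
    findings = []
    for line in log_text.splitlines():
        if not (m := CONN_RE.search(line)):
            continue
        conn, rest = m.groups()
        if t := TLS_RE.search(rest):
            ssf_by_conn[conn] = int(t.group(1))
        elif b := BIND_RE.search(rest):
            pending[(conn, b.group(1))] = (b.group(2), ssf_by_conn.get(conn))
        elif r := BIND_RESULT_RE.search(rest):
            dn, ssf = pending.pop((conn, r.group(1)), ("?", ssf_by_conn.get(conn)))
            err = int(r.group(2))
            problems = []
            if ssf is None:
                problems.append("bind sent before TLS was established")
            elif ssf < required_ssf:
                problems.append(f"tls ssf {ssf} below required {required_ssf}")
            if err == 13:
                problems.append("server answered confidentialityRequired (13)")
            findings.append((conn, dn, ssf, err, problems))
    return findings
```

Running `audit_binds(SAMPLE_LOG, 256)` flags Jean's bind only because its ssf of 128 is below 256; with `required_ssf=128` it passes clean, which is the comparison to make against whatever olcSecurity demands on the server that refuses the bind.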
Re: [SOGo] deprecated LDAP options working, new ones not

On 13-09-24 1:57 PM, Mark Pavlichuk wrote:
> If I use the deprecated way of specifying a starttls ldap address things work, i.e.:
> [...]
> ...but if I do things the new way ... i.e.:
> [...]

I just tested again here and both work:

sogo.log
Sep 19 16:23:33 sogod [12048]: <0x0x7f1190e78bd0[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldap://127.0.0.1:3389/!StartTLS
2013-09-19 16:23:33.527 sogod[12048] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=people,dc=example,dc=com' filter '(|(uid=sogo1)(mail=sogo1))' for attrs '*'

slapd logs:
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 ACCEPT from IP=127.0.0.1:33868 (IP=0.0.0.0:3389)
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 STARTTLS
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=0 RESULT oid= err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 fd=16 TLS established tls_ssf=128 ssf=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=1 RESULT tag=97 err=0 text=
Sep 19 16:23:33 sogo slapd[1169]: connection_input: conn=1938 deferring operation: binding
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(|(uid=sogo1)(mail=sogo1))"
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SRCH attr=*
Sep 19 16:23:33 sogo slapd[1169]: conn=1938 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

> ...SOGo fails to bind to LDAP. From /var/log/sogo/sogo.log :
> [...]
> The only strange things I'm doing are setting options requiring certs in OpenLDAP, i.e.:
>
> olcTLSVerifyClient: demand
> olcLocalSSF: 256
> olcTLSCipherSuite: SECURE256
> olcSecurity: ssf=256
>
> ...although I'm not sure if that could be making a difference.

You realize that 'olcTLSVerifyClient: demand' means that the LDAP server will validate the CLIENT certificate on TL
[SOGo] deprecated LDAP options working, new ones not

[...] (the full text of this post is quoted in the replies above)

--
Mark Pavlichuk
Strategic IT
ph. (07)47242890
m. 0409 124577

--
users@sogo.nu
https://inverse.ca/sogo/lists