Re: [SOGo] LDAP entries with multiple mail addresses

2018-09-24 Thread Andrei Goldchleger

On 18/09/2018 20:47, Gordon Messmer (gordon.mess...@gmail.com) wrote:
> On 9/18/18 10:58 AM, Andrei Goldchleger (agoldchle...@vbtec.com.br)
> wrote:
>> Anyway, I found a solution using LDAP ACLs in order to filter the
>> record attributes that are returned to sogo. I will perform further
>> testing, but this seems to do the trick. This is useful if:
>
> Did you try just removing the IMAPLoginFieldName setting?  That should
> have solved the problem without adding any more accounts or ACLs to
> the directory.


I reverted my ACLs and tested again without IMAPLoginFieldName - no, it 
doesn't seem to isolate the access to the mailbox used in the login.


--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] LDAP entries with multiple mail addresses

2018-09-18 Thread Gordon Messmer

On 9/18/18 10:58 AM, Andrei Goldchleger (agoldchle...@vbtec.com.br) wrote:
> Anyway, I found a solution using LDAP ACLs in order to filter the
> record attributes that are returned to sogo. I will perform further
> testing, but this seems to do the trick. This is useful if:

Did you try just removing the IMAPLoginFieldName setting?  That should 
have solved the problem without adding any more accounts or ACLs to the 
directory.




Re: [SOGo] LDAP entries with multiple mail addresses

2018-09-18 Thread Andrei Goldchleger
Yes, you are correct about IMAPLoginFieldName. As far as I understand, 
as designed, SOGo will consider all addresses returned in the LDAP record.


Anyway, I found a solution using LDAP ACLs in order to filter the record 
attributes that are returned to sogo. I will perform further testing, 
but this seems to do the trick. This is useful if:


1) Your LDAP records contain more than one email, like:

dn: uid=john-doe,ou=people,dc=example,dc=net
objectClass: inetOrgPerson
uid: john-doe
sn: Doe
givenName: John
cn: John Doe
userPassword: 
mail: john-...@example.net
mail: john-...@example.com

2) Your email accounts are kept as separate mailboxes in the mail server

This example assumes:

1) That you hold user records in ou=people,dc=example,dc=net and sogo 
"automation accounts" in ou=automation,dc=example,dc=net. Of course this 
is completely arbitrary and you can adapt as needed.


2) Two email/sogo domains: example.net and example.com

3) Users will log in with the email address and will see only the 
mailbox used to log in


---

1) Create a LDAP user per SOGo domain

dn: uid=sogo-example-com,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-com
sn: Example Com
givenName: SOGo
cn: SOGo Example Com
userPassword: 

dn: uid=sogo-example-net,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-net
sn: Example Net
givenName: SOGo
cn: SOGo Example Net
userPassword: 

2) Create LDAP ACLs to filter the returned mail attributes by domain 
(will DEFINITELY require adjustments depending on your existing ACLs). 
This will make sure that the sogo automation user only sees the email 
attribute that matches its domain.


# Anchored on "@" so that lookalike domains (e.g. notexample.com) cannot match.
olcAccess: to dn.children="ou=people,dc=example,dc=net"
  filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+@example\.com$"
  by dn.base="uid=sogo-example-com,ou=automation,dc=example,dc=net" read
  by * break

# "by * break" is needed on this rule too: it hands every other bind (users,
# other tools) on to the ACLs that follow; without it nothing else could read
# the example.net values.
olcAccess: to dn.children="ou=people,dc=example,dc=net"
  filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+@example\.net$"
  by dn.base="uid=sogo-example-net,ou=automation,dc=example,dc=net" read
  by * break

3) Attach each user to a specific SOGo domain (Contains extra fields 
such as passwordPolicy which might not be needed in your scenario):


  domains = {
    example.com = {
      SOGoMailDomain = example.com;
      SOGoUserSources = (
        {
          type = ldap;
          CNFieldName = cn;
          UIDFieldName = mail;
          IDFieldName = uid;
          bindFields = (mail);
          // people and automation accounts both live under dc=example,dc=net
          // (see the assumptions above); the ACLs, not the base DN, pick the domain
          baseDN = "ou=people,dc=example,dc=net";
          bindDN = "uid=sogo-example-com,ou=automation,dc=example,dc=net";
          bindPassword = ;
          canAuthenticate = YES;
          displayName = "example.com addressbook/login";
          hostname = ldaps://ldaps.example.net;
          id = example.com;
          isAddressBook = YES;
          passwordPolicy = YES;
        }
      );
    };
    example.net = {
      SOGoMailDomain = example.net;
      SOGoUserSources = (
        {
          type = ldap;
          CNFieldName = cn;
          UIDFieldName = mail;
          IDFieldName = uid;
          bindFields = (mail);
          baseDN = "ou=people,dc=example,dc=net";
          bindDN = "uid=sogo-example-net,ou=automation,dc=example,dc=net";
          bindPassword = ;
          canAuthenticate = YES;
          displayName = "example.net addressbook/login";
          hostname = ldaps://ldaps.example.net;
          id = example.net;
          isAddressBook = YES;
          passwordPolicy = YES;
        }
      );
    };
  };

On 15/09/2018 18:47, Gordon Messmer (gordon.mess...@gmail.com) wrote:
> On 9/13/18, Andrei Goldchleger wrote:
>> My LDAP user records contain multiple email addresses. For example:
>> My SogoUsersSources is like the following:
>> -
>> SOGoUserSources = (
>>  {
>> IMAPLoginFieldName = mail;
>
> That setting is optional.  IIRC, if it's not set, then SOGo will use
> the value provided in the login form, rather than an attribute from
> LDAP.



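The ACL procedure above is easy to get subtly wrong: which "to" clause wins for a given value, what "by * break" hands on to, and what an unanchored val.regex actually matches are not visible from slapd's logs. The script below is an added example written for this page, not code from the thread, from SOGo or from OpenLDAP. It models the subset of slapd.access(5) semantics the two per-domain rules rely on (first matching "to" clause, first matching "by" clause, "break" resuming with the next rule, implicit deny when no "by" clause matches) and replays those rules, plus an assumed third catch-all rule standing in for "the rest of your ACLs", against constructed entries. The DNs, the addresses (alice, bob, the legacy oldexample.com domain) and the catch-all rule are made up for the example, and a value selected by no rule at all is denied by this model, which is a choice of the model rather than slapd's behaviour. It shows that each automation account sees only its own domain's value, that the second rule without "by * break" hides the example.net values from everyone else, and that "^.+example\.com$" without the "@" also matches a lookalike domain.

```python
# Added example: a model of the slapd ACL evaluation the per-domain mail
# rules depend on. Not OpenLDAP code; only the subset of slapd.access(5)
# used above is implemented (no filter=, no access levels beyond read/none).
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed DNs and addresses for the example (same DIT layout as the thread)
PEOPLE = "ou=people,dc=example,dc=net"
AUTOMATION = "ou=automation,dc=example,dc=net"
SOGO_COM = f"uid=sogo-example-com,{AUTOMATION}"
SOGO_NET = f"uid=sogo-example-net,{AUTOMATION}"
ALICE = f"uid=alice,{PEOPLE}"
ALICE_MAIL = ["alice@example.net", "alice@example.com"]
BOB = f"uid=bob,{PEOPLE}"
BOB_MAIL = ["bob@example.net", "bob@oldexample.com"]   # lookalike legacy domain


def norm(dn: str) -> str:
    """Case-fold and drop whitespace after commas; enough for DN comparison here."""
    return re.sub(r",\s+", ",", dn.strip().lower())


def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """Does the <who> selector of a 'by' clause match the binding identity?"""
    if who == "*":
        return True
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and norm(bind_dn) == norm(entry_dn)
    m = re.fullmatch(r'dn\.(base|children)="([^"]+)"', who)
    if m:
        if not bind_dn:
            return False
        style, target, b = m.group(1), norm(m.group(2)), norm(bind_dn)
        return b == target if style == "base" else (b != target and b.endswith("," + target))
    raise ValueError(f"unsupported <who> selector: {who}")


@dataclass
class AccessRule:
    """One 'olcAccess: to <what> by <who> <access> ...' clause."""
    by: List[Tuple[str, str]]           # (who, access) in configuration order
    children_of: Optional[str] = None   # dn.children="<dn>"
    attr: Optional[str] = None          # attrs=<attr>; None selects any attribute
    val_regex: Optional[str] = None     # val.regex="..." tested against each value

    def selects(self, entry_dn: str, attr: str, value: str) -> bool:
        if self.children_of and not norm(entry_dn).endswith("," + norm(self.children_of)):
            return False
        if self.attr and self.attr.lower() != attr.lower():
            return False
        # regexec-style search: only the author's ^...$ anchors bound the match
        return not (self.val_regex and not re.search(self.val_regex, value))


def decide(rules: List[AccessRule], bind_dn: Optional[str], entry_dn: str,
           attr: str, value: str) -> str:
    """First rule whose <what> selects the value is used; within it the first
    matching <by> clause decides. 'break' resumes with the next rule. No matching
    <by> clause means deny (slapd's implicit 'by * none'). A value selected by no
    rule is denied here: this model's choice, not necessarily slapd's."""
    for rule in rules:
        if not rule.selects(entry_dn, attr, value):
            continue
        for who, access in rule.by:
            if who_matches(who, bind_dn, entry_dn):
                if access == "break":
                    break           # hand this value on to the next rule
                return access       # "read" or "none" is final
        else:
            return "none"           # no <by> clause matched
    return "none"


def visible_values(rules, bind_dn, entry_dn, attr, values) -> List[str]:
    """The subset of `values` that bind_dn may read, evaluated value by value."""
    return [v for v in values if decide(rules, bind_dn, entry_dn, attr, v) == "read"]


def domain_rules(anchored: bool = True, break_on_net: bool = True) -> List[AccessRule]:
    """The two per-domain rules from the thread plus an assumed catch-all.
    anchored=False reproduces the original regex without the '@';
    break_on_net=False reproduces the second rule without 'by * break'."""
    at = "@" if anchored else ""
    net_by = [(f'dn.base="{SOGO_NET}"', "read")] + ([("*", "break")] if break_on_net else [])
    return [
        AccessRule(children_of=PEOPLE, attr="mail", val_regex=rf"^.+{at}example\.com$",
                   by=[(f'dn.base="{SOGO_COM}"', "read"), ("*", "break")]),
        AccessRule(children_of=PEOPLE, attr="mail", val_regex=rf"^.+{at}example\.net$",
                   by=net_by),
        # Assumed "rest of your ACLs": automation accounts get nothing more,
        # people may read their own and each other's addresses (address book).
        AccessRule(attr="mail", by=[(f'dn.children="{AUTOMATION}"', "none"),
                                    ("self", "read"), ("users", "read")]),
    ]


if __name__ == "__main__":
    for label, rules in [("corrected rules", domain_rules()),
                         ("no break on .net rule", domain_rules(break_on_net=False)),
                         ("unanchored regex", domain_rules(anchored=False))]:
        print(f"--- {label}")
        for who in (SOGO_COM, SOGO_NET, ALICE):
            print(f"{who.split(',')[0]:22} sees alice: {visible_values(rules, who, ALICE, 'mail', ALICE_MAIL)}")
        print(f"{SOGO_COM.split(',')[0]:22} sees bob:   {visible_values(rules, SOGO_COM, BOB, 'mail', BOB_MAIL)}")
```

Against a live directory the equivalent check is one ldapsearch per automation account, for example `ldapsearch -H ldaps://ldaps.example.net -D "uid=sogo-example-com,ou=automation,dc=example,dc=net" -W -b ou=people,dc=example,dc=net "(objectClass=inetOrgPerson)" mail`, which should return only @example.com values; repeat it bound as an ordinary user to confirm that your remaining ACLs still let people see their own addresses, since that is what the "by * break" hands off to.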

Re: [SOGo] LDAP entries with multiple mail addresses

2018-09-16 Thread Gordon Messmer
On 9/13/18, Andrei Goldchleger  wrote:
> My LDAP user records contain multiple email addresses. For example:
> My SogoUsersSources is like the following:
> -
> SOGoUserSources = (
> {
>IMAPLoginFieldName = mail;

That setting is optional.  IIRC, if it's not set, then SOGo will use
the value provided in the login form, rather than an attribute from
LDAP.


Re: [SOGo] LDAP entries with multiple mail addresses

2018-09-14 Thread Andrei Goldchleger
At this point I tried a bunch of things, like separate sogo domains for 
each TLD and indirect binds using bindFields. However, as far as I can 
see, there is no way to control which email should be used as the login 
in the IMAP/SMTP server, since SOGo will use whatever is returned in the 
LDAP record.


Is there any way to do variable substitution in sogo.conf? Something like:

domains = {
  example.com = {
    SOGoMailDomain = example.com;
    SOGoUserSources = (
      {
        type = ldap;
        UIDFieldName = %{uid}'@example.com';
        ...
      }
    );
  };
};

I am just checking if there are any alternatives, otherwise I will just 
remodel the LDAP DIT so that each record returns only one mail attribute.


Thanks,

Andrei

On 13/09/2018 19:08, Andrei Goldchleger (agoldchle...@vbtec.com.br) wrote:
> Hi,
>
> My LDAP user records contain multiple email addresses. For example:
>
> -
>
> dn: uid=john-doe,ou=people,dc=example,dc=net
> objectClass: inetOrgPerson
> uid: john-doe
> sn: Doe
> givenName: John
> cn: John Doe
> userPassword: 
> mail: john-...@example.net
> mail: john-...@example.com
> mail: john-...@example.org
> -
>
> Each of those email addresses maps to a different mailbox. They are
> handled by a single SMTP/IMAP server. This was tested with Thunderbird
> and the mailbox isolation works fine.
>
> I would like to achieve in SOGo the same kind of isolation:
>
> 1) User logs in with the email address
>
> 2) User only sees the mailbox that corresponds to the address used to
> log in to SOGo
>
> 3) User can only send email with the login identity
>
> My SOGoUserSources is like the following:
>
> -
>
> SOGoUserSources = (
>   {
>     type = ldap;
>     CNFieldName = cn;
>     UIDFieldName = mail;
>     IDFieldName = uid; // first field of the DN for direct binds
>     bindFields = (mail); // array of fields to use for indirect binds
>     IMAPLoginFieldName = mail;
>     baseDN = "ou=people,dc=example,dc=net";
>     bindDN = "uid=sogo,ou=automation,dc=example,dc=net";
>     bindPassword = ;
>     canAuthenticate = YES;
>     displayName = "Shared Addresses";
>     hostname = ldaps://ldap.example.net;
>     id = public;
>     isAddressBook = YES;
>   }
> );
>
> -
>
> With this configuration, the user logs in successfully with the email
> address (thus objective 1 is achieved). However, the mailbox that is
> loaded is always the one listed in the first mail value of the LDAP
> record (in this example, john-...@example.net). Also, when
> composing email, the user can select the other accounts.
>
> Is there any way to achieve what I want without having separate LDAP
> records?
>
> Thanks,
>
> Andrei


