Re: [SOGo] LDAP entries with multiple mail addresses
On 18/09/2018 20:47, Gordon Messmer (gordon.mess...@gmail.com) wrote:
> On 9/18/18 10:58 AM, Andrei Goldchleger (agoldchle...@vbtec.com.br) wrote:
>> Anyway, I found a solution using LDAP ACLs in order to filter the record attributes that are returned to SOGo. I will perform further testing, but this seems to do the trick. This is useful if:
>
> Did you try just removing the IMAPLoginFieldName setting? That should have solved the problem without adding any more accounts or ACLs to the directory.

I reverted my ACLs and tested again without IMAPLoginFieldName - no, it doesn't seem to isolate the access to the mailbox used in the login.

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] LDAP entries with multiple mail addresses
On 9/18/18 10:58 AM, Andrei Goldchleger (agoldchle...@vbtec.com.br) wrote:
> Anyway, I found a solution using LDAP ACLs in order to filter the record attributes that are returned to SOGo. I will perform further testing, but this seems to do the trick. This is useful if:

Did you try just removing the IMAPLoginFieldName setting? That should have solved the problem without adding any more accounts or ACLs to the directory.
Re: [SOGo] LDAP entries with multiple mail addresses
Yes, you are correct about IMAPLoginFieldName. As far as I understand, as designed, SOGo will consider all addresses returned in the LDAP record.

Anyway, I found a solution using LDAP ACLs in order to filter the record attributes that are returned to SOGo. I will perform further testing, but this seems to do the trick.

This is useful if:

1) Your LDAP records contain more than one email, like:

dn: uid=john-doe,ou=people,dc=example,dc=net
objectClass: inetOrgPerson
uid: john-doe
sn: Doe
givenName: John
cn: John Doe
userPassword:
mail: john-...@example.net
mail: john-...@example.com

2) Your email accounts are kept as separate mailboxes in the mail server

This example assumes:

1) That you hold user records in ou=people,dc=example,dc=net and SOGo "automation accounts" in ou=automation,dc=example,dc=net. Of course this is completely arbitrary and you can adapt as needed.
2) Two email/SOGo domains: example.net and example.com
3) Users will log in with the email address and will see only the mailbox used to log in

---

1) Create a LDAP user per SOGo domain

dn: uid=sogo-example-com,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-com
sn: Example Com
givenName: SOGo
cn: SOGo Example Com
userPassword:

dn: uid=sogo-example-net,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-net
sn: Example Net
givenName: SOGo
cn: SOGo Example Net
userPassword:

2) Create LDAP ACLs to filter the returned mail attributes by domain (will DEFINITELY require adjustments depending on your existing ACLs). This will make sure that the SOGo automation user only sees the email attribute that matches its domain.

olcAccess: to dn.children="ou=people,dc=example,dc=net" filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+example\.com$"
  by dn.base="uid=sogo-example-com,ou=automation,dc=example,dc=net" read
  by * break
olcAccess: to dn.children="ou=people,dc=example,dc=net" filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+example\.net$"
  by dn.base="uid=sogo-example-net,ou=automation,dc=example,dc=net" read

3) Attach each user to a specific SOGo domain (contains extra fields such as passwordPolicy which might not be needed in your scenario):

domains = {
  example.com = {
    SOGoMailDomain = example.com;
    SOGoUserSources = (
      {
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = mail;
        IDFieldName = uid;
        bindFields = (mail);
        baseDN = "ou=people,dc=example,dc=net";
        bindDN = "uid=sogo-example-com,ou=automation,dc=example,dc=net";
        bindPassword = ;
        canAuthenticate = YES;
        displayName = "example.com addressbook/login";
        hostname = ldaps://ldaps.example.net;
        id = example.com;
        isAddressBook = YES;
        passwordPolicy = YES;
      }
    );
  };
  example.net = {
    SOGoMailDomain = example.net;
    SOGoUserSources = (
      {
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = mail;
        IDFieldName = uid;
        bindFields = (mail);
        baseDN = "ou=people,dc=example,dc=net";
        bindDN = "uid=sogo-example-net,ou=automation,dc=example,dc=net";
        bindPassword = ;
        canAuthenticate = YES;
        displayName = "example.net addressbook/login";
        hostname = ldaps://ldaps.example.net;
        id = example.net;
        isAddressBook = YES;
        passwordPolicy = YES;
      }
    );
  };
};

On 15/09/2018 18:47, Gordon Messmer (gordon.mess...@gmail.com) wrote:
> On 9/13/18, Andrei Goldchleger wrote:
>> My LDAP users records contain multiple email addresses. For example:
>> My SogoUsersSources is like the following:
>> -
>> SOGoUserSources = (
>>   {
>>     IMAPLoginFieldName = mail;
>
> That setting is optional. IIRC, if it's not set, then SOGo will use the value provided in the login form, rather than an attribute from LDAP.
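The whole scheme above depends on each automation bind seeing exactly one mail value per user, because SOGo takes the first value returned. The following is an added check, not code from the thread: it models only the `val.regex` attribute-value selection of the posted olcAccess rules (not full OpenLDAP ACL evaluation) over constructed entries, and shows that an unanchored regex like `^.+example\.com$` also matches any other domain whose name merely ends in "example.com", while a regex anchored after the `@` does not.

```python
"""Added example (not from the thread): audit per-bind-DN val.regex rules so
that every user exposes exactly one mail value to each SOGo automation bind."""
import re

# Constructed person entries, modelled on the LDIF in the thread (addresses invented).
# jane-roe also carries an address at a third domain that ends in "example.com".
PEOPLE = {
    "uid=john-doe,ou=people,dc=example,dc=net": {
        "mail": ["john-doe@example.net", "john-doe@example.com"]},
    "uid=jane-roe,ou=people,dc=example,dc=net": {
        "mail": ["jane@example.net", "jane@example.com", "jane@oldexample.com"]},
}

# val.regex values copied from the thread's olcAccess lines, keyed by the bind DN
# each rule grants read access to.
ACL_AS_POSTED = {
    "uid=sogo-example-com,ou=automation,dc=example,dc=net": r"^.+example\.com$",
    "uid=sogo-example-net,ou=automation,dc=example,dc=net": r"^.+example\.net$",
}
# Same rules with the domain anchored directly after '@' (suggested tightening).
ACL_ANCHORED = {
    "uid=sogo-example-com,ou=automation,dc=example,dc=net": r"^[^@]+@example\.com$",
    "uid=sogo-example-net,ou=automation,dc=example,dc=net": r"^[^@]+@example\.net$",
}


def visible_mail(acl, bind_dn):
    """Mail values each person entry exposes to bind_dn under its val.regex
    (models 'attrs=mail val.regex=... by dn.base=<bind_dn> read')."""
    pat = re.compile(acl[bind_dn])
    return {dn: [m for m in e["mail"] if pat.search(m)] for dn, e in PEOPLE.items()}


def audit(acl):
    """Return (bind_dn, user_dn, mails) for every bind/user pair that sees zero or
    more than one mail value. More than one reproduces the original problem
    (SOGo uses the first value returned); zero means that user cannot log in
    to that SOGo domain at all."""
    problems = []
    for bind_dn in acl:
        for dn, mails in visible_mail(acl, bind_dn).items():
            if len(mails) != 1:
                problems.append((bind_dn, dn, mails))
    return problems


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("anchored", ACL_ANCHORED)):
        print(label, audit(acl))
```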
Re: [SOGo] LDAP entries with multiple mail addresses
On 9/13/18, Andrei Goldchleger wrote:
> My LDAP users records contain multiple email addresses. For example:
> My SogoUsersSources is like the following:
> -
> SOGoUserSources = (
>   {
>     IMAPLoginFieldName = mail;

That setting is optional. IIRC, if it's not set, then SOGo will use the value provided in the login form, rather than an attribute from LDAP.
Re: [SOGo] LDAP entries with multiple mail addresses
At this point I tried a bunch of things, like separate SOGo domains for each TLD and indirect binds using bindFields. However, as far as I can see, there is no way to control which email should be used as the login in the IMAP/SMTP server, since SOGo will use whatever is returned in the LDAP record.

Is there any way to do variable substitution in sogo.conf? Something like:

domains = {
  example.com = {
    SOGoMailDomain = example.com;
    SOGoUserSources = (
      type = ldap;
      UIDFieldName = %{uid}'@example.com';
      ...
}

I am just checking if there are any alternatives, otherwise I will just remodel the LDAP DIT so each record returns only one mail attribute.

Thanks,
Andrei

On 13/09/2018 19:08, Andrei Goldchleger (agoldchle...@vbtec.com.br) wrote:
> Hi,
>
> My LDAP users records contain multiple email addresses. For example:
> -
> dn: uid=john-doe,ou=people,dc=example,dc=net
> objectClass: inetOrgPerson
> uid: john-doe
> sn: Doe
> givenName: John
> cn: John Doe
> userPassword:
> mail: john-...@example.net
> mail: john-...@example.com
> mail: john-...@example.org
> -
> Each of those email addresses maps to a different mailbox. They are handled by a single SMTP/IMAP server. This was tested with Thunderbird and the mailbox isolation works fine.
>
> I would like to achieve in SOGo the same kind of isolation:
> 1) User logs in with the email address
> 2) User only sees the mailbox that corresponds to the address used to log in to SOGo
> 3) User can only send email with the login identity
>
> My SogoUsersSources is like the following:
> -
> SOGoUserSources = (
>   {
>     type = ldap;
>     CNFieldName = cn;
>     UIDFieldName = mail;
>     IDFieldName = uid;        // first field of the DN for direct binds
>     bindFields = (mail);      // array of fields to use for indirect binds
>     IMAPLoginFieldName = mail;
>     baseDN = "ou=people,dc=example,dc=net";
>     bindDN = "uid=sogo,ou=automation,dc=example,dc=net";
>     bindPassword = ;
>     canAuthenticate = YES;
>     displayName = "Shared Addresses";
>     hostname = ldaps://ldap.example.net;
>     id = public;
>     isAddressBook = YES;
>   }
> );
> -
> With this configuration, the user logs in successfully with the email address (thus objective 1 is achieved). However, the mailbox that is loaded is always the mailbox listed in the first mail record in the LDAP attribute (in this example, john-...@example.net). Also, when composing email, the user can select the other accounts.
>
> Is there any way to achieve what I want without having separate LDAP records?
>
> Thanks,
> Andrei