View Issue Details

ID: 0002730
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2016-03-16 14:11
Reporter: Pegasus
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Platform: [Server] Linux
OS: Debian
OS Version: 7 (Wheezy)
Product Version: 2.2.3
Summary0002730: LDAPS in hostname URL field in SOGoUserSources does not work
Description

According to the 2.2.3 documentation, I should be able to use a URL in the form "ldaps://fully.qualified.domain.name" in the 'hostname' field of SOGoUserSources, and I can; however, SOGo proceeds to talk on the wrong port number (389) instead of 686. If I force the port using the deprecated 'port' field, it connects on the correct port but still can't authenticate. The LDAP server is fine, as I can authenticate using LDAPS and the same bind DN & password using another method (Apache Directory Studio). And I can authenticate fine with no encryption.

Steps To Reproduce

1) Configure sogo.conf with:
SOGoUserSources = (
  {
    type = ldap;
    ...
    bindDN = "CN=SOGo,CN=Users,DC=ad,DC=example,DC=com";
    bindPassword = "secret";
    canAuthenticate = YES;
    hostname = "ldaps://server.sub.example.com";
  }
);

2) Restart SOGo and attempt to log in with valid or even invalid credentials
3) Notice the 'Could not bind to the LDAP server' message in SOGo's log file

Additional Information

Apr 22 19:12:31 sogod [11831]: [ERROR] <0x0x7f1eef03cf30[LDAPSource]> Could not bind to the LDAP server ldaps://server.sub.example.com (389) using the bind DN: CN=SOGo,CN=Users,DC=ad,DC=example,DC=com
Apr 22 19:12:31 sogod [11831]: [ERROR] <0x0x7f1eef03cf30[LDAPSource]> <NSException: 0x7f1eef477c40> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{login = "CN=SOGo,CN=Users,DC=ad,DC=example,DC=com"; }
Apr 22 19:12:31 sogod [11831]: SOGoRootPage Login from '108.40.145.234' for user 'testuser' might not have worked - password policy: 65535 grace: -1 expire: -1 bound: 0
108.40.145.234 - - [22/Apr/2014:19:12:31 GMT] "POST /synapse/connect HTTP/1.1" 403 34/56 0.203 - - 3M

Tags: No tags attached.

Activities

Pegasus (reporter), 2014-04-22 19:18, note ~0006951 (last edited: 2014-04-22 19:23)

FWIW, using "ldap://fully.qualified.domain.name????!StartTLS" does work, though I don't see a way to tell if it's really using an encrypted connection. I can put garbage instead of 'StartTLS' in the URL and it still connects, so I suspect it's not really encrypting even with it spelled correctly.

Christian Mack (developer), 2014-05-20 15:53, note ~0007055

What does your LDAP log show while connecting?

ludovic (administrator), 2014-05-23 15:46, note ~0007100

hostname = "ldaps://server.sub.example.com:636"; should do the trick. That will be LDAP over SSL.

If you want to use TLS, you should use:

hostname = "ldap://server.sub.example.com/????!StartTLS";
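The two hostname forms in this thread (ldaps:// with or without an explicit port, and ldap:// with the "????!StartTLS" extension) are RFC 4516 LDAP URLs, and the reporter's observation that garbage in place of "StartTLS" still connects is exactly the case RFC 4516 addresses: an extension prefixed with "!" is critical, and a client that does not recognise it must refuse the URL. The following is an added example, not SOGo code and not a description of how SOGo parses the field. It is a stand-alone Python checker a deployer could run over a sogo.conf hostname value before trusting it: it resolves the default port per scheme (389 for ldap, 636 for ldaps), recognises the StartTLS extension, rejects unknown critical extensions, and reports whether the bind password would cross the wire in the clear. The KNOWN_EXTENSIONS set and the audit_hostname findings are this example's own choices.

```python
"""Audit a SOGo-style LDAP 'hostname' URL before using it (added example, not SOGo code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC 4516 default ports per scheme.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# Extension names this checker understands (compared case-insensitively); assumption of this example.
KNOWN_EXTENSIONS = {"starttls", "bindname"}


@dataclass(frozen=True)
class LdapEndpoint:
    scheme: str
    host: str
    port: int
    explicit_port: bool   # True when the URL carried ":port" itself
    starttls: bool        # True when a StartTLS extension was requested

    @property
    def encrypted(self) -> bool:
        """TLS from the first byte (ldaps) or upgraded after connect (StartTLS)."""
        return self.scheme == "ldaps" or self.starttls


def parse_ldap_url(url: str) -> LdapEndpoint:
    """Parse scheme://host[:port][/dn[?attrs[?scope[?filter[?extensions]]]]] per RFC 4516."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    explicit_port = parts.port is not None      # parts.port raises ValueError on a non-numeric port
    port = parts.port if explicit_port else DEFAULT_PORTS[scheme]

    # Everything after the first '?' is attrs?scope?filter?extensions; each field may be empty,
    # which is why "????!StartTLS" is three empty fields followed by the extension list.
    fields = parts.query.split("?") if parts.query else []
    if len(fields) > 4:
        raise ValueError("too many '?' separators in LDAP URL")
    extensions = fields[3] if len(fields) == 4 else ""

    starttls = False
    for ext in filter(None, extensions.split(",")):
        critical = ext.startswith("!")
        name = ext.lstrip("!").split("=", 1)[0].strip().lower()
        if name == "starttls":
            if scheme == "ldaps":
                raise ValueError("StartTLS cannot be combined with ldaps://")
            starttls = True
        elif name not in KNOWN_EXTENSIONS and critical:
            # RFC 4516 section 4: an unrecognised critical extension makes the URL unusable.
            raise ValueError(f"unknown critical extension {ext!r}")
    return LdapEndpoint(scheme, host, port, explicit_port, starttls)


def audit_hostname(url: str) -> list[str]:
    """Return the findings a deployer would want to see for this hostname value."""
    ep = parse_ldap_url(url)
    findings = []
    if not ep.encrypted:
        findings.append(f"plaintext LDAP to {ep.host}:{ep.port}: the bind password travels unencrypted")
    if ep.scheme == "ldaps" and not ep.explicit_port:
        findings.append(f"ldaps:// without an explicit port: confirm the client really connects to {ep.port}, not 389")
    if ep.starttls and ep.port == DEFAULT_PORTS["ldaps"]:
        findings.append("StartTLS on port 636 is unusual: that port normally expects TLS from the first byte")
    return findings


if __name__ == "__main__":
    # Values taken from this issue, plus one plaintext URL for contrast.
    for candidate in (
        "ldaps://server.sub.example.com",
        "ldaps://server.sub.example.com:636",
        "ldap://server.sub.example.com/????!StartTLS",
        "ldap://server.sub.example.com",
        "ldap://server.sub.example.com/????!Garbage",
    ):
        try:
            ep = parse_ldap_url(candidate)
            print(f"{candidate}: {ep.scheme} {ep.host}:{ep.port} encrypted={ep.encrypted}")
            for finding in audit_hostname(candidate):
                print("  -", finding)
        except ValueError as exc:
            print(f"{candidate}: REJECTED ({exc})")
```

The checker only reads the URL; whether the running client honours it is a separate question, which is why the ldaps-without-port finding tells the operator to confirm the port the process actually opens (for example in the LDAP server's own log, as asked above) rather than assuming 636.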

Issue History

Date Modified Username Field Change
2014-04-22 19:14 Pegasus New Issue
2014-04-22 19:18 Pegasus Note Added: 0006951
2014-04-22 19:23 Pegasus Note Edited: 0006951
2014-05-20 15:53 Christian Mack Note Added: 0007055
2014-05-23 15:46 ludovic Note Added: 0007100
2015-06-11 13:02 ludovic Status new => closed
2015-06-11 13:02 ludovic Assigned To => ludovic
2015-06-11 13:02 ludovic Resolution open => suspended