View Issue Details

ID: 0005917
Project: SOGo
Category: with SOGo
View Status: public
Last Update: 2024-02-07 13:42
Reporter: abdunazarov
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 7
Product Version: 5.9.1
Summary: 0005917: SOGo can't authenticate users when using Active Directory LDAPs
Description

Hello guys!
I'm trying to install SOGo 5.9.1 on CentOS 8 and Rocky Linux 9. On both systems there is a problem with user authentication using LDAPS.
The configuration is taken from a running instance of SOGo version 5.7.
When I try to set encryption = SSL; and hostname = "ldaps://ad.server"; in the configuration, the errors below appear in the logs:
Feb 02 16:03:10 sogod [6419]: [ERROR] <0x0x55e74cbe6bc0[LDAPSource]> Could not bind to the LDAP server ldaps://ad.server (636) using the bind DN: binduser@ad.server
Feb 02 16:03:10 sogod [6419]: [ERROR] <0x0x55e74cbe6bc0[LDAPSource]> <NSException: 0x55e74cced2f0> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login = binduser@ad.server"; }

But when I run without encryption = SSL; in the config, everything works fine.
Could somebody please tell me: are there any changes to the configs needed to upgrade from 5.7 to 5.9.1? Or maybe any ideas what is going wrong?

Steps To Reproduce

Install SOGo 5.9.1 from nightly build and add SOGoUserSources type = ldap
Set encryption = SSL; and hostname = "ldaps://ad.server";
Try login from web interface

Tags: ldaps, sogo

Activities

Christian Mack (developer), 2024-02-07 12:59, note ~0017561

Without encryption you use port 389 on the LDAP/AD server.
With encryption you use port 636.
As the error message states "Can't contact LDAP server", you probably have a firewall in between.
That firewall blocks access from your SOGo server to your AD server on port 636, but allows access on port 389.

abdunazarov (reporter), 2024-02-07 13:17, note ~0017562

Of course, the firewall was checked first.
Both ports, 389 without SSL and 636 with SSL, were specified correctly.
Moreover, these ports are accessible via telnet.
If we rule out the assumption that port 636 is blocked by a firewall, what else could be wrong?

Christian Mack (developer), 2024-02-07 13:42, note ~0017563

Then it could be that the SOGo server cannot verify your AD certificate.
Check that with:

openssl s_client -connect ad.server:636
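The two hypotheses raised in this thread (port 636 blocked vs. the AD certificate not being trusted by the SOGo host) produce the same "Can't contact LDAP server" error in sogod, so a check that separates them is useful. The following diagnostic is an added example and not part of SOGo; it assumes the hostname and port from the report, uses the system trust store by default (the optional cafile override is an assumption), and also parses the "Verify return code" line from the openssl s_client output suggested above.

```python
import re
import socket
import ssl
import sys
from typing import Optional, Tuple

AD_HOST = "ad.server"   # hostname from the report; replace with your AD server
LDAPS_PORT = 636

def check_ldaps(host: str, port: int = LDAPS_PORT, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Tuple[str, str]:
    """Return (verdict, detail) for an LDAPS endpoint.
    'unreachable' - TCP connect failed: firewall, routing, or service down
    'untrusted'   - TCP ok, but the AD certificate chain does not verify
    'tls_error'   - TCP ok, TLS handshake failed for another reason
    'ok'          - handshake completed and the certificate verified
    cafile is an assumed optional override; None uses the system trust store,
    which is also what the LDAP client library consults for encryption = SSL."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:  # refused, timeout and DNS failures are all OSError
        return "unreachable", f"TCP connect to {host}:{port} failed: {e}"
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            return "ok", f"{tls.version()}; subject CN={subject.get('commonName')}"
    except ssl.SSLCertVerificationError as e:   # subclass of SSLError: catch first
        return "untrusted", f"certificate verification failed: {e.verify_message}"
    except ssl.SSLError as e:
        return "tls_error", f"TLS handshake failed: {e}"
    finally:
        raw.close()

VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")
def parse_s_client_verify(output: str) -> Tuple[int, str]:
    """Extract the 'Verify return code' from `openssl s_client` output.
    0 means the chain verified. Non-zero codes such as 19 (self-signed
    certificate in chain) or 20 (unable to get local issuer certificate)
    mean the issuing CA must be added to the SOGo host's trust store."""
    m = VERIFY_RE.search(output)
    if not m:
        raise ValueError("no 'Verify return code' line: did the connection fail before TLS?")
    return int(m.group(1)), m.group(2)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else AD_HOST
    verdict, detail = check_ldaps(host)
    print(f"{host}:{LDAPS_PORT} -> {verdict}: {detail}")
```

An 'unreachable' verdict points at the firewall explanation, 'untrusted' at the certificate one; in the latter case the fix is to import the AD issuing CA into the SOGo host's trust store rather than to disable verification.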

Issue History

Date Modified Username Field Change
2024-02-02 13:27 abdunazarov New Issue
2024-02-02 13:27 abdunazarov Tag Attached: ldaps
2024-02-02 13:27 abdunazarov Tag Attached: sogo
2024-02-07 12:59 Christian Mack Note Added: 0017561
2024-02-07 13:17 abdunazarov Note Added: 0017562
2024-02-07 13:42 Christian Mack Note Added: 0017563