View Issue Details

ID: 0000333
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2010-01-22 18:20
Reporter: bertails
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: feedback
Resolution: reopened
Product Version: nightly v2
Target Version:
Fixed in Version:
Summary: 0000333: No filter for users that can authenticate
Description: There is no way to say to SOGo which users can authenticate against the LDAP server.

A typical use case is when the LDAP is used with another system and so defines users that don't belong to the calendar system.
Additional Information: The typical way to filter is to use a group.
Tags: No tags attached.

Activities

francis

2010-01-14 19:12

administrator   ~0000440

You can use the "filter" attribute. Please see the documentation (page 14):

http://www.scalableogo.org/english/support/documentation.html
bertails

2010-01-14 19:28

reporter   ~0000441

This filter attribute (in the documentation) seems to be related to the address book. This is not clear.

By the way, I have already tried that:

[[
filter = "(|(|(|(cn=109)(cn=111))(cn=112))(cn=114))";
]]

This kind of query works perfectly using ldapsearch:

[[
$ ldapsearch -x -w **** -D "cn=admin,dc=w3,dc=org" -LLL '(|(|(|(cn=109)(cn=111))(cn=112))(cn=114))'
dn: cn=109,ou=groups,dc=w3,dc=org
objectClass: top
objectClass: groupOfNames
cn: 109
description: W3C Systeam
member: uid=ted,ou=people,dc=w3,dc=org
member: uid=bertails,ou=people,dc=w3,dc=org
.....
]]

But then I have this error:

[[
object not found: SOGo => bertails
]]

Trying something closer to the example in the documentation but without anything filtered:

[[
filter = "(cn=109 OR cn=111 OR cn=112 OR cn=114)";
]]
francis

2010-01-14 21:06

administrator   ~0000442

Try using an indirect bind by defining the bindFields parameter. If you're running a nightly build, it should look like this:

  bindFields = (cn);
  filter = "(cn=109 OR cn=111 OR cn=112 OR cn=114)";
wsourdeau

2010-01-14 23:26

viewer   ~0000446

You may also block access to the Mail or the Calendar module to certain users based on their LDAP entry. See the documentation for this, by searching for the "ModulesConstraints" key.
francis

2010-01-21 16:50

administrator   ~0000493

Various solutions proposed.

This is not a bug.
bertails

2010-01-22 18:20

reporter   ~0000508

Actually, none of the proposed answers can solve the reported problem.

SOGo combines the filter with some other attributes before requesting the LDAP server. If the schema is the same as the one I gave in the example, it won't work. Using LDAP filters, it's _impossible_ to get the users such that the user is a *member* of a particular group. But it is possible to filter on the users such that they are *memberOf* a particular group.

I solved this problem in OpenLDAP using an overlay (cf. http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance ). But in many other software packages, there is support for memberOf.

So now, in theory, it should work specifying a filter like this in SOGo:
[[
filter = "(memberOf=cn=109,ou=groups,dc=w3,dc=org)";
]]

But the generated LDAP request I can see in the OpenLDAP logs looks like this:
[[
filter="(objectClass=*)"
]]

It seems the problem comes from the several '=' because if I do that in SOGo:
[[
filter = PATTERN;
]]

where PATTERN contains more than one '=', then the generated request for the user "bertails" is:
[[
(&(|(uid=bertails)(mail=bertails))(PATTERN))
]]

Issue History

Date Modified Username Field Change
2010-01-14 18:33 bertails New Issue
2010-01-14 19:12 francis Note Added: 0000440
2010-01-14 19:28 bertails Note Added: 0000441
2010-01-14 21:06 francis Note Added: 0000442
2010-01-14 23:26 wsourdeau Note Added: 0000446
2010-01-21 16:50 francis Note Added: 0000493
2010-01-21 16:50 francis Status new => closed
2010-01-21 16:50 francis Resolution open => fixed
2010-01-22 18:20 bertails Note Added: 0000508
2010-01-22 18:20 bertails Status closed => feedback
2010-01-22 18:20 bertails Resolution fixed => reopened