SOGo | BTS

View Issue Details Jump to Notes ] Related Changesets ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003685SOGoBackend Generalpublic2016-05-20 08:302019-02-22 01:41
Reporterzhb 
Assigned Toludovic 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusassignedResolutionreopened 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version4.0.6 
Summary0003685: Feature request: support place holder in LDAP base dn, bind dn
DescriptionDear developers,

Please consider supporting place holders in LDAP base dn and bind dn, so that we can get flexible LDAP support.

For example, login as user 'john@mydomain.com':

- %s for full login username (full email address)
- %d for domain part in email address (mydomain.com)
- %u for username part in email address (john)

Then we can get flexible LDAP base dn and bind dn like this:

base dn: domainName=%d,o=domains,dc=iredmail,dc=org
bind dn: mail=%s,ou=Users,domainName=%d,o=domains,dc=iredmail,dc=org
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]

-  Notes
(0011166)
zhb (reporter)
2017-01-05 00:23

Dear developers,

Can i pay you to implement this feature? How much?
User avatar (0011265)
Christian Mack (developer)
2017-02-03 05:32

@zhb

If you didn't already, use https://sogo.nu/support/index_new.html#/commercial [^] for such requests ;-)
(0013235)
modir (reporter)
2019-01-04 09:40

Is there already an update regarding this issue? I am intersted in this as well.
User avatar (0013295)
ludovic (administrator)
2019-01-31 14:35

I can understand having a dynamic baseDN but is a dynamic bindDN really useful?

We currently have bindAsCurrentUser has an option in SOGo.

So the bindDN can be used on the 'root' of the source to actually perform an initial lookup in case bindFields are being used.

Are you NOT using bindFields?
(0013303)
zhb (reporter)
2019-01-31 20:00

We can use bindAsCurrentUser instead of dynamic bind dn. The most important parts are base dn and ldap filter.
User avatar (0013304)
ludovic (administrator)
2019-01-31 20:24

So I guess %s and %u don't make sense either.
(0013305)
zhb (reporter)
2019-01-31 20:35

We need %s and %u also, especially in ldap filter.
User avatar (0013306)
ludovic (administrator)
2019-01-31 20:35

What do you mean by ldap filter?
(0013307)
zhb (reporter)
2019-01-31 20:44

Oops, i mixed SOGo with another use case. Sorry about this.
I think %d (domain) is enough for now.
User avatar (0013312)
ludovic (administrator)
2019-02-04 07:41

The feature was implemented. baseDN now accepts %d as a placeholder. Please give a try to the upcoming nightly builds (available in 24 hours from now).
(0013318)
zhb (reporter)
2019-02-04 11:00

Thanks very much. :)
(0013323)
zhb (reporter)
2019-02-10 09:54

Placeholder (%d) in base DN doesn't work with SOGo nightly build: 4.0.5.20190210-1.
(0013324)
zhb (reporter)
2019-02-10 09:59

Tested with SOGoUserSources below, it doesn't work. According to OpenLDAP log, the query base dn is "domainName=%d,o=domains,dc=a,dc=io", that means placeholder "%d" was not replaced by real domain name at all. When i remove "domainName=%d," and restart sogo service (all other settings are same), webmail login works fine.

OS: Ubuntu 18.04
OpenLDAP: 2.4.45
SOGo nightly build: 4.0.5.20190210-1

    SOGoUserSources = (
        {
            type = ldap;
            canAuthenticate = YES;
            isAddressBook = NO;
            displayName = "LDAP Authentication";

            hostname = "ldap://127.0.0.1:389";
            baseDN = "domainName=%d,o=domains,dc=a,dc=io";
            bindDN = "cn=vmail,dc=a,dc=io";
            bindPassword = "f70c8f378fa49c3684b84637d790da37";
            filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
            scope = SUB;

            bindAsCurrentUser = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha512;

            CNFieldName = cn;
            IDFieldName = mail;
            // value of UIDFieldName must be unique on entire server
            UIDFieldName = mail;
            IMAPLoginFieldName = mail;
            MailFieldNames = (mail);
            bindFields = (mail);
        },
(0013325)
zhb (reporter)
2019-02-10 10:09

Could you implement %s (full login name) and %u (username part in email address) also? so that we can narrow down the base dn to user account itself, it will help improve ldap query performance. for example:

baseDN = "mail=%s,ou=Users,domainName=%d,o=domains,dc=a,dc=io";

I'm sorry that this issue was reported long time ago and i didn't remember all use cases. :(
User avatar (0013331)
ludovic (administrator)
2019-02-11 08:04

Which OS are you testing on? You tested a nightly build (Feb 2nd) and the code landed 2 days AFTER that so it's normal it doesn't work.

It makes NO sense to use mail=%s - that's the base of SOGo for all queries so it'll miserably for example in the shared address book. As said before, use bindAsCurrentUser.
(0013332)
zhb (reporter)
2019-02-11 09:57

Dear Ludovic,

- OS: Ubuntu 18.04 LTS.
- SOGo version: 4.0.5.20190210-1 (I suppose this version was packed on Feb 10 - 6 days after your commit).

About base dn "mail=%s,ou=Users,domainName=%d,o=domains,dc=xx,dc=xx", this is the best option if we can have for user authentication (with scope set to BASE), not for per-domain or global address book.
(0013333)
zhb (reporter)
2019-02-11 09:59

By the way, we use 2 sections in SOGoUserSources, one for user authentication, one for per-domain address book.

For the user authentication, we hope to narrow down the LDAP search base dn, this way we can get best performance due.

For the per-domain address book, we use "domainName=%d,o=domains,dc=xx,dc=xx" to build dynamic base dn (with ACL in OpenLDAP config file as well).
User avatar (0013335)
ludovic (administrator)
2019-02-11 13:42

The baseDN can NOT contain a user part as it is used everywhere in SOGo where there's no context of a user.

I see no reason why the baseDN's %d wouldn't work - the code is there, I use it and it works.
(0013342)
zhb (reporter)
2019-02-13 07:45

Dear Ludovic,

I tested again today, it does NOT work.

- OS: Debian 9
- SOGo: 4.0.5.20190213-1
- SOGoUserSources setting in sogo.conf: https://pastebin.com/xjDinJNe [^]

Neither user authentication nor global (per-domain actually) address book works.
If i remove "domainName=%d," from baseDN, it works.

Could you help double check? I believe there's something wrong in the code.
Also, could you implement the %s placeholder for testing? If it doesn't work, let's remove %s before final release. Please.
User avatar (0013343)
ludovic (administrator)
2019-02-13 08:02

I think I know what happens - the domain must not be extracted properly in your configuration while it is on mine. I'll do more testing tomorrow and push a fix.
(0013344)
zhb (reporter)
2019-02-13 08:12

Dear Ludovic,

Thanks for the reply.

Please also be so kind to implement '%s' support in baseDN, at least give me a chance to test it, i believe it works. If it doesn't, we can remove it before final release 4.0.6.
User avatar (0013354)
ludovic (administrator)
2019-02-14 09:51

Try the upcoming nightly build which will be available in 24 hours from now.
(0013370)
zhb (reporter)
2019-02-15 20:13

Tested with SOGo 4.0.5.20190215-1 on Debian 9, %d works in baseDN for user authentication, but NOT for separated global address book.

Also, could you implement the %s placeholder (for user authentication) for testing? If it doesn't work, let's remove %s before final release. Please please please.
User avatar (0013385)
ludovic (administrator)
2019-02-19 11:20

What do you mean by separated global address book?

Also, %s CANNOT be implemented, as I said earlier, we do not have the user's context all the time.
User avatar (0013392)
ludovic (administrator)
2019-02-19 13:44

I see what you mean in your previous comment. I pushed a fix for that and it works. Please test the nightly builds that will be available in about 16 hours from now.
(0013406)
zhb (reporter)
2019-02-21 10:47

%d doesn't work in separated ldap address book. Full SOGoUserResources here:
https://pastebin.com/5pq0Nbjx [^]

Note:

- %d works for user authentication (canAuthenticate = YES; isAddressBook = NO;).
- %d does NOT work for ldap address book (canAuthenticate = NO; isAddressBook = YES;).
(0013407)
zhb (reporter)
2019-02-21 10:48

Tested with SOGo 4.0.5.20190221, nightly build.
User avatar (0013408)
ludovic (administrator)
2019-02-21 10:50

That's normal for now, the domain is changed ON THE FLY when the user authenticates.
(0013409)
zhb (reporter)
2019-02-21 14:10

I don't get it.

After successfully logged in, the login username (full email) is fixed, so that %d should be always expanded to the domain part of login user's email address. Why is it changed on the fly?
User avatar (0013410)
ludovic (administrator)
2019-02-21 14:11

Because the authentication source is created once, upon SOGo's startup and reused over time. It is a singleton.
(0013412)
zhb (reporter)
2019-02-22 01:41

I understand that the latest SOGo release works this way, but can we re-build baseDN each time when we need to query ldap address book? This is the real DYNAMIC base dn, and it's the best per-domain global address book we can get with the flexible LDAP query, and get rid of the "Multi-domains Configuration" which requires updating sogo.conf manually and restart sogo daemon service.

Please please please, help implement this flexible ldap address book.

- Related Changesets
sogo: master d9943e55
Timestamp: 2019-02-04 07:37:56
Author: ludovic
Details ] Diff ]
(feat) baseDN now accept dynamic domain values (fixes 0003685)
mod - Documentation/SOGoInstallationGuide.asciidoc Diff ] File ]
mod - NEWS Diff ] File ]
mod - SoObjects/SOGo/LDAPSource.h Diff ] File ]
mod - SoObjects/SOGo/LDAPSource.m Diff ] File ]

- Issue History
Date Modified Username Field Change
2016-05-20 08:30 zhb New Issue
2016-05-20 11:02 ludovic Severity minor => feature
2017-01-05 00:23 zhb Note Added: 0011166
2017-02-03 05:32 Christian Mack Note Added: 0011265
2019-01-04 09:40 modir Note Added: 0013235
2019-01-31 14:35 ludovic Note Added: 0013295
2019-01-31 20:00 zhb Note Added: 0013303
2019-01-31 20:24 ludovic Note Added: 0013304
2019-01-31 20:35 zhb Note Added: 0013305
2019-01-31 20:35 ludovic Note Added: 0013306
2019-01-31 20:44 zhb Note Added: 0013307
2019-02-04 07:40 ludovic Changeset attached => sogo master d9943e55
2019-02-04 07:40 ludovic Assigned To => ludovic
2019-02-04 07:40 ludovic Resolution open => fixed
2019-02-04 07:41 ludovic Note Added: 0013312
2019-02-04 11:00 zhb Note Added: 0013318
2019-02-04 11:24 Christian Mack Status new => resolved
2019-02-10 09:54 zhb Note Added: 0013323
2019-02-10 09:54 zhb Status resolved => feedback
2019-02-10 09:54 zhb Resolution fixed => reopened
2019-02-10 09:59 zhb Note Added: 0013324
2019-02-10 09:59 zhb Status feedback => assigned
2019-02-10 10:09 zhb Note Added: 0013325
2019-02-11 08:04 ludovic Note Added: 0013331
2019-02-11 09:57 zhb Note Added: 0013332
2019-02-11 09:59 zhb Note Added: 0013333
2019-02-11 13:42 ludovic Note Added: 0013335
2019-02-13 07:45 zhb Note Added: 0013342
2019-02-13 08:02 ludovic Note Added: 0013343
2019-02-13 08:12 zhb Note Added: 0013344
2019-02-14 09:51 ludovic Note Added: 0013354
2019-02-15 20:13 zhb Note Added: 0013370
2019-02-19 11:20 ludovic Note Added: 0013385
2019-02-19 13:44 ludovic Note Added: 0013392
2019-02-19 13:44 ludovic Status assigned => resolved
2019-02-19 13:44 ludovic Fixed in Version => 4.0.6
2019-02-19 13:44 ludovic Resolution reopened => fixed
2019-02-21 10:47 zhb Note Added: 0013406
2019-02-21 10:47 zhb Status resolved => feedback
2019-02-21 10:47 zhb Resolution fixed => reopened
2019-02-21 10:48 zhb Note Added: 0013407
2019-02-21 10:48 zhb Status feedback => assigned
2019-02-21 10:50 ludovic Note Added: 0013408
2019-02-21 14:10 zhb Note Added: 0013409
2019-02-21 14:11 ludovic Note Added: 0013410
2019-02-22 01:41 zhb Note Added: 0013412


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker