Scalable OGo (SOGo)

ID: 0004192
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2017-06-10 02:51
Last Update: 2017-07-21 10:20
Reporter: t.oldenbuerger
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: reopened
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 7
Product Version: 3.2.9
Target Version: (none)
Fixed in Version: (none)
Summary: 0004192: LDAP SoGo Multi Domain
Description:
In SOGo Calendar, if a user wants to add a shared calendar/folder, ALL users from different domains are shown in the dialog. We installed a test environment with SQL backend: the issue did not happen, a user can only search for other users from its domain. We then installed another instance with LDAP backend, and had the issue: a user sees every other user in the search dialog. The user cannot access the calendar, but can see every mail address from other domains of that mailserver, which is not acceptable in an LDAP multi-domain installation.
Steps To Reproduce:
- Login into SOGO as user1@domain1.com
- Select calendar
- Select "Subscription (+)"
- Type at least 3 characters from another existing domain: ain2
Result:
- A list of all users from dom"ain2" is shown in the dialog.
- If a user like "main2@domain1.com" exists, it is also shown.
Expected result:
- Only a user like "main2@domain1.com" shall be shown in the dialog.
- No user from a domain containing the search string should be shown.
Note:
- The SQL installation shows the expected result, only the LDAP installation does not show the
expected result.
Additional Information: Data source is an iRedMail-LDAP or iRedMail-SQL in PRO Version.
Tags: No tags attached.
Attached Files: sogo.conf (12,708 bytes) 2017-07-21 04:33


Notes

(0011918)
Christian Mack (developer)
2017-06-12 07:31

Please show your sogo.conf.
(0011920)
t.oldenbuerger (reporter)
2017-06-12 07:41

Default configuration from iRedAdmin, most standard comments stripped for size.


{
    WOPort = 127.0.0.1:20000;
    LDAPDebugEnabled = YES;
    WOWorkersCount = 40;
    SOGoMaximumPingInterval = 3540;
    SOGoMaximumSyncInterval = 3540;
    SOGoInternalSyncInterval = 30;
    WOWatchDogRequestTimeout = 60;
    SOGoMaximumSyncWindowSize = 100;
    SOGoMaximumSyncResponseSize = 2048;
    SxVMemLimit = 1024;
    SOGoProfileURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_sessions_folder";
    OCSEMailAlarmsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_alarms_folder";

    SOGoLanguage = English;
    SOGoLoginModule = Mail;
    SOGoForceExternalLoginWithEmail = YES;
    SOGoMailCustomFromEnabled = YES;
    SOGoEnableEMailAlarms = YES;
    SOGoPageTitle = Mail;
    SOGoIMAPServer = "imap://127.0.0.1:143/";
    SOGoSMTPServer = 127.0.0.1;
    SOGoMailingMechanism = smtp;
    SOGoSieveServer = sieve://127.0.0.1:4190;
    SOGoSieveScriptsEnabled = YES;
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;
    SOGoMemcachedHost = 127.0.0.1;
    SOGoTimeZone = "Europe/Zurich";
    SOGoFirstDayOfWeek = 1;
    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoFoldersSendEMailNotifications = YES;
    SOGoACLsSendEMailNotifications = YES;
    SOGoPasswordChangeEnabled = YES;

    // Authentication using SQL
    /* SQL backend
    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/users";
            canAuthenticate = YES;
            userPasswordAlgorithm = ssha;
            prependPasswordScheme = YES;
            isAddressBook = NO;
            displayName = "Domain Address Book";
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
        }
    );
    SQL backend */

    // Authentication using LDAP
    
    SOGoUserSources = (
        {
            type = ldap;
            hostname = "ldap://127.0.0.1:389";
            baseDN = "o=domains,dc=server1,dc=organisation,dc=com";
            //bindAsCurrentUser = YES;
            bindDN = "cn=vmailadmin,dc=server1,dc=organisation,dc=com";
            bindPassword = "<redacted>";
            filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
            scope = SUB;
            userPasswordAlgorithm = ssha;

            IDFieldName = mail;
            bindFields = (mail);
            CNFieldName = cn;
            UIDFieldName = mail;
            IMAPLoginFieldName = mail;
            SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress);
            canAuthenticate = YES;
            displayName = "Global Address Book";
            id = ldap_auth;
            isAddressBook = NO;
        }
    );
    
}
(0011963)
ludovic (administrator)
2017-06-16 11:22

That is normal - DomainFieldName is for SQL sources *only*.

For LDAP sources, correctly define *domains* in SOGo.conf and set a SOGoUserSources per domain.
(0011989)
t.oldenbuerger (reporter)
2017-06-19 06:33

The LDAP is our repository for all customer domains. This would mean I would have to add every domain (about 20 at the moment) into that configuration file. Is there a limit for SOGoUserSources and how does it impact performance?

After inserting two SOGoUserSources entries on the test system, ldap debug showed that all UserSources were queried regardless of the domain field, and again all emails were shown. So even when entered manually as described in https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration the issue remains.
(0011990)
Christian Mack (developer)
2017-06-19 07:43

There is no limit in SOGo for the number of domains usable.
If your LDAP can handle it, there is no performance impact.

Did you set "SOGoEnableDomainBasedUID = YES;" ?

What have you set in SOGoDomainsVisibility ?
(0012026)
t.oldenbuerger (reporter)
2017-07-04 07:40

As stated, I configured the system as described in your installation guide.
If it is incomplete, please add the missing information.

Or make clear that it is not possible to use SOGo with one ldap server and multiple domains/tenants that shall not see each others cid in the frontend.

I assume that it is working but I configured it wrong:
Is it planned to get this multi domain support with ldap without having to alter the configuration file each time a domain is added to the ldap/system, so the functionality is as in the sql version?
(0012036)
Christian Mack (developer)
2017-07-05 04:09

Perhaps you should provide your changed sogo.conf, so we can see where your problem is.
(0012117)
t.oldenbuerger (reporter)
2017-07-21 04:33

Hello again.
Just had the time now to set up a test environment again - still with this issue.

I have one ldap server for all domains. I have attached the sogo.conf - no worries about the unredacted passwords, they are autogenerated at each new installation and exist on that internal VM only.

With this configuration, according to https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration and https://sogo.nu/bugs/view.php?id=4192#c11990 I should be able to login to the system and not have access to other users data.

But I have.

Setup again:
- example1.com with user1@example1.com, user2@example2.com
- example2.com with user1@example2.com, user2@example2.com
- vipdomain.com with user1@vipdomain.com

My steps again:
- Login as user1@vipdomain.com
- Goto Calendar
- Click on Subscriptions "+" (dialog Subscribe to a shared folder opens)
- Enter "user"
- Dialog shows list "user1@example1.com, user2@example1.com, user1@example2.com, user2@example2.com"


So user1@vipdomain.com sees ALL email addresses on the system. This does not happen when not using ldap, but we rely on that ldap and need this functionality.
(0012118)
Christian Mack (developer)
2017-07-21 05:23

There should be no SOGoUserSources outside the domains.
You use a non-domain-aware SQL SOGoUserSources:
    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
            canAuthenticate = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha;
            prependPasswordScheme = YES;

            // Use `vmail.mailbox` as per-domain address book.
            isAddressBook = YES;
            displayName = "Domain Address Book";
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
        },

That is your problem, just remove it.
(0012119)
t.oldenbuerger (reporter)
2017-07-21 05:41

In my file, this section is commented out and not used ?!
(0012120)
t.oldenbuerger (reporter)
2017-07-21 05:42

Just confirmed: I removed the commented section and restarted the vm, to be sure to be sure.. same issue.
(0012121)
Christian Mack (developer)
2017-07-21 10:20

You have "id = users;" set for both domains.
They must be different.

Also you have identical filter for both domains, which do not restrict based on email domain at all.
Add a filter option with e.g. mail='*@example1.com'
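The shape the last note asks for, applied to the reporter's LDAP source as an added example (not the attached sogo.conf and not SOGo project code): every source sits under its own entry in `domains`, each has a distinct `id`, and each filter carries the `mail='*@<domain>'` restriction so a search can only match that tenant's mailboxes. The `domains` block and the filter syntax follow the installation guide linked above; the ids, the "Address Book" display names and the use of one shared `vmailadmin` bind account are assumptions taken from this thread.

```plist
{
    /* ... other global keys from the reporter's file stay as they were ... */
    SOGoEnableDomainBasedUID = YES;
    /* No SOGoUserSources at this level: a top-level source is shared by every domain, which is what exposed every address to every user. */
    domains = {
        "example1.com" = {
            SOGoUserSources = (
                {
                    type = ldap;
                    id = ldap_example1;    /* unique per source; "users" twice makes the two sources indistinguishable */
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=server1,dc=organisation,dc=com";
                    bindDN = "cn=vmailadmin,dc=server1,dc=organisation,dc=com";
                    bindPassword = "<redacted>";
                    /* The reporter's filter plus the per-domain restriction from note 0012121 */
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo AND mail='*@example1.com'";
                    scope = SUB; userPasswordAlgorithm = ssha;
                    IDFieldName = mail; UIDFieldName = mail; IMAPLoginFieldName = mail;
                    bindFields = (mail); CNFieldName = cn;
                    SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress);
                    canAuthenticate = YES;
                    isAddressBook = NO;
                    displayName = "example1.com Address Book";
                }
            );
        };
        "example2.com" = {
            SOGoUserSources = (
                {
                    type = ldap;
                    id = ldap_example2;    /* different from the id above */
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=server1,dc=organisation,dc=com";
                    bindDN = "cn=vmailadmin,dc=server1,dc=organisation,dc=com";
                    bindPassword = "<redacted>";
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo AND mail='*@example2.com'";
                    scope = SUB; userPasswordAlgorithm = ssha;
                    IDFieldName = mail; UIDFieldName = mail; IMAPLoginFieldName = mail;
                    bindFields = (mail); CNFieldName = cn;
                    SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress);
                    canAuthenticate = YES;
                    isAddressBook = NO;
                    displayName = "example2.com Address Book";
                }
            );
        };
        /* vipdomain.com: same block with id = ldap_vipdomain and mail='*@vipdomain.com' */
    };
}
```

The filter is the only thing keeping tenants apart here, since the shared bind account can read the whole `o=domains` subtree; if the directory keeps each domain under its own sub-entry, pointing `baseDN` at that sub-entry (and binding with a per-domain account that can read only it) is a stronger boundary that does not depend on the filter being right. SOGoDomainsVisibility, asked about in note 0011990, is the setting that deliberately opens visibility between the domains it lists, so it should stay unset for tenants that must not see each other.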

Issue History
Date Modified Username Field Change
2017-06-10 02:51 t.oldenbuerger New Issue
2017-06-12 07:31 Christian Mack Note Added: 0011918
2017-06-12 07:41 t.oldenbuerger Note Added: 0011920
2017-06-16 11:22 ludovic Note Added: 0011963
2017-06-16 11:22 ludovic Status new => closed
2017-06-16 11:22 ludovic Assigned To => ludovic
2017-06-16 11:22 ludovic Resolution open => no change required
2017-06-19 06:33 t.oldenbuerger Note Added: 0011989
2017-06-19 06:33 t.oldenbuerger Status closed => feedback
2017-06-19 06:33 t.oldenbuerger Resolution no change required => reopened
2017-06-19 07:43 Christian Mack Note Added: 0011990
2017-06-29 07:29 ludovic Severity major => minor
2017-07-04 07:40 t.oldenbuerger Note Added: 0012026
2017-07-04 07:40 t.oldenbuerger Status feedback => assigned
2017-07-05 04:09 Christian Mack Note Added: 0012036
2017-07-21 04:33 t.oldenbuerger Note Added: 0012117
2017-07-21 04:33 t.oldenbuerger File Added: sogo.conf
2017-07-21 05:23 Christian Mack Note Added: 0012118
2017-07-21 05:41 t.oldenbuerger Note Added: 0012119
2017-07-21 05:42 t.oldenbuerger Note Added: 0012120
2017-07-21 10:20 Christian Mack Note Added: 0012121

