View Issue Details

ID: 0004192
Project: SOGo
Category: Web Calendar
View Status: public
Last Update: 2017-07-21 14:20
Reporter: t.oldenbuerger
Assigned To: ludovic
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: reopened
Platform: [Server] Linux
OS: RHEL/CentOS
OS Version: 7
Product Version: 3.2.9
Summary: 0004192: LDAP SoGo Multi Domain
Description

In SOGo Calendar, if a user wants to add a shared calendar/folder, ALL users from different domains are shown in the dialog. We installed a test environment with SQL backend: the issue did not happen, a user can only search for other users from its domain. We then installed another instance with LDAP backend and had the issue: a user sees every other user in the search dialog. The user cannot access the calendar, but can see every mail address from other domains of that mail server, which is not acceptable in an LDAP multi-domain installation.

Steps To Reproduce

Reproduce:

  • Log in to SOGo as user1@domain1.com
  • Select calendar
  • Select "Subscription (+)"
  • Type at least 3 characters from another existing domain: ain2

Result:

  • A list of all users from dom"ain2" is shown in the dialog.
  • If a user like "main2@domain1.com" exists, it is also shown.

Expected result:

  • Only a user like "main2@domain1.com" shall be shown in the dialog.
  • No user from a domain containing the search string should be shown.

Note:

  • The SQL installation shows the expected result; only the LDAP installation does not show the expected result.
Additional Information

Data source is a iRedMail-LDAP or iRedMail-SQL in PRO Version.

Tags: No tags attached.

Activities

Christian Mack

2017-06-12 11:31

developer   ~0011918

Please show your sogo.conf.

t.oldenbuerger

2017-06-12 11:41

reporter   ~0011920

Default configuration from iRedAdmin, most standard comments stripped for size.

{
WOPort = 127.0.0.1:20000;
LDAPDebugEnabled = YES;
WOWorkersCount = 40;
SOGoMaximumPingInterval = 3540;
SOGoMaximumSyncInterval = 3540;
SOGoInternalSyncInterval = 30;
WOWatchDogRequestTimeout = 60;
SOGoMaximumSyncWindowSize = 100;
SOGoMaximumSyncResponseSize = 2048;
SxVMemLimit = 1024;
SOGoProfileURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_user_profile";
OCSFolderInfoURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_sessions_folder";
OCSEMailAlarmsFolderURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/sogo_alarms_folder";

SOGoLanguage = English;
SOGoLoginModule = Mail;
SOGoForceExternalLoginWithEmail = YES;
SOGoMailCustomFromEnabled = YES;
SOGoEnableEMailAlarms = YES;
SOGoPageTitle = Mail;
SOGoIMAPServer = "imap://127.0.0.1:143/";
SOGoSMTPServer = 127.0.0.1;
SOGoMailingMechanism = smtp;
SOGoSieveServer = sieve://127.0.0.1:4190;
SOGoSieveScriptsEnabled = YES;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;
SOGoSieveFolderEncoding = UTF-8;
SOGoMemcachedHost = 127.0.0.1;
SOGoTimeZone = "Europe/Zurich";
SOGoFirstDayOfWeek = 1;
SOGoRefreshViewCheck = every_5_minutes;
SOGoMailReplyPlacement = below;
SOGoAppointmentSendEMailNotifications = YES;
SOGoFoldersSendEMailNotifications = YES;
SOGoACLsSendEMailNotifications = YES;
SOGoPasswordChangeEnabled = YES;

// Authentication using SQL
/* SQL backend
SOGoUserSources = (
    {
        type = sql;
        id = users;
        viewURL = "mysql://sogo:<redacted>@127.0.0.1:3306/sogo/users";
        canAuthenticate = YES;
        userPasswordAlgorithm = ssha;
        prependPasswordScheme = YES;
        isAddressBook = NO;
        displayName = "Domain Address Book";
        SOGoEnableDomainBasedUID = YES;
        DomainFieldName = "domain";
    }
);
SQL backend */

// Authentication using LDAP

SOGoUserSources = (
    {
        type = ldap;
        hostname = "ldap://127.0.0.1:389";
        baseDN = "o=domains,dc=server1,dc=organisation,dc=com";
        //bindAsCurrentUser = YES;
        bindDN = "cn=vmailadmin,dc=server1,dc=organisation,dc=com";
        bindPassword = "<redacted>";
        filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
        scope = SUB;
        userPasswordAlgorithm = ssha;

        IDFieldName = mail;
        bindFields = (mail);
        CNFieldName = cn;
        UIDFieldName = mail;
        IMAPLoginFieldName = mail;
        SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress);
        canAuthenticate = YES;
        displayName = "Global Address Book";
        id = ldap_auth;
        isAddressBook = NO;
    }
);

}

ludovic

2017-06-16 15:22

administrator   ~0011963

That is normal - DomainFieldName is for SQL sources only.

For LDAP sources, correctly define domains in SOGo.conf and set a SOGoUserSources per domain.

t.oldenbuerger

2017-06-19 10:33

reporter   ~0011989

The LDAP is our repository for all customer domains. This would mean I would have to add every domain (about 20 at the moment) into that configuration file. Is there a limit for SOGoUserSources and how does it impact performance?

After inserting two SOGoUserSources entries on the test system, LDAP debug showed that all user sources were queried regardless of the domain field, and again all emails were shown. So even when entered manually as described in https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration the issue remains.

Christian Mack

2017-06-19 11:43

developer   ~0011990

There is no limit in SOGo for the number of domains usable.
If your LDAP can handle it, there is no performance impact.

Did you set "SOGoEnableDomainBasedUID = YES;" ?

What have you set in SOGoDomainsVisibility ?

t.oldenbuerger

2017-07-04 11:40

reporter   ~0012026

As stated, I configured the system as described in your installation guide. If it is incomplete, please add the missing information.

Or make clear that it is not possible to use SOGo with one LDAP server and multiple domains/tenants that shall not see each other's cid in the frontend.

I assume that it is working but I configured it wrong: Is it planned to get this multi-domain support with LDAP without having to alter the configuration file each time a domain is added to the LDAP/system, i.e. the same functionality as in the SQL version?

Christian Mack

2017-07-05 08:09

developer   ~0012036

Perhaps you should provide your changed sogo.conf, so we can see where your problem is.

t.oldenbuerger

2017-07-21 08:33

reporter   ~0012117

Hello again.
Just had the time now to set up a test environment again - still with this issue.

I have one ldap server for all domains. I have attached the sogo.conf - no worries about the unredacted passwords, they are autogenerated at each new installation and exist on that internal VM only.

With this configuration, according to https://sogo.nu/files/docs/SOGoInstallationGuide.html#_multi_domains_configuration and https://sogo.nu/bugs/view.php?id=4192#c11990 I should be able to login to the system and not have access to other users data.

But I have.

Setup again:

  • example1.com with user1@example1.com, user2@example1.com
  • example2.com with user1@example2.com, user2@example2.com
  • vipdomain.com with user1@vipdomain.com

My steps again:

  • Log in as user1@vipdomain.com
  • Go to Calendar
  • Click on Subscriptions "+" (dialog "Subscribe to a shared folder" opens)
  • Enter "user"
  • Dialog shows list "user1@example1.com, user2@example1.com, user1@example2.com, user2@example2.com"

So user1@vipdomain.com sees ALL email addresses on the system. This does not happen when not using LDAP, but we rely on that LDAP and need this functionality.

t.oldenbuerger

2017-07-21 08:33

reporter  

sogo.conf (12,708 bytes)   
{
    //
    //  - Official SOGo document: http://sogo.nu/support/index.html#/documentation
    //  - Mailing list: http://sogo.nu/support/index.html#/community
    //

    // Daemon address and port
    WOPort = 127.0.0.1:20000;

    // PID file
    //WOPidFile = /var/run/sogo/sogo.pid;

    // Log file
    //WOLogFile = /var/log/sogo/sogo.log;

    // Enable verbose logging. Reference:
    // http://www.sogo.nu/nc/support/faq/article/how-to-enable-more-verbose-logging-in-sogo.html
    //SOGoDebugRequests = YES;
    //SOGoEASDebugEnabled = YES;
    //ImapDebugEnabled = YES;
    LDAPDebugEnabled = YES;
    //MySQL4DebugEnabled = YES;
    //PGDebugEnabled = YES;

    // Define the URL to online help for SOGo. When set, an additional icon
    // will appear near the logout button in SOGo's web interface. The URL
    // will always be open in a blank target.
    //SOGoHelpURL = '';

    // set the maximum allowed size for content being sent to SOGo, this can
    // also limit the file attachment size being uploaded to SOGo when
    // composing a mail.
    // The value is in kilobyte. Default is 0 or disabled (unlimit).
    WOMaxUploadSize = 15360;

    // Parameter used to set the maximum allowed email message size when
    // composing a mail.
    // The value is in kilobytes. By default, the value is 0, or disabled so
    // no limit will be set.
    SOGoMaximumMessageSizeLimit = 15360;

    // Performance Tuning
    //
    // The amount of instances of SOGo that will be spawned to handle multiple
    // requests simultaneously. When started from the init script, that amount
    // is overriden by the `PREFORK=` setting in /etc/sysconfig/sogo or
    // /etc/default/sogo. A value of 3 is a reasonable default for low usage.
    // The maximum value depends on the CPU and IO power provided by your
    // machine: a value set too high will actually decrease performances under
    // high load.
    //
    // You should have at least one child per EAS device configured to use
    // "push". You must also have more children than you have EAS devices
    // configured to use "push" - in order to handle normal SOGo requests to
    // its Web or DAV interfaces.
    //
    // Defaults to 1 when unset, increase it if you see below error message in
    // sogo log file: 'No child available to handle incoming request'
    //
    // WARNING:
    //      - on RHEL/CentOS, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/sysconfig/sogo.
    //      - on Debian/Ubuntu, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/default/sogo.
    WOWorkersCount = 10;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Ping command.
    // If not set, it defaults to 10 seconds.
    SOGoMaximumPingInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Sync command.
    // If not set, it defaults to 30 seconds.
    SOGoMaximumSyncInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before doing an internal check for data changes (add, delete, and
    // update). This parameter must be lower than SOGoMaximumSyncInterval and
    // SOGoMaximumPingInterval.
    // If not set, it defaults to 10 seconds.
    SOGoInternalSyncInterval = 30;

    // Specifies the number of minutes after which a busy child process will be
    // killed by the parent process.
    // Defaults to 10 (minutes).
    WOWatchDogRequestTimeout = 61;

    // Overwrite the maximum number of items returned during a Sync operation.
    // Defaults to 0, which means no overwrite is performed.
    // Setting this parameter to a value greater than 512 will have unexpected
    // behaviour with various ActiveSync clients.
    //SOGoMaximumSyncWindowSize = 100;

    // Overwrite the maximum response size during a Sync operation.
    // The value is in kilobytes. Setting this to 512 means the response size
    // will be of 524288 bytes or less (or a bit greater if needed for syncing
    // one item). Note that if you set the value too low and a mail message
    // (or any other object like calendar events, tasks and contacts) surpasses
    // it, it will still be synced but only this item will be.
    // Defaults to 0, which means no overwrite is performed.
    //
    // Say you have these five mails and you set the limit to 512KB:
    //  1.  250 KB
    //  2.  250 KB
    //  3.   25 KB
    //  4.  750 KB
    //  5.   10 KB
    // Sync iteration no. 1 will pick message 1, 2 and 3.
    // Sync iteration no. 2 will pick message 4.
    // Sync iteration no. 3 will pick message 5.
    SOGoMaximumSyncResponseSize = 2048;

    // The maximum amount of memory (in megabytes) that a child can use.
    // Reaching that value will force children processes to restart, in order
    // to preserve system memory.
    //
    // Error message when it reaches the value:
    // "terminating app, vMem size limit (xxx MB) has been reached (currently xxx MB)"
    //
    // Defaults to 384.
    SxVMemLimit = 500;

    // Enable XSRF (also known as CSRF) protection.
    SOGoXSRFValidationEnabled = YES;

    // IMAP connection pool.
    // Your performance will slightly increase, as you won't open a new
    // connection for every access to your IMAP server.
    // But you will get a lot of simultaneous open connections to your IMAP
    // server, so make sure he can handle them.
    // For debugging it is reasonable to turn pooling off.
    //NGImap4DisableIMAP4Pooling = NO;

    SOGoProfileURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_sessions_folder";
    OCSEMailAlarmsFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_alarms_folder";

    // With 3 parameters below, SOGo requires only 9 SQL tables in total
    // instead of creating 4 SQL tables for each user.
    OCSCacheFolderURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_cache_folder";
    OCSStoreURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_store";
    OCSAclURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/sogo_acl";

    // Default language in the web interface
    SOGoLanguage = English;

    // Specify which module to show after login: Calendar, Mail, Contacts.
    SOGoLoginModule = Mail;

    // Must login with full email address
    SOGoForceExternalLoginWithEmail = YES;

    // Allow user to change full name and email address.
    SOGoMailCustomFromEnabled = NO;

    // IMAP server
    // Local connection is considered as secure by Dovecot, so 'imap://' is fine.
    // With remote IMAP server, use 'imaps://127.0.0.1:143/?tls=YES' instead;
    SOGoIMAPServer = "imap://127.0.0.1:143/";

    // Allow user to add other IMAP accounts that will be visible from the SOGo
    // Webmail interface.
    // Default is NO.
    //SOGoMailAuxiliaryUserAccountsEnabled = YES;

    // SMTP server
    SOGoSMTPServer = 127.0.0.1;
    SOGoMailingMechanism = smtp;
    //SOGoSMTPAuthenticationType = PLAIN;

    // Enable managesieve service
    //
    // WARNING: Sieve scripts generated by SOGo is not compatible with Roundcube
    //          webmail, don't use sieve service in both webmails, otherwise
    //          it will be messy.
    //
    //SOGoSieveServer = sieve://127.0.0.1:4190;
    //SOGoSieveScriptsEnabled = YES;
    //SOGoVacationEnabled = YES;
    //SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;

    // Memcached
    SOGoMemcachedHost = 127.0.0.1;

    // Parameter used to set which usernames require administrative privileges
    // over all the users tables. For example, this could be used to post
    // events in the users calendar without requiring the user to configure
    // his/her ACLs. In this case you will need to specify those superuser's
    // usernames like this :
    // SOGoSuperUsernames = (<username1>[,<username2>, ...]);
    //SOGoSuperUsernames = ();

    SOGoTimeZone = "America/New_York";

    SOGoFirstDayOfWeek = 1;

    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;

    // Disable gravatar
    SOGoExternalAvatarsEnabled = NO;
    SOGoGravatarEnabled = NO;

    //
    // Notifications
    //
    // Enable email-based alarms on events and tasks.
    SOGoEnableEMailAlarms = YES;

    // Notify meeting participants
    SOGoAppointmentSendEMailNotifications = YES;

    // Notify if a calendar or an address book has been created.
    SOGoFoldersSendEMailNotifications = YES;

    // Notify involved users of a calendar or address book’s ACLs.
    SOGoACLsSendEMailNotifications = YES;

    // Notify when a modification is being done to his/her own calendar by someone else.
    SOGoNotifyOnExternalModifications = YES;

    // NOTE: PostgreSQL cannot update view in iRedMail
    SOGoPasswordChangeEnabled = YES;

    // Authentication using SQL
    /* SQL backend
    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
            canAuthenticate = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha;
            prependPasswordScheme = YES;

            // Use `vmail.mailbox` as per-domain address book.
            isAddressBook = YES;
            displayName = "Domain Address Book";
            SOGoEnableDomainBasedUID = YES;
            DomainFieldName = "domain";
        },

        //{
        //    //
        //    // WARNING: all mail users can see/search ALL accounts.
        //    //
        //    displayName = "Global Address Book";
        //    type = sql;
        //    id = global_address_book;
        //    viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
        //    canAuthenticate = NO;
        //    isAddressBook = YES;
        //}
    );
    SQL backend */

    // Authentication using LDAP


    domains = {
        example1.com = {
            SOGoMailDomain = example1.com;
            SOGoDraftsFolderName = Drafts;
            SOGoUserSources = (
                {
                    type = ldap;
                    userPasswordAlgorithm = ssha;
                    CNFieldName = cn;
                    IDFieldName = mail;
                    bindFields = (mail);
                    UIDFieldName = mail;
                    IMAPLoginFieldName = mail;
                    SOGoEnableDomainBasedUID = YES;
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=example,dc=com";
                    bindDN = "cn=vmail,dc=example,dc=com";
                    bindPassword = "kVV5DuLtKjdAU8GXdDN096a83l9D6W";
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
                    scope = SUB;
                    canAuthenticate = YES;
                    displayName = "example1 Addresses";
                    id = users;
                    isAddressBook = no;
                    port = 389;
                }
            );
        };
        example2.com = {
            SOGoMailDomain = example2.com;
            SOGoUserSources = (
                {
                    type = ldap;
                    userPasswordAlgorithm = ssha;
                    CNFieldName = cn;
                    IDFieldName = mail;
                    bindFields = (mail);
                    UIDFieldName = mail;
                    IMAPLoginFieldName = mail;
                    SOGoEnableDomainBasedUID = YES;
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=example,dc=com";
                    bindDN = "cn=vmail,dc=example,dc=com";
                    bindPassword = "kVV5DuLtKjdAU8GXdDN096a83l9D6W";
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
                    scope = SUB;
                    canAuthenticate = YES;
                    displayName = "example2 Addresses";
                    id = users;
                    isAddressBook = no;
                    port = 389;
                }
            );
        };
    };
}
Christian Mack

2017-07-21 09:23

developer   ~0012118

There should be no SOGoUserSources outside the domains.
You use a non domain aware sql SOGoUserSources:
SOGoUserSources = (
{
type = sql;
id = users;
viewURL = "mysql://sogo:MxIpwW834kkv2OdA0sr71A3mNNJ2pk@127.0.0.1:3306/sogo/users";
canAuthenticate = YES;

        // The algorithm used for password encryption when changing
        // passwords without Password Policies enabled.
        // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
        userPasswordAlgorithm = ssha;
        prependPasswordScheme = YES;

        // Use `vmail.mailbox` as per-domain address book.
        isAddressBook = YES;
        displayName = "Domain Address Book";
        SOGoEnableDomainBasedUID = YES;
        DomainFieldName = "domain";
    },

That is your problem, just remove it.

t.oldenbuerger

2017-07-21 09:41

reporter   ~0012119

In my file, this section is commented out and not used ?!

t.oldenbuerger

2017-07-21 09:42

reporter   ~0012120

Just confirmed: I removed the commented section and restarted the VM, to be sure. Same issue.

Christian Mack

2017-07-21 14:20

developer   ~0012121

You have "id = users;" set for both domains.
They must be different.

Also you have an identical filter for both domains, which does not restrict based on email domain at all.
Add a filter option with e.g. mail='*@example1.com'
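Putting the developer replies in this thread together (one SOGoUserSources per domain under `domains`, no domain-unaware source at the top level, a distinct `id` per source, and a per-domain `filter`), the `domains` block below is an added, corrected version of the reporter's attached configuration for the three test domains. It is an example written for this page, not code from the original report or from the SOGo project. It keeps the reporter's baseDN, bindDN, object class and field mappings; the source ids (`example1_users` etc.) and the vipdomain.com block are the editor's additions, passwords are redacted, and `SOGoEnableDomainBasedUID` is placed as a global default rather than inside each source (assumption: it is a global SOGo parameter). The `mail='*@example1.com'` clause is exactly the developer's suggestion; its wildcard handling is not shown on this page, so verify it before relying on it.

```text
{
    // ... daemon, database, IMAP and SMTP settings as in the attached sogo.conf ...

    // Keep on while validating: the LDAP filter SOGo actually sends is written to the log.
    LDAPDebugEnabled = YES;

    // Global default (assumption: not a per-source key): user identifiers carry their domain.
    SOGoEnableDomainBasedUID = YES;

    // No SOGoUserSources at this level. A top-level source is searched for every user and
    // would return every tenant's entries regardless of the domains block below.

    domains = {
        example1.com = {
            SOGoMailDomain = example1.com;
            SOGoUserSources = (
                {
                    type = ldap;
                    id = example1_users;                // must be unique across all domains
                    displayName = "example1 Addresses";
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=example,dc=com";
                    bindDN = "cn=vmail,dc=example,dc=com";
                    bindPassword = "<redacted>";
                    // The trailing mail clause is what keeps the other tenants' entries out of this source.
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo AND mail='*@example1.com'";
                    scope = SUB;
                    IDFieldName = mail;
                    UIDFieldName = mail;
                    CNFieldName = cn;
                    IMAPLoginFieldName = mail;
                    bindFields = (mail);
                    userPasswordAlgorithm = ssha;
                    canAuthenticate = YES;
                    isAddressBook = NO;
                }
            );
        };
        example2.com = {
            SOGoMailDomain = example2.com;
            SOGoUserSources = (
                {
                    type = ldap;
                    id = example2_users;                // different id from example1_users
                    displayName = "example2 Addresses";
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=example,dc=com";
                    bindDN = "cn=vmail,dc=example,dc=com";
                    bindPassword = "<redacted>";
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo AND mail='*@example2.com'";
                    scope = SUB;
                    IDFieldName = mail;
                    UIDFieldName = mail;
                    CNFieldName = cn;
                    IMAPLoginFieldName = mail;
                    bindFields = (mail);
                    userPasswordAlgorithm = ssha;
                    canAuthenticate = YES;
                    isAddressBook = NO;
                }
            );
        };
        vipdomain.com = {
            SOGoMailDomain = vipdomain.com;
            SOGoUserSources = (
                {
                    type = ldap;
                    id = vipdomain_users;
                    displayName = "vipdomain Addresses";
                    hostname = "ldap://127.0.0.1:389";
                    baseDN = "o=domains,dc=example,dc=com";
                    bindDN = "cn=vmail,dc=example,dc=com";
                    bindPassword = "<redacted>";
                    filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo AND mail='*@vipdomain.com'";
                    scope = SUB;
                    IDFieldName = mail;
                    UIDFieldName = mail;
                    CNFieldName = cn;
                    IMAPLoginFieldName = mail;
                    bindFields = (mail);
                    userPasswordAlgorithm = ssha;
                    canAuthenticate = YES;
                    isAddressBook = NO;
                }
            );
        };
    };
}
```

Two checks are worth doing after the restart. First, with LDAPDebugEnabled on, log in as user1@vipdomain.com, type "user" in the subscription dialog and confirm in sogo.log that each logged search carries the mail restriction for that user's domain and nothing else is queried; if the wildcard is not translated into the search, the clause has not taken effect and the leak the reporter describes persists. Second, run the same restriction directly against the directory with ldapsearch using the equivalent RFC 4515 filter, `(&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=sogo)(mail=*@example1.com))`, bound as cn=vmail under o=domains,dc=example,dc=com, and confirm only example1.com entries come back. Leave SOGoDomainsVisibility unset unless particular domains are meant to see each other's users; setting it is the supported way to reopen visibility between named domains, not the fix for this report.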

Issue History

Date Modified Username Field Change
2017-06-10 06:51 t.oldenbuerger New Issue
2017-06-12 11:31 Christian Mack Note Added: 0011918
2017-06-12 11:41 t.oldenbuerger Note Added: 0011920
2017-06-16 15:22 ludovic Note Added: 0011963
2017-06-16 15:22 ludovic Status new => closed
2017-06-16 15:22 ludovic Assigned To => ludovic
2017-06-16 15:22 ludovic Resolution open => no change required
2017-06-19 10:33 t.oldenbuerger Note Added: 0011989
2017-06-19 10:33 t.oldenbuerger Status closed => feedback
2017-06-19 10:33 t.oldenbuerger Resolution no change required => reopened
2017-06-19 11:43 Christian Mack Note Added: 0011990
2017-06-29 11:29 ludovic Severity major => minor
2017-07-04 11:40 t.oldenbuerger Note Added: 0012026
2017-07-04 11:40 t.oldenbuerger Status feedback => assigned
2017-07-05 08:09 Christian Mack Note Added: 0012036
2017-07-21 08:33 t.oldenbuerger Note Added: 0012117
2017-07-21 08:33 t.oldenbuerger File Added: sogo.conf
2017-07-21 09:23 Christian Mack Note Added: 0012118
2017-07-21 09:41 t.oldenbuerger Note Added: 0012119
2017-07-21 09:42 t.oldenbuerger Note Added: 0012120
2017-07-21 14:20 Christian Mack Note Added: 0012121