1

Topic: Sogo Authenticate without domain part in email address

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: Debian 8 Jessie
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue:
====

Hi!
I see http://www.iredmail.org/docs/authentica … .name.html to authenticate in Roundcube, but it doesn't work on SOGo. What is the way to do it for SOGo?

Thanks,

Fabiano.

2

Re: Sogo Authenticate without domain part in email address

Seems sogo doesn't offer such a feature; maybe you can ask for support on the SOGo mailing list instead:
https://sogo.nu/support/index_new.html#/community

3 (edited by shinobi_b_92 2020-02-13 14:48:31)

Re: Sogo Authenticate without domain part in email address

ZhangHuangbin wrote:

Seems sogo doesn't offer such a feature; maybe you can ask for support on the SOGo mailing list instead:
https://sogo.nu/support/index_new.html#/community

Is this still the case with the LDAP backend? I think it depends on the LDAP structure. I have an older version of SOGo that can authenticate without the domain part, but I can't find the corresponding configuration line. The LDAP structure doesn't have a "mail" parameter, so everything is done via "uid".

4 (edited by shinobi_b_92 2020-02-14 17:25:23)

Re: Sogo Authenticate without domain part in email address

I have actually managed to make SOGo with the LDAP backend authenticate without the domain part, but it is somehow buggy!

What I did was to add "uid" to "bindFields":

// Authentication using LDAP

    SOGoUserSources = (
        {
            // Used for user authentication
            type = ldap;
            id = users;
            canAuthenticate = YES;
            isAddressBook = NO;
            displayName = "LDAP Authentication";

            hostname = "ldap://127.0.0.1:389";
            baseDN = "domainName=%d,o=domains,dc=mydomain,dc=com";
            bindDN = "cn=vmail,dc=mydomain,dc=com";
            bindPassword = "xGdU6a0FtWrymbNm8ghFxrYFMuKvm9";
            filter = "objectClass=mailUser AND accountStatus=active AND enabledService=mail AND enabledService=sogo";
            scope = SUB;

            // always keep binding to the LDAP server using the DN of the
            // currently authenticated user. bindDN and bindPassword are still
            // required to find DN of the user.
            // Note: with default LDAP acl configured by iRedMail, user doesn't
            //       have privilege to query o=domains,dc=mydomain,dc=com.
            //       so this doesn't work.
            bindAsCurrentUser = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            userPasswordAlgorithm = ssha512;

            CNFieldName = cn;
            IDFieldName = uid;
            // value of UIDFieldName must be unique on entire server
            UIDFieldName = uid;
            IMAPLoginFieldName = uid;
            MailFieldNames = (mail);
            bindFields = (uid, mail);
        }
    );

However, it only works after I try to log in with the domain part, log out and then log back in without the domain part. The effect applies to all users, so that a single login attempt by one user with the domain part unlocks the others to log in without the domain part.

And this has to be done every time the sogo service or the server is restarted!

My hypothesis is that this has something to do with the iRedMail LDAP structure...

This is the log from SOGo when I try logging in without the domain part:

SOGoRootPage Login from '1.2.3.4' for user 'abcd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

5

Re: Sogo Authenticate without domain part in email address

Please turn on debug mode (for LDAP) in sogo config file, we need to figure out whether sogo sends the correct ldap filter and what it gets in return.

FYI: https://docs.iredmail.org/debug.sogo.html

Your modification looks fine.

6

Re: Sogo Authenticate without domain part in email address

Hmm, one possible issue: please set “bindFields = (uid);” and try again.

7 (edited by shinobi_b_92 2020-02-14 18:11:11)

Re: Sogo Authenticate without domain part in email address

2020-02-14 11:01:53.343 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base '' filter '(objectClass=*)' for attrs 'subschemaSubentry'
2020-02-14 11:01:53.344 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'cn=Subschema' filter '(objectClass=*)' for attrs 'objectclasses'
2020-02-14 11:01:53.352 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'domainname=%d,o=domains,dc=mydomain,dc=com' filter '(&(|(uid=abcd)(mail=abcd))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=sogo))' for attrs 'dn'
Feb 14 11:01:53 sogod [13466]: SOGoRootPage Login from '1.2.3.4' for user 'abcd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

8 (edited by shinobi_b_92 2020-02-14 18:09:37)

Re: Sogo Authenticate without domain part in email address

ZhangHuangbin wrote:

Hmm, one possible issue: please set “bindFields = (uid);” and try again.

It does not authenticate at all, even with @mydomain.com.


I have also set these in sogo.conf (tried with "uid" only and "uid, mail"):

SOGoForceExternalLoginWithEmail = NO;
SOGoEnableDomainBasedUID = NO;

9

Re: Sogo Authenticate without domain part in email address

Remove “domainname=%d,” from baseDN. When you log in without the domain part, it (%d) will have an empty value.

10 (edited by shinobi_b_92 2020-02-14 18:21:31)

Re: Sogo Authenticate without domain part in email address

shinobi_b_92 wrote:

2020-02-14 11:01:53.343 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base '' filter '(objectClass=*)' for attrs 'subschemaSubentry'
2020-02-14 11:01:53.344 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'cn=Subschema' filter '(objectClass=*)' for attrs 'objectclasses'
2020-02-14 11:01:53.352 sogod[13466:13466] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'domainname=%d,o=domains,dc=mydomain,dc=com' filter '(&(|(uid=abcd)(mail=abcd))(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=sogo))' for attrs 'dn'
Feb 14 11:01:53 sogod [13466]: SOGoRootPage Login from '1.2.3.4' for user 'abcd' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0

It's the filter. @mydomain.com is not appended to mail=abcd

11

Re: Sogo Authenticate without domain part in email address

ZhangHuangbin wrote:

Remove “domainname=%d,” from baseDN. When you log in without the domain part, it (%d) will have an empty value.

Yeah, that was the trick!!! Thanks a lot!!!
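The failure in post 4 and the fix in post 9 can be reproduced offline. The script below is an added example and is not SOGo's or iRedMail's code: it models only the two behaviours visible in the thread's debug log (the `%d` in `baseDN` is replaced by the domain part of the login, and `bindFields` become an OR'ed term in front of the static `filter`) and shows that a login without an `@` turns the `domainName=%d` RDN into an empty value, which is why `bound: 0` is logged. The domain, DN and config values are constructed placeholders taken from the thread; the exact way SOGo does the substitution internally is an assumption.

```python
"""Model of how SOGo expands an iRedMail LDAP user source for a given login.

Added example, not SOGo code. Assumption: %d in baseDN is replaced by the
domain part of the login (empty when the login has no '@'), and bindFields
are OR'ed together in front of the static filter, as seen in the thread log.
"""
import re

# Constructed sample config mirroring post 4 (placeholder domain and DNs).
BROKEN_SOURCE = {
    "baseDN": "domainName=%d,o=domains,dc=mydomain,dc=com",
    "filter": "objectClass=mailUser AND accountStatus=active "
              "AND enabledService=mail AND enabledService=sogo",
    "bindFields": ("uid", "mail"),
    "scope": "SUB",
}
# The fix from post 9: drop the per-domain RDN so the base DN never needs %d.
FIXED_SOURCE = dict(BROKEN_SOURCE, baseDN="o=domains,dc=mydomain,dc=com")


def split_login(login):
    """Return (local, domain). domain is '' when the login has no '@'."""
    local, sep, domain = login.partition("@")
    return local, (domain if sep else "")


def ldap_escape(value):
    """RFC 4515 escaping so a login string cannot alter the filter syntax."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def expand_base_dn(template, login):
    """Substitute %d with the login's domain part (modelled SOGo behaviour)."""
    _, domain = split_login(login)
    return template.replace("%d", domain)


def build_filter(source, login):
    """Rebuild '(&(|(uid=x)(mail=x))(objectClass=...)...)' as in the log."""
    esc = ldap_escape(login)
    bind = "(|" + "".join("(%s=%s)" % (f, esc) for f in source["bindFields"]) + ")"
    static = "".join("(%s)" % c.strip() for c in source["filter"].split(" AND "))
    return "(&%s%s)" % (bind, static)


def empty_rdns(dn):
    """Return attribute names of RDNs whose value is empty (an invalid DN)."""
    return [rdn.split("=", 1)[0] for rdn in dn.split(",") if rdn.endswith("=")]


def plan_search(source, login):
    """Return the base DN, filter and any empty RDNs SOGo would end up with."""
    base = expand_base_dn(source["baseDN"], login)
    return {"base": base, "filter": build_filter(source, login),
            "empty_rdn": empty_rdns(base)}


if __name__ == "__main__":
    for src_name, src in (("broken", BROKEN_SOURCE), ("fixed", FIXED_SOURCE)):
        for login in ("abcd", "abcd@mydomain.com"):
            p = plan_search(src, login)
            print(src_name, login, "->", p["base"],
                  "EMPTY RDN %s" % p["empty_rdn"] if p["empty_rdn"] else "ok")
```

With the fixed base DN the search runs from `o=domains,...` with `scope = SUB`, so the filter now spans every domain on the server: a `uid` or `mail` value that exists under two domains would make the OR'ed `bindFields` term ambiguous, which is exactly why the comment in post 4 says `UIDFieldName` must be unique on the entire server. Check that before relying on domain-less logins.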