Hi Dennis,

I've thought about that - as far as I can tell, that would still have the problem (except that all users could now see an address book for each domain, since the instance is shared). I'm also creating domains directly into LDAP, and if I use a different addressbook per domain, I need to edit configs & restart any SOGo instances whenever I do so (which is doable but messy). Is there a theoretical limit on the number of LDAP address books btw?

Unless there's some way to perform a substitution on the LDAP base of the address book when queried? Something like (I'm no good @ ObjectiveC so pseudocode follows):

    $ParentDomain = getUserDNComponent($UserDN,3);
    $ldapsearchbase = $ParentDomain + ",o=hosting,dc=my,dc=domain";

?

On the other hand - I get the feeling it's possibly a good idea for ldap queries visible to the user, to respect ldap ACLs for that user, regardless of the specific use case...

Thanks,
-Nathanael Bettridge

--- On Mon, 12/6/10, Dennis Petschull <[email protected]> wrote:

From: Dennis Petschull <[email protected]>
Subject: Re: [SOGo] LDAP Address Book Indirect Bind
To: "Nathanael Bettridge" <[email protected]>
Cc: [email protected]
Date: Monday, December 6, 2010, 1:47 AM

Hi Nathanael,

Why not use a different subtree search for each of your domains, e.g. domainOU=testX.local,o=hosting,dc=my,dc=domain?

Cheers,
Dennis
--
two4.IT
http://www.two4.it

On Sunday 05 December 2010 14:42:25 Nathanael Bettridge wrote:
> Hi folks,
>
> I'm setting up a multi-tenant mail system at the moment, SOGo works a treat
> with it all, however there's one quirk.
> We're segregating different mail domains/organizations in LDAP within
> different OUs (for example
> [email protected],ou=users,domainOU=test1.local,o=hosting,dc=my,dc=domain and
> [email protected],ou=users,domainOU=test2.local,o=hosting,dc=my,dc=domain)
> with each UID only having read permissions to its own domainOU and below.
> Address books use a subtree search from o=hosting,dc=my,dc=domain - ACLs
> screen out unwanted entries.
> When directly listing addresses from LDAP bound as a hosted user
> ([email protected] for instance), it can only see cards from within
> domainOU=test1.local, o=hos...
> From within SOGo however, the user sees *all* configured domains' users,
> not just his own. LDAP debugging indicates queries are made only as the DN
> written into the defaults file (not the logged-in user)
> It would be nice if the LDAP addressbooks could be enumerated based on an
> indirect bind. Is there any way to get SOGo to do this, or is it into
> patch territory? For the moment I'm assuming I'll just have to keep LDAP
> addressbooks hidden, but it would be nice to have them work this way...
>
> Thanks,
>
> Nathanael Bettridge
> Prodigy Communications
> --
> [email protected]
> https://inverse.ca/sogo/lists
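As an added example (not from the thread and not SOGo's own code), the substitution Nathanael sketches, written out in Python: derive the tenant's domainOU subtree from the logged-in user's DN and use it as the search base, failing closed when the DN does not sit under the hosting suffix. The DN layout and the o=hosting,dc=my,dc=domain suffix come from the thread; the user names and the in-memory directory are constructed.

```python
"""Per-tenant LDAP search base derived from the logged-in user's DN.

Models the proposal in the thread: instead of one subtree search from
o=hosting,dc=my,dc=domain run as the DN in the defaults file (which sees
every tenant), take the user's own domainOU as the base.
"""

HOSTING_SUFFIX = "o=hosting,dc=my,dc=domain"  # suffix quoted in the thread


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def tenant_search_base(user_dn):
    """Return the domainOU subtree the user belongs to, or None when the DN
    is not under the hosting suffix or carries no domainOU (fail closed)."""
    rdns = split_dn(user_dn)
    suffix = split_dn(HOSTING_SUFFIX)
    if [r.lower() for r in rdns[-len(suffix):]] != [s.lower() for s in suffix]:
        return None
    for i, rdn in enumerate(rdns):
        if rdn.lower().startswith("domainou="):
            return ",".join(rdns[i:])
    return None


def visible_entries(user_dn, directory):
    """Entries a per-tenant search base exposes to this user; empty when no
    base could be derived, so a malformed DN never widens the search."""
    base = tenant_search_base(user_dn)
    if base is None:
        return []
    return [dn for dn in directory if dn.lower().endswith("," + base.lower())]


# Constructed sample directory: two tenants under the same hosting subtree.
DIRECTORY = [
    "uid=alice@test1.local,ou=users,domainOU=test1.local,o=hosting,dc=my,dc=domain",
    "uid=bob@test1.local,ou=users,domainOU=test1.local,o=hosting,dc=my,dc=domain",
    "uid=carol@test2.local,ou=users,domainOU=test2.local,o=hosting,dc=my,dc=domain",
]
```

With the shared bind from the defaults file the search base stays at o=hosting,dc=my,dc=domain and all three entries come back for every user; with the derived base each tenant only sees its own domainOU.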
