Yes, you are correct about IMAPLoginFieldName. As far as I understand, as designed, SOGo will consider all addresses returned in the LDAP record.

Anyway, I found a solution using LDAP ACLs in order to filter the record attributes that are returned to sogo. I will perform further testing, but this seems to do the trick. This is useful if:

1) Your LDAP records contain more than one email, like:

dn: uid=john-doe,ou=people,dc=example,dc=net
objectClass: inetOrgPerson
uid: john-doe
sn: Doe
givenName: John
cn: John Doe
userPassword: <PASSWORD>
mail: [email protected]
mail: [email protected]

2) Your email accounts are kept as separate mailboxes in the mail server

This example assumes:

1) That you hold user records in ou=people,dc=example,dc=net and sogo "automation accounts" in ou=automation,dc=example,dc=net. Of course this is completely arbitrary and you can adapt as needed.

2) Two email/sogo domains: example.net and example.com

3) Users will log in with the email address and will see only the mailbox used to log in

---

1) Create a LDAP user per SOGo domain

dn: uid=sogo-example-com,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-com
sn: Example Com
givenName: SOGo
cn: SOGo Example Com
userPassword: <PASSWORD>

dn: uid=sogo-example-net,ou=automation,dc=example,dc=net
objectClass: inetOrgPerson
uid: sogo-example-net
sn: Example Net
givenName: SOGo
cn: SOGo Example Net
userPassword: <PASSWORD>

2) Create LDAP ACLs to filter the returned mail attributes by domain (will DEFINITELY require adjustments depending on your existing ACLs). This will make sure that the sogo automation user only sees the email attribute that matches its domain.

# Each rule ends with "by * break" so that identities other than the
# automation account (admins, the users themselves) fall through to the
# ACLs that follow instead of hitting the implicit deny when no "by" matches.
olcAccess: to dn.children="ou=people,dc=example,dc=net" filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+example\.com$"
    by dn.base="uid=sogo-example-com,ou=automation,dc=example,dc=net" read
    by * break

olcAccess: to dn.children="ou=people,dc=example,dc=net" filter=(objectClass=inetOrgPerson) attrs=mail val.regex="^.+example\.net$"
    by dn.base="uid=sogo-example-net,ou=automation,dc=example,dc=net" read
    by * break

3) Attach each user to a specific SOGo domain (Contains extra fields such as passwordPolicy which might not be needed in your scenario):

  domains = {
    example.com = {
       SOGoMailDomain = example.com;
       SOGoUserSources = (
           {
               type = ldap;
               CNFieldName = cn;
               UIDFieldName = mail;
               IDFieldName = uid;
               bindFields = (mail);
               baseDN = "ou=people,dc=example,dc=net";
               bindDN = "uid=sogo-example-com,ou=automation,dc=example,dc=net";
               bindPassword = <PASSWORD>;
               canAuthenticate = YES;
               displayName = "example.com addressbook/login";
               hostname = ldaps://ldaps.example.net;
               id = example.com;
               isAddressBook = YES;
               passwordPolicy = YES;
           }
       );
    };
    example.net = {
       SOGoMailDomain = example.net;
       SOGoUserSources = (
           {
               type = ldap;
               CNFieldName = cn;
               UIDFieldName = mail;
               IDFieldName = uid;
               bindFields = (mail);
               baseDN = "ou=people,dc=example,dc=net";
               bindDN = "uid=sogo-example-net,ou=automation,dc=example,dc=net";
               bindPassword = <PASSWORD>;
               canAuthenticate = YES;
               displayName = "example.net addressbook/login";
               hostname = ldaps://ldaps.example.net;
               id = example.net;
               isAddressBook = YES;
               passwordPolicy = YES;
           }
       );
    };
  };

On 15/09/2018 18:47, Gordon Messmer ([email protected]) wrote:
> On 9/13/18, Andrei Goldchleger <[email protected]> wrote:
>> My LDAP user records contain multiple email addresses. For example:
>> My SOGoUserSources is like the following:
>> -----
>> SOGoUserSources = (
>>      {
>>         IMAPLoginFieldName = mail;
> That setting is optional.  IIRC, if it's not set, then SOGo will use
> the value provided in the login form, rather than an attribute from
> LDAP.


--
[email protected]
https://inverse.ca/sogo/lists
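To confirm that the ACLs from step 2 really hide the other domain's address from each automation account, the following script (an added example, not part of this message or of SOGo) checks the LDIF that ldapsearch returns when bound as one automation account: every mail value must belong to that account's domain. The script name check_mail_acl.py, the sample LDIF and the ldapsearch invocation are assumptions; the check anchors the domain on '@', which is stricter than the ACL's `^.+example\.com$` pattern (that pattern would also accept, say, user@notexample.com).

```python
import re
import sys

def ldif_lines(text):
    """Unwrap LDIF: a line beginning with a space continues the previous line."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def mail_by_dn(ldif_text):
    """Map each entry's dn to the plain 'mail:' values ldapsearch returned."""
    entries, dn = {}, None
    for line in ldif_lines(ldif_text):
        if line.startswith("dn: "):
            dn = line[4:]
            entries[dn] = []
        elif line.startswith("mail: ") and dn is not None:
            entries[dn].append(line[6:])
    return entries

def foreign_mail_values(ldif_text, domain):
    """(dn, value) pairs whose value is not an address at exactly `domain`.
    Anchoring on '@' is stricter than the ACL's '^.+example\\.com$', which
    would also accept user@notexample.com or user@sub.example.com."""
    own = re.compile(r"^[^@]+@" + re.escape(domain) + r"$", re.IGNORECASE)
    return [(dn, v) for dn, vals in mail_by_dn(ldif_text).items()
            for v in vals if not own.match(v)]

# Constructed sample: with the ACL in place, sogo-example-com must not see the .net value.
SAMPLE_LDIF = """\
dn: uid=john-doe,ou=people,dc=example,dc=net
mail: john.doe@example.com
mail: john.doe@example.net
"""

if __name__ == "__main__":
    # Typical use, bound as the sogo-example-com account (assumed invocation):
    #   ldapsearch -LLL -H ldaps://ldaps.example.net -W -D <that account's DN> \
    #     -b ou=people,dc=example,dc=net mail | python3 check_mail_acl.py example.com
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    leaks = foreign_mail_values(text, domain)
    for dn, value in leaks:
        print(f"LEAK {dn}: {value}")
    sys.exit(1 if leaks else 0)
```

Run it once per automation account; a non-zero exit means the ACL still returns an address from another domain and needs adjusting.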