Dear all,
I'm migrating to sogo nightly 4.0.7 and the filter that limits
authentication to users who are members of a certain group doesn't work
anymore. I can still filter (enable/disable access to sogo) by checking
whether the account is disabled in Active Directory (Windows 2012R2).
My LDAP config:
SOGoUserSources = (
  {
    type = ldap;
    CNFieldName = cn;
    UIDFieldName = sAMAccountName;
    IDFieldName = cn;
    baseDN = "CN=Users,dc=ad,dc=xyz,dc=org";
    bindDN = "CN=auth_sogo,CN=Users,DC=ad,DC=xyz,DC=org";
    bindFields = (sAMAccountName);
    bindPassword = "mypassw";
    canAuthenticate = YES;
    displayName = "xyz Staff";
    bindAsCurrentUser = YES;
    hostname = "ldaps://dc.ad.xyz.org:636";
    filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'
              AND UserAccountControl:1.2.840.113556.1.4.803: <> 2";
    id = directory;
    isAddressBook = YES;
  }
);
I tried different syntaxes (e.g. filter =
"(objectClass='access_sogo' .... as in the manual), but a test user
always gets authenticated, no matter whether he is in the group
"access_sogo" or not. It also doesn't matter if I temporarily don't
check whether the AD user is disabled (e.g.
filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'";
also doesn't work: the user is always authenticated).
-) "access_sogo" is a global security group.
The test user is only in the "domain user" group, besides the "access_sogo"
group for testing.
-) The auth_sogo bind user is in the domain user group, nowhere else.
sogo.log:
....
May 16 14:35:10 sogod [22127]: <0x0x5652ad140220[NGLdapConnection]>
Using ldap_initialize for LDAP URL: ldaps://dc.xyz.org:636
May 16 14:35:10 sogod [22127]: SOGoRootPage successful login from
'10.11.1.51' for user 'it-test' - expire = -1 grace = -1
....
Also,
LDAPDebugEnabled = YES;
doesn't seem to do anything.
--
https://inverse.ca/sogo/lists
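An added diagnostic example (not from the post above and not SOGo's own code): it builds the RFC 4515 filter that expresses the same "member of access_sogo AND not disabled" rule, so the rule can be checked directly against the directory with ldapsearch, and evaluates that rule locally on the attributes a search returns. The group DN and the sample entries are constructed from the post; the attribute values are made up.

```python
# Added example: express the poster's SOGo access rule as a plain LDAP
# filter and as a local check on an entry's attributes. Not SOGo code.
from typing import Mapping

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND rule OID


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def access_filter(group_dn: str) -> str:
    """Filter matching entries that are in group_dn AND not disabled."""
    return "(&(memberOf=%s)(!(userAccountControl:%s:=%d)))" % (
        escape_filter_value(group_dn), LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)


def is_allowed(entry: Mapping[str, object], group_dn: str) -> bool:
    """Same rule evaluated on returned attributes (DNs compare case-insensitively)."""
    groups = entry.get("memberOf", [])
    if isinstance(groups, str):
        groups = [groups]
    in_group = any(str(g).lower() == group_dn.lower() for g in groups)
    uac = int(entry.get("userAccountControl", 0))
    return in_group and not (uac & ACCOUNTDISABLE)


# Constructed sample entries modelled on the post's directory (not real data).
GROUP = "CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org"
SAMPLE = {
    "it-test": {"memberOf": [GROUP], "userAccountControl": 512},   # normal, in group
    "nogroup": {"memberOf": [], "userAccountControl": 512},        # normal, not in group
    "disabled": {"memberOf": [GROUP], "userAccountControl": 514},  # in group, disabled
}

if __name__ == "__main__":
    print(access_filter(GROUP))  # paste into ldapsearch to check the directory side
    for uid, attrs in SAMPLE.items():
        print(uid, is_allowed(attrs, GROUP))
```

If ldapsearch with the printed filter returns the test user only while that user is in access_sogo, the directory side behaves as expected and the difference lies in how the SOGo filter is applied.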