OK, it seems I can answer the question myself. After taking 10 minutes to craft the email below, it suddenly worked. I guess the AD group membership cache was renewed:
the old sogo is authenticating towards a much faster DC, so there seems to be no caching delay. For the new sogo 4.0.7 deployment I authenticated towards a much slower DC, so group membership caching seems to be the issue .... I tried it now 3 times, waiting a couple of minutes, and the filter is working. So I think it was the AD group caching all the time ... hopefully this is useful information so nobody wastes hours on it.

On 16.05.19 16:38, "[email protected]" ([email protected]) wrote:
> Dear all,
>
> I'm migrating to sogo nightly 4.0.7 and the filter to limit
> authentication to users being member of a certain group doesn't work
> anymore. I can still filter (enable/disable access to sogo) by checking
> whether the account is disabled in Active Directory (Windows 2012R2).
>
> my ldap config:
>
> SOGoUserSources = (
>   {
>     type = ldap;
>     CNFieldName = cn;
>     UIDFieldName = sAMAccountName;
>     IDFieldName = cn;
>     baseDN = "CN=Users,dc=ad,dc=xyz,dc=org";
>     bindDN = "CN=auth_sogo,CN=Users,DC=ad,DC=xyz,DC=org";
>     bindFields = (sAMAccountName);
>     bindPassword = "mypassw";
>     canAuthenticate = YES;
>     displayName = "xyz Staff";
>     bindAsCurrentUser = YES;
>     hostname = "ldaps://dc.ad.xyz.org:636";
>     filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org' AND UserAccountControl:1.2.840.113556.1.4.803: <> 2";
>     id = directory;
>     isAddressBook = YES;
>   }
> );
>
> I tried different syntax (e.g. filter = "(objectClass='access_sogo' .... as in the manual) but a test user
> always gets authenticated, no matter whether he is in the group
> "access_sogo" or not. It also doesn't matter when I temporarily don't
> check whether the AD user is disabled or not (e.g. also
> filter = "memberOf = 'CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org'";
> doesn't work (user is always authenticated).
>
> -) "access_sogo" is a global security group.
>    The test user is only in the "domain user" group, beside the "access_sogo"
>    group for testing.
> -) auth_sogo bind user is in domain user group, nowhere else.
>
> sogo.log:
> ....
> May 16 14:35:10 sogod [22127]: <0x0x5652ad140220[NGLdapConnection]> Using ldap_initialize for LDAP URL: ldaps://dc.xyz.org:636
> May 16 14:35:10 sogod [22127]: SOGoRootPage successful login from '10.11.1.51' for user 'it-test' - expire = -1 grace = -1
> ....
>
> also
> LDAPDebugEnabled = YES;
> doesn't seem to do anything

--
[email protected]
https://inverse.ca/sogo/lists
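Added here as a stand-alone check (not part of the list post or of SOGo's own code): the post's filter expressed as a plain RFC 4515 search filter, which can be given to ldapsearch with the bind account to confirm what the DC itself returns for a user before suspecting SOGo or its cache, plus a local evaluation of the same predicate over constructed sample entries. The group DN, attribute names and the bit-AND matching-rule OID come from the quoted config; the sample users and function names are assumptions.

```python
"""Re-express the SOGo filter from the post as a standard LDAP filter and
evaluate the same predicate locally on AD-like entries (constructed)."""

ACCESS_GROUP_DN = "CN=access_sogo,CN=Users,DC=ad,DC=xyz,DC=org"  # from the post
ACCOUNTDISABLE = 0x2  # userAccountControl bit the post's "<> 2" refers to
# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in the post
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def rfc4515_filter(group_dn: str = ACCESS_GROUP_DN) -> str:
    """Same predicate as the SOGo filter, as an RFC 4515 filter usable
    with ldapsearch directly against the DC (assumed helper name)."""
    return (f"(&(memberOf={group_dn})"
            f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))")


def may_log_in(entry: dict, group_dn: str = ACCESS_GROUP_DN) -> bool:
    """Local evaluation: member of the access group AND the
    ACCOUNTDISABLE bit not set. DNs compare case-insensitively, as in AD.
    Note: a user's primary group (normally Domain Users) is not listed
    in memberOf, so only explicit group memberships are checked."""
    member_of = [dn.lower() for dn in entry.get("memberOf", [])]
    uac = int(entry.get("userAccountControl", 0))
    return group_dn.lower() in member_of and not (uac & ACCOUNTDISABLE)


# Constructed sample entries, not real accounts.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_USERS = {
    "it-test": {"memberOf": [ACCESS_GROUP_DN], "userAccountControl": 512},
    "not-member": {"memberOf": [], "userAccountControl": 512},
    "disabled-member": {"memberOf": [ACCESS_GROUP_DN],
                        "userAccountControl": 514},
}


def decide_all(users: dict = SAMPLE_USERS) -> dict:
    """Map each sample user to the access decision the filter yields."""
    return {name: may_log_in(entry) for name, entry in users.items()}


if __name__ == "__main__":
    print("ldapsearch filter:", rfc4515_filter())
    for name, allowed in decide_all().items():
        print(f"{name:16} -> {'allowed' if allowed else 'denied'}")
```

If ldapsearch with this filter returns the test user but SOGo still lets a non-member in, the discrepancy is on the SOGo side; if the DC itself does not return the expected result, the group membership or the replication state of that DC is the place to look.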
