View Issue Details

IDProjectCategoryView StatusLast Update
0003625SOGoBackend Generalpublic2016-05-09 15:14
Reporternfg Assigned Toludovic  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Platform[Server] LinuxOSUbuntuOS Version14.04 LTS
Product Versionnightly v2 
Fixed in Version3.1.0 
Summary0003625: Multi-domain setup using SOGoUserSources with different LDAP baseDN where different domains uses same uid.
Description

The SOGo Documentation says for the SOGoEnableDomainBasedUID property that:

Parameter used to enable user identification by domain. Users will be
able( without being required) to login using the form username@domain,
meaning that values of UIDFieldName no longer have to be unique among
all domains but only within the same domain.

I was expecting SOGo to use the domain part to select the correct domain and use that domain's SOGoUserSources. And from there use the uid to authenticate and to look up the user when traversing (lookupName). Now it uses uid@domain to look up the uid in LDAP during authentication, but used the uid when traversing the userobject even if it is use@customer1.com in the URL:
https://mail.example.com/SOGo/so/user@customer1.com/Mail/view

The LDAP looup is done on all SOGoUserSources, not just the one configured for the domain. If two domains have a user with uid 'admin', but under different baseDN, it will pick up the first it finds.

Multi-domain looks broken to me.

Steps To Reproduce

Use the following configuration where the main point is that SOGoEnableDomainBasedUID is true and that UIDFieldName is uid:

SOGoEnableDomainBasedUID = YES;
SOGoForceExternalLoginWithEmail = YES;
domains = {
customer1.com = {
SOGoMailDomain = customer1.com;
SOGoUserSources = ({
id = public_customer1;
type = ldap;
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=users,ou=customer1.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindPassword = ;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
};
customer2.com = {
SOGoMailDomain = customer2.com;
SOGoUserSources = ({
id = public_customer2;
type = ldap;
CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid;
baseDN = "ou=users,ou=customer2.com,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindPassword =
;
bindAsCurrentUser = NO;
canAuthenticate = YES;
displayName = "Shared Addresses";
hostname = ldap://localhost;
isAddressBook = YES;
});
}
};

  1. Login with user@customer1.com:
    It chooses the correct domain, but tries to look up the uid in LDAP with the domain appended ("uid=user@customer1.com,ou=users,ou=customer1.com,dc=appdev,dc=as").

  2. Adding the following to the SOGoUserSources in sogo.conf:
    bindFields = (uid,mail);

  3. Login with user@customer2.com:
    I am able to authenticate using the userSource from the correct domain and I get the message 'SOGoRootPage successful login from '127.0.0.1' for user 'user@customer2.com' in the log.

After that SOGo no longer care which domain the user belongs to and tries to do lookup using customer1.com's baseDN first, and customer2.com's baseDN second if it is not found. The result is that I pick up data for the customer.1.com user even if I log in as a customer2.com user.

Looking up using 'user@customer2.com':
search at base 'ou=users,ou=customer1.com,dc=example,dc=com' filter '(|(uid=user@customer2.com)(mail=user@customer2.com))' for attrs ''
search at base 'ou=users,ou=customer2.com,dc=example,dc=com' filter '(|(uid=user@customer2.com)(mail=user@customer2.com))' for attrs '
'

Looking up using 'user':
search at base 'ou=users,ou=customer1.com,dc=example,dc=com' filter '(|(uid=user)(mail=user))' for attrs '*'

TagsNo tags attached.

Activities

jem555

jem555

2016-05-06 12:45

reporter   ~0010054

I'm experimenting the exactly same problem with a config like the one that opened the bug, same effects.

ludovic

ludovic

2016-05-06 13:20

administrator   ~0010059

v2 or v3? Can you also try with a nightly build?

ludovic

ludovic

2016-05-06 13:55

administrator   ~0010060

Also, show LDIF entry samples in BOTH domains.

nfg

nfg

2016-05-06 15:52

reporter   ~0010068

The behaviour is the same for v2 and v3, and for the master branch at the time I reported this.

I will not call this a minor bug. This essentially means that multi-domain is broken using the uid field. It is also a security problem as you can end up showing data for customer1 when logging inn as customer2.

ludovic

ludovic

2016-05-06 15:55

administrator   ~0010069

I asked to show me the data.

If I downgraded it to minor, it is because:

1- a commit was done about 2 hours ago for this
2- I was NOT able to reproduce it

jem555

jem555

2016-05-06 16:17

reporter   ~0010072

It happened after upgrading from v2.2.17 to v2.3.10 (I installed from fresh 2.3.10 on other servers and everything is fine there)

I've noticed that after disconnect I can login again after about 5 minutes or so.
Perhaps this behavior gives you a hint about this issue.

I'll post both LDIF in a while. Thanks!

nfg

nfg

2016-05-06 16:56

reporter  

sogo.conf (4,256 bytes)
nfg

nfg

2016-05-06 16:57

reporter  

admin_appdev_as.ldif (646 bytes)   
# LDIF Export for uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as
# Server: AppDev LDAP Server (localhost)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 6, 2016 8:45 pm
# Version: 1.2.2

version: 1

# Entry 1: uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as
dn: uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as
cn: AppDev Administrator
givenname: AppDev
mail: admin@appdev.as
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
objectclass: gosaMailAccount
sn: Administrator
uid: admin
userpassword:
admin_appdev_as.ldif (646 bytes)   
nfg

nfg

2016-05-06 16:58

reporter  

admin_gjerull_net.ldif (661 bytes)   
# LDIF Export for uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as
# Server: AppDev LDAP Server (localhost)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 6, 2016 8:50 pm
# Version: 1.2.2

version: 1

# Entry 1: uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as
dn: uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as
cn: Gjerull Administrator
givenname: Gjerull
mail: admin@gjerull.net
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: gosaMailAccount
preferredlanguage: nb
sn: Administrator
uid: admin
userpassword:
admin_gjerull_net.ldif (661 bytes)   
nfg

nfg

2016-05-06 17:17

reporter   ~0010073

I build from the HEAD of the master branch (commit: 8789db67b37e08a7ca75c4be98334f6c61d6aeb7). It is still pretty much the same behaviour, mixing the baseDN of the two domains.

I have uploaded the sogo.conf file I use for testing, perhaps it can help you reproduce it. I have also uploaded the ldif files of two users I use for testing.

ludovic

ludovic

2016-05-09 14:37

administrator   ~0010080

Since bindFields is set to uid, your users authenticate only using "admin" ?

There's no way SOGo can tell in which domain the user is if that is the case.

Why not set bindFields = (mail) and let the user authenticate with their email address?

VisitanteX

VisitanteX

2016-05-09 15:11

reporter   ~0010081

Last edited: 2016-05-09 15:14

View 3 revisions

Hi, I'm having the same issue, and my config was made following the examples at the documentation. I'm copying here a piece of my sogo.conf file.

            domain1.com = {
                    SOGoMailDomain = domain1.com;
                    SOGoUserSources = (
                        {
                                    type = ldap;
                                    CNFieldName = cn;
                                    IDFieldName = cn;
                                    UIDFieldName = mail;
                                    IMAPLoginFieldName = mail;
                                    MailFieldNames = (
                                            mail
                                    );
                                    SOGoLDAPContactInfoAttribute = uid;
                bindAsCurrentUser = YES;
                                    baseDN = "ou=accounts,dc=cartouch,dc=com,dc=ar";
                                    bindDN = "uid=sogoadmin,ou=accounts,dc=domain1,dc=com,dc=ar";
                                    bindFields = (
                                            mail
                                    );
                                    bindPassword = *****;
                                    canAuthenticate = YES;
                                    displayName = "Shared Addresses";
                                    filter = "(objectClass=inetOrgPerson)";
                hostname = ldap://127.0.0.1:389;
                                    id = public_domain1;
                                    isAddressBook = YES;
                        }
                    );
            };
    domain2.com.ar = {
                    SOGoMailDomain = domain2.com.ar;
                    SOGoUserSources = (
                        {
                                    type = ldap;
                                    CNFieldName = cn;
                                    IDFieldName = cn;
                                    UIDFieldName = mail;
                                    IMAPLoginFieldName = mail;
                                    MailFieldNames = (
                                            mail
                                    );
                                    SOGoLDAPContactInfoAttribute = uid;
                bindAsCurrentUser = YES;
                                    baseDN = "ou=accounts,dc=elevamundo,dc=com,dc=ar";
                                    bindDN = "uid=sogoadmin,ou=accounts,dc=domain2,dc=com,dc=ar";
                                    bindFields = (
                                            mail
                                    );
                                    bindPassword = *****;
                                    canAuthenticate = YES;
                                    displayName = "Shared Addresses";
                                    filter = "(objectClass=inetOrgPerson)";
                hostname = ldap://127.0.0.1:389;
                                    id = public_domain2;
                                    isAddressBook = YES;
                        }

The problem here is that after 5 minutes resets itself and I can login again. But, before those 5 minutes it's impossible to log again. It just keep going back to the login screen.

Meanwhile there are errors, it start to try to search the uid in all domanins, this thing ofcourse doesn't happen when it finally log in.

ludovic

ludovic

2016-05-09 15:14

administrator   ~0010082

A small fix was pushed: 29e0799b11c8409171296b619f366876add14fdc

With the structure below, you MUST use bindFields = (mail).

If you don't set it and or you set to uid (or uid, mail), SOGo has NO WAY of knowing in which domain the user is since it'll be in both. So logins can be "random".

You have to understand that SOGoEnableDomainBasedUID is used for storage purposes in SOGo - so the app doesn't only use the UID field, but rather a combination of the UID and the domain.

Fix also included for 2.3.11.

Issue History

Date Modified Username Field Change
2016-04-08 10:15 nfg New Issue
2016-05-06 12:45 jem555 Note Added: 0010054
2016-05-06 13:20 ludovic Note Added: 0010059
2016-05-06 13:55 ludovic Note Added: 0010060
2016-05-06 13:56 ludovic Severity crash => minor
2016-05-06 15:52 nfg Note Added: 0010068
2016-05-06 15:55 ludovic Note Added: 0010069
2016-05-06 16:17 jem555 Note Added: 0010072
2016-05-06 16:56 nfg File Added: sogo.conf
2016-05-06 16:57 nfg File Added: admin_appdev_as.ldif
2016-05-06 16:58 nfg File Added: admin_gjerull_net.ldif
2016-05-06 17:17 nfg Note Added: 0010073
2016-05-09 14:37 ludovic Note Added: 0010080
2016-05-09 15:11 VisitanteX Note Added: 0010081
2016-05-09 15:12 VisitanteX Note Edited: 0010081 View Revisions
2016-05-09 15:14 VisitanteX Note Edited: 0010081 View Revisions
2016-05-09 15:14 ludovic Note Added: 0010082
2016-05-09 15:14 ludovic Status new => resolved
2016-05-09 15:14 ludovic Fixed in Version => 3.1.0
2016-05-09 15:14 ludovic Resolution open => fixed
2016-05-09 15:14 ludovic Assigned To => ludovic