0003625: Multi-domain setup using SOGoUserSources with different LDAP baseDN where different domains uses same uid. - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0003625	SOGo	Backend General	public	2016-04-08 14:15	2016-05-09 19:14

Reporter	nfg	Assigned To	ludovic
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	[Server] Linux	OS	Ubuntu	OS Version	14.04 LTS
Product Version	nightly v2
Fixed in Version	3.1.0

Summary	0003625: Multi-domain setup using SOGoUserSources with different LDAP baseDN where different domains uses same uid.
Description	The SOGo Documentation says for the SOGoEnableDomainBasedUID property that: Parameter used to enable user identification by domain. Users will be able( without being required) to login using the form username@domain, meaning that values of UIDFieldName no longer have to be unique among all domains but only within the same domain. I was expecting SOGo to use the domain part to select the correct domain and use that domain's SOGoUserSources. And from there use the uid to authenticate and to look up the user when traversing (lookupName). Now it uses uid@domain to look up the uid in LDAP during authentication, but used the uid when traversing the userobject even if it is use@customer1.com in the URL: https://mail.example.com/SOGo/so/user@customer1.com/Mail/view The LDAP looup is done on all SOGoUserSources, not just the one configured for the domain. If two domains have a user with uid 'admin', but under different baseDN, it will pick up the first it finds. Multi-domain looks broken to me.
Steps To Reproduce	Use the following configuration where the main point is that SOGoEnableDomainBasedUID is true and that UIDFieldName is uid: SOGoEnableDomainBasedUID = YES; SOGoForceExternalLoginWithEmail = YES; domains = { customer1.com = { SOGoMailDomain = customer1.com; SOGoUserSources = ({ id = public_customer1; type = ldap; CNFieldName = cn; IDFieldName = uid; UIDFieldName = uid; baseDN = "ou=users,ou=customer1.com,dc=example,dc=com"; bindDN = "cn=sogo,dc=example,dc=com"; bindPassword = ; bindAsCurrentUser = NO; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = ldap://localhost; isAddressBook = YES; }); }; customer2.com = { SOGoMailDomain = customer2.com; SOGoUserSources = ({ id = public_customer2; type = ldap; CNFieldName = cn; IDFieldName = uid; UIDFieldName = uid; baseDN = "ou=users,ou=customer2.com,dc=example,dc=com"; bindDN = "cn=sogo,dc=example,dc=com"; bindPassword = ; bindAsCurrentUser = NO; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = ldap://localhost; isAddressBook = YES; }); } }; Login with user@customer1.com: It chooses the correct domain, but tries to look up the uid in LDAP with the domain appended ("uid=user@customer1.com,ou=users,ou=customer1.com,dc=appdev,dc=as"). Adding the following to the SOGoUserSources in sogo.conf: bindFields = (uid,mail); Login with user@customer2.com: I am able to authenticate using the userSource from the correct domain and I get the message 'SOGoRootPage successful login from '127.0.0.1' for user 'user@customer2.com' in the log. After that SOGo no longer care which domain the user belongs to and tries to do lookup using customer1.com's baseDN first, and customer2.com's baseDN second if it is not found. The result is that I pick up data for the customer.1.com user even if I log in as a customer2.com user. Looking up using 'user@customer2.com': search at base 'ou=users,ou=customer1.com,dc=example,dc=com' filter '(\|(uid=user@customer2.com)(mail=user@customer2.com))' for attrs '' search at base 'ou=users,ou=customer2.com,dc=example,dc=com' filter '(\|(uid=user@customer2.com)(mail=user@customer2.com))' for attrs '' Looking up using 'user': search at base 'ou=users,ou=customer1.com,dc=example,dc=com' filter '(\|(uid=user)(mail=user))' for attrs '*'
Tags	No tags attached.

jem555 2016-05-06 16:45 reporter ~0010054	I'm experimenting the exactly same problem with a config like the one that opened the bug, same effects.

ludovic 2016-05-06 17:20 administrator ~0010059	v2 or v3? Can you also try with a nightly build?

ludovic 2016-05-06 17:55 administrator ~0010060	Also, show LDIF entry samples in BOTH domains.

nfg 2016-05-06 19:52 reporter ~0010068	The behaviour is the same for v2 and v3, and for the master branch at the time I reported this. I will not call this a minor bug. This essentially means that multi-domain is broken using the uid field. It is also a security problem as you can end up showing data for customer1 when logging inn as customer2.

ludovic 2016-05-06 19:55 administrator ~0010069	I asked to show me the data. If I downgraded it to minor, it is because: 1- a commit was done about 2 hours ago for this 2- I was NOT able to reproduce it

jem555 2016-05-06 20:17 reporter ~0010072	It happened after upgrading from v2.2.17 to v2.3.10 (I installed from fresh 2.3.10 on other servers and everything is fine there) I've noticed that after disconnect I can login again after about 5 minutes or so. Perhaps this behavior gives you a hint about this issue. I'll post both LDIF in a while. Thanks!

nfg 2016-05-06 20:56 reporter	sogo.conf (4,256 bytes)

nfg 2016-05-06 20:57 reporter	admin_appdev_as.ldif (646 bytes) # LDIF Export for uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as # Server: AppDev LDAP Server (localhost) # Search Scope: base # Search Filter: (objectClass=*) # Total Entries: 1 # # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 6, 2016 8:45 pm # Version: 1.2.2 version: 1 # Entry 1: uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as dn: uid=admin,ou=users,ou=appdev.as,dc=appdev,dc=as cn: AppDev Administrator givenname: AppDev mail: admin@appdev.as objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: person objectclass: top objectclass: gosaMailAccount sn: Administrator uid: admin userpassword: admin_appdev_as.ldif (646 bytes)

nfg 2016-05-06 20:58 reporter	admin_gjerull_net.ldif (661 bytes) # LDIF Export for uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as # Server: AppDev LDAP Server (localhost) # Search Scope: base # Search Filter: (objectClass=*) # Total Entries: 1 # # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on May 6, 2016 8:50 pm # Version: 1.2.2 version: 1 # Entry 1: uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as dn: uid=admin,ou=users,ou=gjerull.net,dc=appdev,dc=as cn: Gjerull Administrator givenname: Gjerull mail: admin@gjerull.net objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: person objectclass: gosaMailAccount preferredlanguage: nb sn: Administrator uid: admin userpassword: admin_gjerull_net.ldif (661 bytes)

nfg 2016-05-06 21:17 reporter ~0010073	I build from the HEAD of the master branch (commit: 8789db67b37e08a7ca75c4be98334f6c61d6aeb7). It is still pretty much the same behaviour, mixing the baseDN of the two domains. I have uploaded the sogo.conf file I use for testing, perhaps it can help you reproduce it. I have also uploaded the ldif files of two users I use for testing.

ludovic 2016-05-09 18:37 administrator ~0010080	Since bindFields is set to uid, your users authenticate only using "admin" ? There's no way SOGo can tell in which domain the user is if that is the case. Why not set bindFields = (mail) and let the user authenticate with their email address?

VisitanteX 2016-05-09 19:11 reporter ~0010081 Last edited: 2016-05-09 19:14	Hi, I'm having the same issue, and my config was made following the examples at the documentation. I'm copying here a piece of my sogo.conf file. domain1.com = { SOGoMailDomain = domain1.com; SOGoUserSources = ( { type = ldap; CNFieldName = cn; IDFieldName = cn; UIDFieldName = mail; IMAPLoginFieldName = mail; MailFieldNames = ( mail ); SOGoLDAPContactInfoAttribute = uid; bindAsCurrentUser = YES; baseDN = "ou=accounts,dc=cartouch,dc=com,dc=ar"; bindDN = "uid=sogoadmin,ou=accounts,dc=domain1,dc=com,dc=ar"; bindFields = ( mail ); bindPassword = ***; canAuthenticate = YES; displayName = "Shared Addresses"; filter = "(objectClass=inetOrgPerson)"; hostname = ldap://127.0.0.1:389; id = public_domain1; isAddressBook = YES; } ); }; domain2.com.ar = { SOGoMailDomain = domain2.com.ar; SOGoUserSources = ( { type = ldap; CNFieldName = cn; IDFieldName = cn; UIDFieldName = mail; IMAPLoginFieldName = mail; MailFieldNames = ( mail ); SOGoLDAPContactInfoAttribute = uid; bindAsCurrentUser = YES; baseDN = "ou=accounts,dc=elevamundo,dc=com,dc=ar"; bindDN = "uid=sogoadmin,ou=accounts,dc=domain2,dc=com,dc=ar"; bindFields = ( mail ); bindPassword = ***; canAuthenticate = YES; displayName = "Shared Addresses"; filter = "(objectClass=inetOrgPerson)"; hostname = ldap://127.0.0.1:389; id = public_domain2; isAddressBook = YES; } The problem here is that after 5 minutes resets itself and I can login again. But, before those 5 minutes it's impossible to log again. It just keep going back to the login screen. Meanwhile there are errors, it start to try to search the uid in all domanins, this thing ofcourse doesn't happen when it finally log in.

ludovic 2016-05-09 19:14 administrator ~0010082	A small fix was pushed: 29e0799b11c8409171296b619f366876add14fdc With the structure below, you MUST use bindFields = (mail). If you don't set it and or you set to uid (or uid, mail), SOGo has NO WAY of knowing in which domain the user is since it'll be in both. So logins can be "random". You have to understand that SOGoEnableDomainBasedUID is used for storage purposes in SOGo - so the app doesn't only use the UID field, but rather a combination of the UID and the domain. Fix also included for 2.3.11.

Date Modified	Username	Field	Change
2016-04-08 14:15	nfg	New Issue
2016-05-06 16:45	jem555	Note Added: 0010054
2016-05-06 17:20	ludovic	Note Added: 0010059
2016-05-06 17:55	ludovic	Note Added: 0010060
2016-05-06 17:56	ludovic	Severity	crash => minor
2016-05-06 19:52	nfg	Note Added: 0010068
2016-05-06 19:55	ludovic	Note Added: 0010069
2016-05-06 20:17	jem555	Note Added: 0010072
2016-05-06 20:56	nfg	File Added: sogo.conf
2016-05-06 20:57	nfg	File Added: admin_appdev_as.ldif
2016-05-06 20:58	nfg	File Added: admin_gjerull_net.ldif
2016-05-06 21:17	nfg	Note Added: 0010073
2016-05-09 18:37	ludovic	Note Added: 0010080
2016-05-09 19:11	VisitanteX	Note Added: 0010081
2016-05-09 19:12	VisitanteX	Note Edited: 0010081
2016-05-09 19:14	VisitanteX	Note Edited: 0010081
2016-05-09 19:14	ludovic	Note Added: 0010082
2016-05-09 19:14	ludovic	Status	new => resolved
2016-05-09 19:14	ludovic	Fixed in Version	=> 3.1.0
2016-05-09 19:14	ludovic	Resolution	open => fixed
2016-05-09 19:14	ludovic	Assigned To	=> ludovic

View Issue Details

The SOGo Documentation says for the SOGoEnableDomainBasedUID property that:

Parameter used to enable user identification by domain. Users will be
able( without being required) to login using the form username@domain,
meaning that values of UIDFieldName no longer have to be unique among
all domains but only within the same domain.

Use the following configuration where the main point is that SOGoEnableDomainBasedUID is true and that UIDFieldName is uid:

Activities

Issue History

View Issue Details

The SOGo Documentation says for the SOGoEnableDomainBasedUID property that:

Parameter used to enable user identification by domain. Users will be able( without being required) to login using the form username@domain, meaning that values of UIDFieldName no longer have to be unique among all domains but only within the same domain.

Use the following configuration where the main point is that SOGoEnableDomainBasedUID is true and that UIDFieldName is uid:

Activities

Issue History

Parameter used to enable user identification by domain. Users will be
able( without being required) to login using the form username@domain,
meaning that values of UIDFieldName no longer have to be unique among
all domains but only within the same domain.