View Issue Details

IDProjectCategoryView StatusLast Update
0005917SOGowith SOGopublic2024-02-07 13:42
Reporterabdunazarov Assigned To 
Status newResolutionopen 
Platform[Server] LinuxOSRHEL/CentOSOS Version7
Product Version5.9.1 
Summary0005917: SOGo can't authenticate users when using Active Directory LDAPs

Hello guys!
I'm trying to install on CentOS 8 and Rocky Linux 9 SOGo 5.9.1. On both systems there is a problem with users authentication using LDAPS.
Configuration used from running instance of 5.7 version of SOGo.
When i'm trying set in configuration encryption = SSL; and hostname = "ldaps://ad.server"; in logs appears errors below
Feb 02 16:03:10 sogod [6419]: [ERROR] <0x0x55e74cbe6bc0[LDAPSource]> Could not bind to the LDAP server ldaps://ad.server (636) using the bind DN: binduser@ad.server
Feb 02 16:03:10 sogod [6419]: [ERROR] <0x0x55e74cbe6bc0[LDAPSource]> <NSException: 0x55e74cced2f0> NAME:LDAPException REASON:operation bind failed: Can't contact LDAP server (0xFFFFFFFF) INFO:{"error_code" = "-1"; login = binduser@ad.server"; }

But when i'm running without encryption = SSL; in config everything works fine.
Please, coul'd somebody tell. Is there some changes in configs to upgrade from 5.7 to 5.9.1? Or maybe any ideas what is going wrong?

Steps To Reproduce

Install SOGo 5.9.1 from nightly build and add SOGoUserSources type = ldap
Set encryption = SSL; and hostname = "ldaps://ad.server";
Try login from web interface

Tagsldaps, sogo


Christian Mack

Christian Mack

2024-02-07 12:59

developer   ~0017561

Without encryption you use port 389 on the LDAP/AD server.
With encryption you use port 636.
As the error message states " Can't contact LDAP server" , you probably have a firewall in between.
That firewall blocks access from your SOGo server to your AD server on Port 636, but allows access on Port 389.



2024-02-07 13:17

reporter   ~0017562

Of course, the firewall was checked first.
Both ports 389 without ssl and 636 with ssl were specified correctly.
Moreover, these ports are accessible via telnet.
If we rule out the assumption that port 636 is blocked by firewall, what else could be wrong?

Christian Mack

Christian Mack

2024-02-07 13:42

developer   ~0017563

Then it could be, that the SOGo server can not verify your AD certificate.
Check that with:

openssl s_client -connect ad.server:636

Issue History

Date Modified Username Field Change
2024-02-02 13:27 abdunazarov New Issue
2024-02-02 13:27 abdunazarov Tag Attached: ldaps
2024-02-02 13:27 abdunazarov Tag Attached: sogo
2024-02-07 12:59 Christian Mack Note Added: 0017561
2024-02-07 13:17 abdunazarov Note Added: 0017562
2024-02-07 13:42 Christian Mack Note Added: 0017563