Description | Hello everyone,
I have SOGo set up with an LDAP user source, and it works fine.
My AD servers are synced to MS Entra ID; we have some apps that are already using
OpenID Connect (Moodle), and it works fine.
I'm trying to make SOGo authenticate with Entra ID as well.
Here is my sogo.conf (OpenID portion):
/* OpenID */
OCSOpenIdURL = "mysql://sogo:===mysql sogo password===@127.0.0.1:3306/sogo/sogo_openid";
SOGoAuthenticationType = openid;
SOGoXSRFValidationEnabled = NO;
SOGoOpenIdConfigUrl = "https://login.microsoftonline.com/==Long string that pointed to my APP ID==/v2.0/.well-known/openid-configuration";
SOGoOpenIdClient = "===oidc client id ===";
SOGoOpenIdClientSecret = "===oidc secret===";
SOGoOpenIdScope = "profile email openid";
SOGoOpenIdEmailParam = "mail";
SOGoOpenIdEnableRefreshToken = NO;
SOGoOpenIdTokenCheckInterval = 200;
On Entra ID I put "https://myactualsite.domain/SOGo/" as the redirect URI.
After I restart the sogo service on Ubuntu 24.04, the sogo_openid table is created in
the sogo database.
But when I try to log in, authentication on the Microsoft authentication portal is
successful until I get redirected; then it shows a blank page for minutes and ends
up with an NGINX error.
Here is my sogo.log:
May 14 15:16:15 sogod [301625]: |SOGo| starting method 'GET' on uri '/SOGo/'
May 14 15:16:15 sogod [301625]: <0x0x58b6a36f21a0[SOGoCache]> Cache cleanup interval set every 300.000000 seconds
May 14 15:16:15 sogod [301625]: <0x0x58b6a36f21a0[SOGoCache]> Using host(s) '127.0.0.1' as server(s)
May 14 15:16:15 sogod [301625]: [WARN] <0x0x78181bad01e0[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
May 14 15:16:15 sogod [301625]: |SOGo| request took 0.556267 seconds to execute
May 14 15:16:15 sogod [301625]: 172.16.14.19 "GET /SOGo/ HTTP/1.0" 302 0/0 0.559 - - 5M - 11
May 14 15:16:18 sogod [301625]: |SOGo| starting method 'GET' on uri '/SOGo/?code=1.AVQA6i==VERY LONG STRINGS==&session_state=2a2cdd81-8446-4284-af1d-b6dc12e886b1'
May 14 15:17:18 sogod [301613]: [WARN] <0x0x58b6a39b13f0[WOWatchDogChild]> pid 301625 has been hanging in the same request for 1 minutes
May 14 15:18:18 sogod [301613]: [WARN] <0x0x58b6a39b13f0[WOWatchDogChild]> pid 301625 has been hanging in the same request for 2 minutes
2025-05-14 15:18:28.431 sogod[301625:301625] caught SIGPIPE - ignoring!
May 14 15:18:28 sogod [301625]: [ERROR] <0x0x58b6a3f7fcd0[GSCBufferString]> json parser: Expected value while parsing array, attempting once more after unescaping...
May 14 15:18:28 sogod [301625]: [ERROR] <0x0x58b6a3f7fcd0[GSCBufferString]> total failure. Original string is: E5
{"sub":"AgbeINzGF6Oao3N_mW4RzY6EQmbZM1dF1bbiz-CUrTo","name":"==My name on AD==","family_name":"==My family name on AD==","given_name":"==My given name on AD==","picture":"https://graph.microsoft.com/v1.0/me/photo/$value","email":"==My email on AD=="}
0
May 14 15:18:28 sogod [301625]: [ERROR] <0x0x78181c11f160[SOGoSession]> Value to be secured is too big (2601 > 1575) -- secured value will be corrupted
May 14 15:18:28 sogod [301625]: |SOGo| request took 130.323775 seconds to execute
May 14 15:18:28 sogod [301625]: [ERROR] <0x0x58b6a3e91750[WOHttpTransaction]> client disconnected during delivery of response for <WORequest[0x0x58b6a39c5500]: method=GET uri=/SOGo/?code=1.AVQA6i==VERY LONG STRINGS==&session_state=2a2cdd81-8446-4284-af1d-b6dc12e886b1 app=SOGo rqKey= rqPath=(null)> (len=0): the socket was shutdown
May 14 15:18:28 sogod [301625]: 172.16.14.19 "GET /SOGo/?code=1.AVQA6i==VERY LONG STRINGS==&session_state=2a2cdd81-8446-4284-af1d-b6dc12e886b1 HTTP/1.0" 302 0/0 130.327 - - 2M - 13
I see a lot of errors from this authentication attempt, and I have no idea what
this is --> [ERROR] <0x0x78181c11f160[SOGoSession]> Value to be secured is too
big (2601 > 1575) -- secured value will be corrupted
Maybe it's the cause why it fails to redirect, right?
Please help me figure out what's wrong with my setup. |
---|
Steps To Reproduce | If you already have a working SOGo with an LDAP user source (can authenticate with an LDAP account):
Create an Entra ID app for SOGo and add a redirect URI to this app by going to Azure portal --> Entra ID --> App Registration --> Choose your app --> Authentication --> + Add platform --> Choose Web --> Add Redirect URI as "https://your.domain/SOGo/"
Then add this portion of OIDC configuration to /etc/sogo/sogo.conf and restart the sogo service.
SOGo will create another DB table named "sogo_openid" (check with an SQL command).
/* OpenID */
OCSOpenIdURL = "mysql://sogo:===mysql sogo password===@127.0.0.1:3306/sogo/sogo_openid";
SOGoAuthenticationType = openid;
SOGoXSRFValidationEnabled = NO;
SOGoOpenIdConfigUrl = "https://login.microsoftonline.com/==Long string that pointed to my APP ID==/v2.0/.well-known/openid-configuration";
SOGoOpenIdClient = "===oidc client id ===";
SOGoOpenIdClientSecret = "===oidc secret===";
SOGoOpenIdScope = "profile email openid";
SOGoOpenIdEmailParam = "mail";
SOGoOpenIdEnableRefreshToken = NO;
SOGoOpenIdTokenCheckInterval = 200;
After all is done, try to access your SOGo app; it will be redirected to the MS authentication portal.
After logging in successfully, it will redirect to the URI you've set up, which returns a blank page for minutes and then shows an NGINX error.
Check /var/log/sogo/sogo.log for errors. |
---|
Additional Information | LDAP user source portion:
// Authentication using LDAP
SOGoUserSources = (
  {
    // Used for user authentication
    type = ldap;
    id = users;
    canAuthenticate = YES;
    isAddressBook = NO;
    displayName = "LDAP Authentication";
    hostname = "ldap://my.domain:389"; // <- Set to ldaps://ad.example.com:636 for LDAPS.
    baseDN = "dc=my,dc=domain";
    bindDN = "CN=ldapadmin,OU=Service Accounts,OU=Groups,dc=my,dc=domain";
    bindPassword = "secret";
    filter = "objectClass=person AND userPrincipalName='*' AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
    scope = SUB;
    // always keep binding to the LDAP server using the DN of the
    // currently authenticated user. bindDN and bindPassword are still
    // required to find DN of the user.
    // Note: with default LDAP acl configured by iRedMail, user doesn't
    // have privilege to query o=domains,dc=delmsgs,dc=freeddns,dc=org.
    // so this doesn't work.
    bindAsCurrentUser = YES;
    // The algorithm used for password encryption when changing
    // passwords without Password Policies enabled.
    // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
    userPasswordAlgorithm = ssha512;
    CNFieldName = cn;
    IDFieldName = userPrincipalName;
    // value of UIDFieldName must be unique on entire server
    UIDFieldName = userPrincipalName;
    IMAPLoginFieldName = userPrincipalName;
    MailFieldNames = (userPrincipalName);
    bindFields = (userPrincipalName);
  },
  {
    // Used for global address book
    type = ldap;
    id = global_addressbook;
    canAuthenticate = NO;
    isAddressBook = YES;
    displayName = "Global Address Book";
    bindAsCurrentUser = YES;
    // Listing of this LDAP source is only possible when performing a
    // search (respecting the SOGoSearchMinimumWordLength parameter)
    // or when explicitly typing a single dot.
    // Defaults to YES when unset.
    //
    // WARNING: if you have many accounts in this address book, it may
    //          reach server-side query size limit, or cause
    //          performance issue.
    listRequiresDot = NO;
    // Set to ldaps://ad.example.com:636 for LDAPS.
    hostname = "ldap://my.domain:389";
    baseDN = "dc=my,dc=domain";
    bindDN = "CN=ldapadmin,OU=Service Accounts,OU=Groups,dc=my,dc=domain";
    bindPassword = "secret";
    filter = "(objectClass=person OR (objectClass=group AND mail='*')) AND (NOT userAccountControl:1.2.840.113556.1.4.803:=2)";
    scope = SUB;
    IDFieldName = userPrincipalName;
    bindFields = (userPrincipalName);
    // value of UID field must be unique on whole server.
    UIDFieldName = userPrincipalName;
    IMAPLoginFieldName = userPrincipalName;
    CNFieldName = cn;
    SearchFieldNames = (mail, cn, sAMAccountName, displayName, sn, givenName);
    mapping = {
      ou = ("department", "ou");
      street = ("streetAddress", "street");
      mozillaworkurl = ("wWWHomePage", "mozillaworkurl");
      description = ("info", "description");
    };
  },
  {
    // Used for distribution lists
    type = ldap;
    id = distribution_lists;
    canAuthenticate = NO;
    isAddressBook = NO;
    displayName = "Distribution Lists";
    bindAsCurrentUser = YES;
    // Set to ldaps://ad.example.com:636 for LDAPS.
    hostname = "ldap://my.domain:389";
    baseDN = "dc=my,dc=domain";
    bindDN = "CN=ldapadmin,OU=Service Accounts,OU=Groups,dc=my,dc=domain";
    bindPassword = "secret";
    filter = "(objectClass=group) AND (mail=*)";
    scope = SUB;
    IDFieldName = cn;
    bindFields = (cn);
    // value of UID field must be unique on whole server.
    UIDFieldName = cn;
    IMAPLoginFieldName = mail;
    CNFieldName = cn;
    SearchFieldNames = (mail, cn, displayName);
    mapping = {
      description = ("description");
    };
  },
  {
    // Used for resource accounts
    type = ldap;
    id = resources;
    canAuthenticate = NO;
    isAddressBook = NO;
    displayName = "Resources";
    bindAsCurrentUser = YES;
    hostname = "ldap://my.domain:389";
    baseDN = "OU=Exchange Resources,OU=Service Accounts,OU=Groups,dc=my,dc=domain";
    bindDN = "CN=ldapadmin,OU=Service Accounts,OU=Groups,dc=my,dc=domain";
    bindPassword = "secret";
    filter = "(employeeType=Resource)";
    // scope = SUB;
    IDFieldName = cn;
    bindFields = (cn);
    UIDFieldName = cn;
    IMAPLoginFieldName = mail;
    CNFieldName = cn;
    SearchFieldNames = (mail, cn, displayName);
    // MultipleBookingsFieldName = customMultipleBookings;
    KindFieldName = physicalDeliveryOfficeName;
    mapping = {
      description = ("description");
    };
  }
);
|
---|
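A note on the userinfo failure in the log above, with an added example that is not part of the report and not SOGo code. The "Original string" the JSON parser rejects is `E5`, a newline, the userinfo JSON, a newline, and `0`. That framing matches HTTP/1.1 chunked transfer coding (a hexadecimal chunk length, the chunk, then a zero-length terminating chunk), and a JSON parser handed the raw body will indeed stop at `E5` with an "expected value" error. The Python below, written for this page, reproduces that on a constructed body modelled on the log, decodes the chunk framing before parsing, and then checks whether the claim named by `SOGoOpenIdEmailParam` is present in the decoded document (the report's config asks for `mail`, while the logged userinfo carries `email`). All claim values are constructed placeholders, not the reporter's data.

```python
import json

# Constructed userinfo document shaped like the one in sogo.log; values are
# placeholders, not real data.
USERINFO_JSON = (
    '{"sub":"AgbeINzGF6Oao3N_mW4RzY6EQmbZM1dF1bbiz-CUrTo",'
    '"name":"Example User","family_name":"User","given_name":"Example",'
    '"picture":"https://graph.microsoft.com/v1.0/me/photo/$value",'
    '"email":"example.user@example.com"}'
)

# The same document wrapped as an HTTP/1.1 chunked body: hex length, CRLF,
# chunk data, CRLF, then the terminating zero-length chunk.
RAW_CHUNKED_BODY = f"{len(USERINFO_JSON):X}\r\n{USERINFO_JSON}\r\n0\r\n\r\n".encode()


def raw_body_is_valid_json(body: bytes) -> bool:
    """Feed the undecoded body straight to the JSON parser, as the log suggests
    happened; a leading chunk-size line makes this fail."""
    try:
        json.loads(body.decode("utf-8"))
        return True
    except json.JSONDecodeError:
        return False


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coded body into its payload.

    Handles any number of chunks and ignores chunk extensions (";name=value")
    and trailer fields; raises ValueError on malformed framing."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def parse_userinfo(body: bytes, chunked: bool) -> dict:
    """Return the userinfo claims, de-chunking first when the response says so."""
    payload = decode_chunked(body) if chunked else body
    return json.loads(payload.decode("utf-8"))


def configured_claim_present(claims: dict, claim_name: str) -> bool:
    """Check that the claim SOGoOpenIdEmailParam points at actually exists."""
    return claim_name in claims


if __name__ == "__main__":
    print("raw body parses as JSON:", raw_body_is_valid_json(RAW_CHUNKED_BODY))
    claims = parse_userinfo(RAW_CHUNKED_BODY, chunked=True)
    for name in ("mail", "email"):
        print(f"claim {name!r} present:", configured_claim_present(claims, name))
```

Run as-is it reports that the raw body is not valid JSON, that `email` is present and `mail` is not. It says nothing about the separate "Value to be secured is too big (2601 > 1575)" error, which is a session-size limit rather than a parsing problem.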