Create groups with LDAP Exchange users

Issue #517 resolved

Dr Evil created an issue 2015-03-04

I try to create some groups in piler to allow access to other users mails. All of them are Exchange (2010) users. SSO for the webgui is already working, so LDAP lookups are fine.

But when I create a group and search for mailadresses the ldap query seems not to work corret :

Mar 4 07:44:45 mailpiler piler-webui[4265]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=user*))', attr='', 0 hits

Since proxyAddresses in Exchange start with "smtp" i tried that and got 324 hits :

Mar 4 07:47:17 mailpiler piler-webui[9992]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=smtp*))', attr='', 324 hits

So if I create a group and just add "user1.name1@domain.com" to email addresse and "user2.name2@domain.com" to assigned email addresses user1 can't see mails from user2 or vica verse. If I try to add the addesses with smtp: prefix (like "smtp:user1.name1@domain.com") I get "Failed to modify: 0" error message.

What to do to get groups working in this setup?

here the version infos :

piler 1.1.1, build 903, Janos SUTO sj@acts.hu

Build Date: Tue Mar 3 22:00:24 CET 2015 ldd version: ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13 gcc version: gcc version 4.7.2 (Debian 4.7.2-5) Configure command: ./configure --localstatedir=/var --with-database=mysql --enable-starttls --enable-tcpwrappers

Comments (13)

Janos SUTO repo owner
Try setting the following in config-site.php:

$config['LDAP_MAIL_ATTR'] = 'proxyAddresses';

and it forces to use the 'smtp:' prefix.
- 2015-03-04T10:09:02+00:00

Dr Evil reporter

Checked that, and it was already set Strange thing I realised : If I login with admin@local from a browser not using SSO I can see this beeing logged :

Mar  4 11:53:22 mailpiler piler-webui[13788]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=smtp:admin@local))', attr='', 0 hits

And if I try to create a group after that login an search for users email addresses it switches back to search without prefix :

Mar  4 11:53:33 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=te*))', attr='', 0 hits
Mar  4 11:53:33 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=tes*))', attr='', 0 hits
Mar  4 11:53:34 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=test*))', attr='', 0 hits

2015-03-04T11:01:24+00:00

Janos SUTO repo owner

admin@local is a local account, sso shouldn't work for it. However you have ldap auth enabled, that's why it check ldap authentication first.

For the email search problem try the following diff:

--- a/webui/model/group/group.php
+++ b/webui/model/group/group.php
@@ -178,16 +178,20 @@ class ModelGroupGroup extends Model {

    public function get_emails_by_string($s = '', $page = 0, $page_len = PAGE_LEN) {
       $emails = array();
+      $username_prefix = '';

       $from = (int)$page * (int)$page_len;

       if(strlen($s) < 1) { return array(); }

       if(ENABLE_LDAP_AUTH == 1) {
+
+         if(LDAP_MAIL_ATTR == 'proxyAddresses') { $username_prefix = 'smtp:'; }
+
          $ldap = new LDAP(LDAP_HOST, LDAP_HELPER_DN, LDAP_HELPER_PASSWORD);
          if($ldap->is_bind_ok()) {

-            $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $s . "*))", array());
+            $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix$s . "*))", array());

             if(isset($query->rows)) {
                $emails = $this->model_user_auth->get_email_array_from_ldap_attr($query->rows);

2015-03-04T12:58:51+00:00

Dr Evil reporter
After changing
```
$query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix$s . "*))", array());
```
to
```
$query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix.$s . "*))", array());
```
LDAP queries are now working from the groups page. Thank you so far.

The problem that user1 can not see user2 mails or the other way round persists. Within the settings of user1 the created group gets listed. Something still seems to be wrong.

Am I right that under "Email addresses" I have to put the users email address that wants to access other users mails and under "Assigned email addresses" enter the mail addresses to be visible to the user entered in first place?
- 2015-03-04T16:59:36+00:00
Janos SUTO repo owner
Yeah, thanks for fixing the typo. Check if in the settings menu you can see all email addresses and group associations. Then just hit the search button, then check the maillog for the issued sphinx query - it should include all visible (=allowed) email addresses.
- 2015-03-04T20:10:58+00:00

Dr Evil reporter

This is a screenshot of the group setup

And here the users settings :

This is the output in maillog :

Mar  5 07:57:35 mailpiler piler-webui[26022]: sphinx query: 'SELECT id FROM main1,dailydelta1,delta1 WHERE        MATCH(' (@from abtXdomainXcom| vtaXdomainXcom| vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| edvXtestXdomainXcom | @to abtXdomainXcom| vtaXdomainXcom| vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| edvXtestXdomainXcom) ') ORDER BY `sent` DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.02 s, 3 hits, 3 total found

2015-03-05T07:34:16+00:00

Janos SUTO repo owner
Hmm, these pictues look good, except user1.name1@ can't be found in the search query. I need some more tests.
- 2015-03-10T12:43:08+00:00
Janos SUTO repo owner
Just check it against the latest master branch, and it seems it should use email addresses for the given group as well. So try this: upgrade to 1.1.1 (https://bitbucket.org/jsuto/piler/downloads/piler-1.1.1.tar.gz), and try again. It's a bugfix release to 1.1.0, so nothing special to worry during the upgrade process. Let me know if it fixes the issue.
- 2015-03-10T19:42:35+00:00
Dr Evil reporter
I'm sorry to say that this didn't do the trick :-( The results in the logs are the same.

But additional to the groups mailaddresses not being search I realised that also some of users mailaddresses are missing in the settings overview. "edv.test@domain.com" is the primary address. but the user also has "edv.test@our-domain.com" and additional "edv-test@domain.com". The user can not see mails that have been send to "edv.test@our-domain.com". Looking at the search log output above the mailaddress "edvXtestXoutXdomainXcom" is missing.

Maybe that helps ... if I can do any further testing please tell me.

What I already tested was removing the X400 record from the active directory proxyAddresses attribute but that didn't change anything.
- 2015-03-12T12:33:21+00:00
Janos SUTO repo owner
Unfortunately I couldn't reproduce it. Perhaps an onsite (remote) debugging would reveal the problem.

Btw. is it true that all user@domain address has an alias like user@domain2?
- 2015-03-13T12:21:12+00:00
Dr Evil reporter
We have multiple mail domains that are connected to different users by exchange email address polcies. So User1 can belong to maildomain domain1.com, our-domain1.com and someotherdomain1.com where User2 belongs to domain1.com and third-domain.net and so on.

For the debugging i'll contact you directly.
- 2015-03-13T16:11:24+00:00
Janos SUTO repo owner
Debugging revealed that there was a typo in the sso auth code. Now it's fixed, and it works properly.
- 2015-03-16T15:05:54+00:00
Janos SUTO repo owner
- changed status to resolved
- 2015-03-16T15:06:02+00:00
Log in to comment

Assignee: Janos SUTO

Type: bug

Priority: major

Status: resolved

Votes: 0

Watchers: 2