Create groups with LDAP Exchange users

Issue #517 resolved
Dr Evil created an issue

I try to create some groups in piler to allow access to other users' mails. All of them are Exchange (2010) users. SSO for the web GUI is already working, so LDAP lookups are fine.

But when I create a group and search for mail addresses, the LDAP query does not seem to work correctly:

Mar 4 07:44:45 mailpiler piler-webui[4265]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=user*))', attr='', 0 hits

Since proxyAddresses in Exchange start with "smtp", I tried that and got 324 hits:

Mar 4 07:47:17 mailpiler piler-webui[9992]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=smtp*))', attr='', 324 hits

So if I create a group and just add "user1.name1@domain.com" to email addresses and "user2.name2@domain.com" to assigned email addresses, user1 can't see mails from user2 or vice versa. If I try to add the addresses with the smtp: prefix (like "smtp:user1.name1@domain.com") I get a "Failed to modify: 0" error message.

What to do to get groups working in this setup?

Here is the version info:

piler 1.1.1, build 903, Janos SUTO sj@acts.hu

Build Date: Tue Mar 3 22:00:24 CET 2015
ldd version: ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13
gcc version: gcc version 4.7.2 (Debian 4.7.2-5)
Configure command: ./configure --localstatedir=/var --with-database=mysql --enable-starttls --enable-tcpwrappers

Comments (13)

  1. Janos SUTO repo owner

    Try setting the following in config-site.php:

    $config['LDAP_MAIL_ATTR'] = 'proxyAddresses';

    and it forces to use the 'smtp:' prefix.

  2. Dr Evil reporter

    Checked that, and it was already set. Strange thing I realised: if I log in with admin@local from a browser not using SSO, I can see this being logged:

    Mar  4 11:53:22 mailpiler piler-webui[13788]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=smtp:admin@local))', attr='', 0 hits
    

    And if I try to create a group after that login and search for users' email addresses, it switches back to searching without the prefix:

    Mar  4 11:53:33 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=te*))', attr='', 0 hits
    Mar  4 11:53:33 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=tes*))', attr='', 0 hits
    Mar  4 11:53:34 mailpiler piler-webui[13662]: ldap query: base dn='DC=domain,DC=com', filter='(&(objectClass=user)(proxyAddresses=test*))', attr='', 0 hits
    
  3. Janos SUTO repo owner

    admin@local is a local account, SSO shouldn't work for it. However, you have LDAP auth enabled, that's why it checks LDAP authentication first.

    For the email search problem try the following diff:

    --- a/webui/model/group/group.php
    +++ b/webui/model/group/group.php
    @@ -178,16 +178,20 @@ class ModelGroupGroup extends Model {
    
        public function get_emails_by_string($s = '', $page = 0, $page_len = PAGE_LEN) {
           $emails = array();
    +      $username_prefix = '';
    
           $from = (int)$page * (int)$page_len;
    
           if(strlen($s) < 1) { return array(); }
    
           if(ENABLE_LDAP_AUTH == 1) {
    +
    +         if(LDAP_MAIL_ATTR == 'proxyAddresses') { $username_prefix = 'smtp:'; }
    +
              $ldap = new LDAP(LDAP_HOST, LDAP_HELPER_DN, LDAP_HELPER_PASSWORD);
              if($ldap->is_bind_ok()) {
    
    -            $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $s . "*))", array());
    +            $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix$s . "*))", array());
    
                 if(isset($query->rows)) {
                    $emails = $this->model_user_auth->get_email_array_from_ldap_attr($query->rows);
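
    Review bot: the added `$query` line concatenates `$username_prefix$s` without the `.` operator, which PHP rejects as a parse error; it has to be `$username_prefix . $s`. While touching this line, note that `$s` (the text typed into the group page's search box) is spliced into the filter as-is, so a `*`, `(` or `)` in it changes the filter's structure instead of being searched for; pass it through `ldap_escape($s, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+) or an equivalent that replaces `\ * ( )` with their `\xx` forms before building the string. Minor: the new variable holds a mail-attribute prefix, not a username, so `$mail_attr_prefix` would describe it better than `$username_prefix`.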
    
  4. Dr Evil reporter

    After changing

    $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix$s . "*))", array());
    

    to

    $query = $ldap->query(LDAP_BASE_DN, "(&(objectClass=" . LDAP_ACCOUNT_OBJECTCLASS . ")(" . LDAP_MAIL_ATTR . "=" . $username_prefix.$s . "*))", array());
    

    LDAP queries are now working from the groups page. Thank you so far.

    The problem that user1 cannot see user2's mails or the other way round persists. Within the settings of user1 the created group gets listed. Something still seems to be wrong.

    Am I right that under "Email addresses" I have to put the email address of the user that wants to access other users' mails, and under "Assigned email addresses" enter the mail addresses to be visible to the user entered in the first place?
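
The filter the thread settles on, as an added example that is not piler's code: the prefix search on proxyAddresses with the `smtp:` prefix, plus RFC 4515 escaping of the typed fragment, which the patched PHP above does not do. The function names (`email_search_filter`, `ldap_escape_value`, `mail_attr_prefix`) are my own; the filter shape is the one in the logged queries.

```python
# Added example (not piler's code): build the e-mail prefix-search filter the
# group page sends to Active Directory, with the 'smtp:' prefix the thread
# settles on and with RFC 4515 escaping of the user-typed fragment.
# Names here (email_search_filter, ldap_escape_value, mail_attr_prefix) are mine.

# RFC 4515 reserves these characters inside a filter value; a raw '*' or ')'
# typed into the search box would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def mail_attr_prefix(mail_attr: str) -> str:
    """Exchange stores SMTP addresses in proxyAddresses as 'smtp:addr'
    ('SMTP:addr' for the primary address), so a prefix search on that
    attribute must start with 'smtp:'. Other attributes such as 'mail'
    hold the bare address. AD compares proxyAddresses case-insensitively,
    so 'smtp:' also finds the upper-case primary entry."""
    return "smtp:" if mail_attr.lower() == "proxyaddresses" else ""


def email_search_filter(fragment: str, mail_attr: str = "proxyAddresses",
                        objectclass: str = "user") -> str:
    """Filter for 'every account whose <mail_attr> starts with <fragment>'.

    Same shape as the filters in the thread's log lines, e.g.
    (&(objectClass=user)(proxyAddresses=smtp:user*)), except that the
    fragment is escaped before it is spliced into the filter."""
    if not fragment:
        raise ValueError("empty search fragment")  # piler returns no rows here
    return "(&(objectClass=%s)(%s=%s%s*))" % (
        objectclass, mail_attr, mail_attr_prefix(mail_attr), ldap_escape_value(fragment))


def unescaped_email_search_filter(fragment: str, mail_attr: str = "proxyAddresses",
                                  objectclass: str = "user") -> str:
    """The same filter built by plain concatenation, as the patched PHP does.
    Kept only to show how an unescaped fragment rewrites the filter."""
    return "(&(objectClass=%s)(%s=%s%s*))" % (
        objectclass, mail_attr, mail_attr_prefix(mail_attr), fragment)


if __name__ == "__main__":
    print(email_search_filter("user"))
    print(email_search_filter("te", mail_attr="mail"))
    # A lone '*' (constructed input) turns the unescaped prefix search into
    # 'every address'; escaped, it searches for addresses starting with '*'.
    print(unescaped_email_search_filter("*"))
    print(email_search_filter("*"))
```

The escaped form keeps the search a prefix search whatever is typed; the unescaped form is the one to compare against the `(proxyAddresses=te*)` lines in the log above.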

  5. Janos SUTO repo owner

    Yeah, thanks for fixing the typo. Check if in the settings menu you can see all email addresses and group associations. Then just hit the search button, then check the maillog for the issued sphinx query - it should include all visible (=allowed) email addresses.

  6. Dr Evil reporter

    This is a screenshot of the group setup

    Group_setup.PNG

    And here the users settings : User_Settings.PNG

    This is the output in maillog :

    Mar  5 07:57:35 mailpiler piler-webui[26022]: sphinx query: 'SELECT id FROM main1,dailydelta1,delta1 WHERE        MATCH(' (@from abtXdomainXcom| vtaXdomainXcom| vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| edvXtestXdomainXcom | @to abtXdomainXcom| vtaXdomainXcom| vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| edvXtestXdomainXcom) ') ORDER BY `sent` DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.02 s, 3 hits, 3 total found
    
  7. Janos SUTO repo owner

    Hmm, these pictures look good, except user1.name1@ can't be found in the search query. I need some more tests.

  8. Dr Evil reporter

    I'm sorry to say that this didn't do the trick :-( The results in the logs are the same.

    But in addition to the group's mail addresses not being searched, I realised that some of the user's mail addresses are also missing in the settings overview. "edv.test@domain.com" is the primary address, but the user also has "edv.test@our-domain.com" and additionally "edv-test@domain.com". The user cannot see mails that have been sent to "edv.test@our-domain.com". Looking at the search log output above, the mail address "edvXtestXourXdomainXcom" is missing.

    Maybe that helps ... if I can do any further testing please tell me.

    What I already tested was removing the X400 record from the active directory proxyAddresses attribute but that didn't change anything.
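
The check done by hand in the two comments above (which of the user's proxyAddresses entries actually appear in the logged sphinx query), as an added example that is not piler's code. It assumes, from the log line in comment 6, that the query writes each address with every non-alphanumeric character replaced by `X` (`edv.test@domain.com` becomes `edvXtestXdomainXcom`); the proxyAddresses sample, including the X400 entry, is constructed.

```python
# Added example (not piler's code): which of a user's Exchange SMTP addresses
# are covered by the sphinx query piler logs after a search.
# Assumptions (mine, not from the project): proxyAddresses entries look like
# 'smtp:addr' / 'SMTP:addr' (primary) / 'X400:...', and the logged query
# writes each address with every non-alphanumeric character replaced by 'X',
# as the log line in the thread suggests (edv.test@domain.com -> edvXtestXdomainXcom).
import re

# Constructed sample: the addresses the reporter lists for the user, with a
# made-up X400 entry of the kind Exchange adds.
PROXY_ADDRESSES = [
    "SMTP:edv.test@domain.com",
    "smtp:edv.test@our-domain.com",
    "smtp:edv-test@domain.com",
    "X400:c=DE;a= ;p=domain;o=Exchange;s=test;g=edv;",
]

# The sphinx query line quoted in the thread.
SAMPLE_LOG = (
    "Mar  5 07:57:35 mailpiler piler-webui[26022]: sphinx query: 'SELECT id FROM "
    "main1,dailydelta1,delta1 WHERE        MATCH(' (@from abtXdomainXcom| vtaXdomainXcom| "
    "vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| edvXtestXdomainXcom | @to "
    "abtXdomainXcom| vtaXdomainXcom| vtaXourXdomainXcom| admsXdomainXcom| admsXourXdomainXcom| "
    "edvXtestXdomainXcom) ') ORDER BY `sent` DESC LIMIT 0,1000 OPTION max_matches=1000' "
    "in 0.02 s, 3 hits, 3 total found"
)

_MATCH_RE = re.compile(r"MATCH\('\s*\((.*?)\)\s*'\)")


def smtp_addresses(proxy_addresses):
    """Every SMTP entry of proxyAddresses, lower-cased, in stored order;
    X400/X500/SIP entries are skipped."""
    out = []
    for entry in proxy_addresses:
        kind, sep, addr = entry.partition(":")
        if sep and kind.lower() == "smtp" and addr:
            out.append(addr.lower())
    return out


def sphinx_token(address):
    """Address as it appears in the logged MATCH() clause (assumed mapping)."""
    return re.sub(r"[^0-9A-Za-z]", "X", address.lower())


def addresses_in_sphinx_query(log_line):
    """Set of address tokens inside MATCH('(@from ... | @to ...)')."""
    m = _MATCH_RE.search(log_line)
    if not m:
        return set()
    words = m.group(1).replace("|", " ").split()
    return {w for w in words if not w.startswith("@")}  # drop the @from/@to field names


def missing_from_query(proxy_addresses, log_line):
    """SMTP addresses of the user that the logged query does not search for."""
    present = addresses_in_sphinx_query(log_line)
    return sorted(a for a in smtp_addresses(proxy_addresses)
                  if sphinx_token(a) not in present)


if __name__ == "__main__":
    print(missing_from_query(PROXY_ADDRESSES, SAMPLE_LOG))
```

On the sample this reports only `edv.test@our-domain.com` as missing. Note the caveat the X substitution brings: `edv-test@domain.com` and `edv.test@domain.com` both map to `edvXtestXdomainXcom`, so the check cannot tell from the log alone whether the hyphenated alias was included; only the LDAP result or the settings page can.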

  9. Janos SUTO repo owner

    Unfortunately I couldn't reproduce it. Perhaps an onsite (remote) debugging would reveal the problem.

    Btw. is it true that all user@domain addresses have an alias like user@domain2?

  10. Dr Evil reporter

    We have multiple mail domains that are connected to different users by Exchange email address policies. So User1 can belong to mail domains domain1.com, our-domain1.com and someotherdomain1.com, where User2 belongs to domain1.com and third-domain.net and so on.

    For the debugging I'll contact you directly.

  11. Janos SUTO repo owner

    Debugging revealed that there was a typo in the sso auth code. Now it's fixed, and it works properly.
