Discussion:
[SOGo] Restrict EAS usage?
Chris
2016-03-13 10:10:23 UTC
Dear all,

is it possible to allow Exchange Active Sync for some users only?

- Chris
--
***@sogo.nu
https://inverse.ca/sogo/lists
Ludovic Marcotte
2016-03-13 13:32:20 UTC
Post by Chris
is it possible to allow Exchange Active Sync for some users only?
Yes - have a look at ModulesConstraints in the documentation.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Chris
2016-03-13 15:11:43 UTC
Post by Ludovic Marcotte
Post by Chris
is it possible to allow Exchange Active Sync for some users only?
Yes - have a look at ModulesConstraints in the documentation.
Thank you! Haven't found that.

- Chris
Zhang Huangbin
2016-03-13 14:31:54 UTC
Post by Ludovic Marcotte
Yes - have a look at ModulesConstraints in the documentation.
Excuse me, I don't quite understand this parameter in SOGo document.

It says: "Limits the access of any module through a constraint based on an LDAP attribute;"

ModulesConstraints = {
    Calendar = {
        ou = employees;
    };
};

Does it mean SOGo will query mail users with ldap filter "(&(...)(ou=employees))"? Or, only users under dn "ou=employees,...,dc=xx,dc=xx"?

Is it possible to restrict with ldap filter like "(ldap_attr_name=value)"? or "(!(ldap_attr_name=value))"?

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Ludovic Marcotte
2016-03-13 16:30:34 UTC
Post by Zhang Huangbin
Excuse me, I don't quite understand this parameter in SOGo document.
It says: "Limits the access of any module through a constraint based on an LDAP attribute;"
ModulesConstraints = {
    Calendar = {
        ou = employees;
    };
};
Does it mean SOGo will query mail users with ldap filter "(&(...)(ou=employees))"? Or, only users under dn "ou=employees,...,dc=xx,dc=xx"?
The former.
Post by Zhang Huangbin
Is it possible to restrict with ldap filter like "(ldap_attr_name=value)"? or "(!(ldap_attr_name=value))"?
No but you can combine it with filter = "...";
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
Chris
2016-03-13 17:05:17 UTC
Post by Zhang Huangbin
Is it possible to restrict with ldap filter like "(ldap_attr_name=value)"?
or "(!(ldap_attr_name=value))"?
Syntax in your SOGo user sources section is:

ModulesConstraints = {
    ActiveSync = {
        filter = "(objectClass='inetOrgPerson') AND eas='enabled'";
    };
};

Clients get 403 if they're not allowed, but 1. don't display any error
message and 2. try again and again and again. I guess this is an Android
issue and not SOGo's fault.

- Chris
--
Ludovic Marcotte
2016-03-13 17:27:05 UTC
Chris
2016-03-13 19:10:49 UTC
Post by Zhang Huangbin
Post by Zhang Huangbin
Is it possible to restrict with ldap filter like "(ldap_attr_name=value)"? or "(!(ldap_attr_name=value))"?
ModulesConstraints = {
    ActiveSync = {
        filter = "(objectClass='inetOrgPerson') AND eas='enabled'";
    };
};
Well there's an error. It isn't working like expected. Changing the LDAP
attribute has no influence.

- Chris
Ludovic Marcotte
2016-03-13 19:20:18 UTC
Post by Chris
Well there's an error. It isn't working like expected. Changing the LDAP
attribute has no influence.
You cannot use filter = ... inside ModulesConstraints - which is limited
to a single key/value pair.

But you can combine ModulesConstraints and filter = ... within your
SOGoUserSources.
--
Ludovic Marcotte
***@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)
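
The layout described in the reply above, as an added example that is not from any poster in this thread or from the SOGo documentation: the EOQualifier-style `filter` sits at the user-source level, and `ModulesConstraints` holds one LDAP attribute/value pair per module. It assumes an LDAP attribute `eas` with value `enabled` (the names Chris used earlier); the hostname, `id`, and field-name values are placeholders.

```conf
/* sogo.conf fragment (constructed example, placeholder values) */
SOGoUserSources = (
    {
        type = ldap;
        id = directory;                        /* placeholder source id */
        hostname = "ldap://ldap.example.org";  /* placeholder host */
        baseDN = "dc=myorganization,dc=org";
        CNFieldName = cn;
        IDFieldName = uid;
        UIDFieldName = uid;
        canAuthenticate = YES;
        isAddressBook = NO;

        /* Source-level filter: decides which LDAP entries are SOGo
           users at all. This is where an EOQualifier expression goes. */
        filter = "(objectClass='inetOrgPerson')";

        /* Per-module constraint: a single attribute = value pair.
           Users of this source whose entry lacks eas=enabled are
           refused ActiveSync (the 403 mentioned in the thread) while
           keeping access to the other modules. */
        ModulesConstraints = {
            ActiveSync = {
                eas = enabled;   /* assumed attribute name and value */
            };
        };

        /* Form reported as not working in this thread, because
           ModulesConstraints takes only one key/value pair and
           "filter" is not an LDAP attribute:

           ModulesConstraints = {
               ActiveSync = {
                   filter = "(objectClass='inetOrgPerson') AND eas='enabled'";
               };
           };
        */
    }
);
```

After changing the attribute on a test account, confirm the result with an ActiveSync client for one user with the attribute and one without; an allowed user should sync and a denied user should receive 403.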
Chris
2016-03-13 21:33:01 UTC
Post by Ludovic Marcotte
Post by Chris
Well there's an error. It isn't working like expected. Changing the LDAP
attribute has no influence.
You cannot use filter = ... inside ModulesConstraints - which is limited
to a single key/value pair.
But you can combine ModulesConstraints and filter = ... within your
SOGoUserSources.
Now, I've added an additional user source, but it isn't working:

...
baseDN = "dc=myorganization,dc=org";
hostname = ...
canAuthenticate = YES
...
id = eas;
isAddressBook = NO;
filter = "(objectClass='inetOrgPerson') AND active-sync='enabled'";
ModulesConstraints = {
    ActiveSync = {
        ou = people;
    };
};
...

Users are all in the same LDAP branch, but some have the active-sync
attribute enabled.

- Chris