LDAP Group Membership not working


I have a problem with configuring Kopano with LDAP. It seems to ignore certain config parameters (or I’ve missed something…).

All my groups appear empty, Kopano doesn’t seem to find the group members.
They are all listed under the attribute “member” as full DN.

LDAP Structure of an example group:

# example@domain1.de, groups, domain1.de, domains, domain2.net
dn: mail=example@domain1.de,ou=groups,ou=domain1.de,o=domains,dc=domain2,dc=net
member: mail=user1@domain1.de,ou=people,ou=domain1.de,o=domains,dc=domain2,dc=
member: mail=user2@domain1.de,ou=people,ou=domain1.de,o=domains,dc=domain2,dc
objectClass: groupOfNames
objectClass: kopano-group
mail: example@domain1.de
kopanoSendAsPrivilege: user2@domain1.de
kopanoSendAsPrivilege: user1@domain1.de
cn:: SW1tbyBBw59lbG1hbm4=
kopanoAccount: 1

(Yes, the DN Syntax is not the usual one, sadly I cannot change it easily)



# Select implementation.
# If you have any reason to override settings from /usr/share/kopano/*.cfg,
# do so at the end of this (/etc-resident) config file.
!include /usr/share/kopano/ldap.openldap.cfg
#!include /usr/share/kopano/ldap.active-directory.cfg

# LDAP host name/IP address
ldap_host = localhost

# LDAP port
# Optional, default = 389
# Use 636 for ldaps
ldap_port = 636

# LDAP protocol
# Optional, default = ldap
# use 'ldaps' for Implicit SSL encryption. Make sure /etc/ldap/ldap.conf is
# configured correctly with TLS_CACERT
ldap_protocol = ldaps

# Optional, override ldap_host, ldap_port and ldap_protocol if set
# e.g. ldaps://servername:port. You may also specify multiple space-separated
# URIs
ldap_uri = ldaps:///

# The charset that strings are stored in on the LDAP server. Normally this
# is utf-8, but this can differ according to your setup. The charset specified
# here must be supported by your iconv(1) setup. See iconv -l for all charset
#ldap_server_charset = utf-8

# The DN of the user to bind as for normal operations (not used for
# authentication if ldap_authentication_method is set to "bind".
# When empty, uses anonymous binding.
# The userPassword attribute must be readable for this user if the
# ldap_authentication_method option is set to password.
ldap_bind_user = cn=kopano,ou=security,dc=domain2,dc=net

# LDAP bind password
ldap_bind_passwd = <snip>

# The timeout for network operations in seconds
#ldap_network_timeout = 30
# ldap_page_size limits the number of results from a query that will be downloaded at a time.
# Default ADS MaxPageSize is 1000.
#ldap_page_size = 1000

# Object settings

# Top level search base, every object should be available under this tree
ldap_search_base = o=domains,dc=domain2,dc=net

# Use custom defined LDAP property mappings
# This is not a requirement for most environments but allows custom mappings of
# special LDAP properties to custom MAPI attributes
#!propmap /etc/kopano/ldap.propmap.cfg

# Custom LDAP Settings

# Mappings
ldap_user_type_attribute_value = inetOrgPerson
ldap_group_type_attribute_value = groupOfNames
ldap_contact_type_attribute_value = kopano-contact
ldap_company_type_attribute_value = kopano-company

# Filter
ldap_user_search_filter = (&(objectClass=kopano-user)(kopanoAccount=1))
ldap_group_search_filter = (&(objectClass=kopano-group)(kopanoAccount=1))

# UIDs
ldap_user_unique_attribute = mail
ldap_loginname_attribute = mail
ldap_sendas_relation_attribute = mail
ldap_group_unique_attribute = mail

# Group membership
ldap_groupmembers_attribute = member
ldap_groupmembers_relation_attribute = 
ldap_groupmembers_attribute_type = dn

ldap_company_search_filter = (&(objectClass=kopano-company)(kopanoAccount=1))

ldap_addresslist_search_filter = (&(objectClass=kopano-addresslist)(kopanoAccount=1))
ldap_dynamicgroup_search_filter = (&(objectClass=kopano-dynamicgroup)(kopanoAccount=1))

What am I missing? AFAIK I’ve correctly configured the Parameters:
ldap_groupmembers_attribute, ldap_groupmembers_relation_attribute and ldap_groupmembers_attribute_type

Thanks for your Help :-)
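A diagnostic for the configuration in the post above, as an added example that is not part of the original thread or of Kopano's code: it parses an ldapsearch LDIF export and flags group members whose DN lies outside ldap_search_base or whose entry does not satisfy the terms of ldap_user_search_filter. All DNs are constructed samples, and treating those two conditions as what makes a member resolvable is an assumption.

```python
import base64

# Keys mirror the ldap.cfg options in the post; all DNs below are constructed samples.
CFG = {"search_base": "o=domains,dc=example,dc=org", "members_attr": "member",
       "user_filter": [("objectClass", "kopano-user"), ("kopanoAccount", "1")]}
SAMPLE_LDIF = """\
dn: mail=team@example.org,ou=groups,o=domains,dc=example,dc=org
cn:: VGVhbSDDnA==
member: mail=a@example.org,ou=people,o=domains,dc=exam
 ple,dc=org
member: mail=b@example.org,ou=people,o=domains,dc=example,dc=org
member: mail=c@example.org,ou=staff,dc=example,dc=org

dn: mail=a@example.org,ou=people,o=domains,dc=example,dc=org
objectClass: kopano-user
kopanoAccount: 1

dn: mail=b@example.org,ou=people,o=domains,dc=example,dc=org
objectClass: inetOrgPerson
"""

def normalize_dn(dn):
    # Simplified comparison form: lowercase, trim each RDN (escaped commas not handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized_dn: {attr: [values]}} from LDIF text."""
    unfolded = text.replace("\n ", "")   # a leading space continues the previous line
    entries = {}
    for block in unfolded.split("\n\n"):
        entry, dn = {}, None
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):    # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if attr.lower() == "dn":
                dn = normalize_dn(value)
            else:
                entry.setdefault(attr.lower(), []).append(value.strip())
        if dn:
            entries[dn] = entry
    return entries

def check_groups(entries, cfg=CFG):
    """Return {group_dn: {member_dn: [problems]}}; an empty list means no problem found."""
    base, report = normalize_dn(cfg["search_base"]), {}
    for group_dn, group in entries.items():
        for member in group.get(cfg["members_attr"].lower(), []):
            dn = normalize_dn(member)
            problems = report.setdefault(group_dn, {}).setdefault(dn, [])
            if not dn.endswith("," + base):
                problems.append("outside ldap_search_base")
            if dn not in entries:
                problems.append("no entry in export")
                continue
            for attr, want in cfg["user_filter"]:  # assumed: members must match every term
                values = [v.lower() for v in entries[dn].get(attr.lower(), [])]
                if want.lower() not in values:
                    problems.append(f"fails filter term {attr}={want}")
    return report

if __name__ == "__main__":
    print(check_groups(parse_ldif(SAMPLE_LDIF)))
```

Feed it the output of an ldapsearch over the whole search base, so that user entries are present alongside the groups.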

Hi @olia ,

you are not specifying which version of Kopano you are using. I did a small test with a system running 8.6.2 and for me it works as expected:

$ grep ldap_groupmembers /etc/kopano/ldap.cfg
# Warning: the value "ldap_groupmembers_attribute_type" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_attribute_type"
ldap_groupmembers_attribute_type = dn
# Warning: the value "ldap_groupmembers_attribute" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_attribute"
ldap_groupmembers_attribute = uniqueMember
# Warning: the value "ldap_groupmembers_relation_attribute" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_relation_attribute"
ldap_groupmembers_relation_attribute =
$ kopano-cli --group "users office berlin"
Name:           users office berlin
Email address:
Address Book:   visible
Users (17):
            User           Full Name          Homeserver                                   Store
            anna         Anna Alster            ucs-4639        F316DDEB96AE423E831AB7CDBEED623D
           bernd        Bernd Brotox            ucs-4639        3D2ED01D943640439315052BD6D4E91C
          claudi      Claudia Conrad            ucs-4639        7262F0763A57448896BF3426E683CAA2
            dagi       Dagmar Dackel            ucs-4639        5E2CDFE357AC4A18B36BECEA047672B7
           fritz         Fritz Funke            ucs-4639        C33723FB35A44E3DA16CD86A522485CE
           heinzHeinz-Rüdiger Hochstettenhauser            ucs-4639        4273D464C7CA4269AF09F4496BB49475
             ina            Ina Igel            ucs-4639        384456CEB0F145D2AB0D599F442C5B64
          justus     Justus Jonathan            ucs-4639        34BC71B8236E4B1FA592D67B084B375C
            karl       Karl Klampfer            ucs-4639        23F7C94737724DDCBB15CE05DBC68AE2
            nora        Nora Nockerl            ucs-4639        7D812F894E0441D9A5D9DB6189D92001
            olli        Oliver Ohlig            ucs-4639        1E78A14FF6434968BC0A10EC4751498A
           peter         Peter Panik            ucs-4639        DE857CAD13214F2780210F6C2D4BFB77
           sarah         Sarah Sahne            ucs-4639        829C2DC7695D442F86129FBE712963F2
             ute        Ute Untertan            ucs-4639        0A790A9DB3F34E0DAFECE00A4F3B0EE0
            wineWilhelmine Winkelmann-Wüstig            ucs-4639        949EB767CF56475DAE1C07C835DFD4F6
            xena        Xena Xanadoo            ucs-4639        BF1B756CDA8F434684D9ECAA45B15B17
          zoltan         Zoltan Zorn            ucs-4639        424ED0E45E414EF9A01D810CA9413877
$ univention-ldapsearch "cn=users office berlin"
# extended LDIF
# LDAPv3
# base <dc=kopano,dc=intranet> (default) with scope subtree
# filter: cn=users office berlin
# requesting: ALL

# users office Berlin, People, univention-demo-data, kopano.intranet
dn: cn=users office Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc=intr
sambaGroupType: 2
cn: users office Berlin
univentionObjectType: groups/group
sambaSID: S-1-5-21-3863128490-1868122676-1605069003-11021
gidNumber: 5010
univentionGroupType: -2147483646
uniqueMember: uid=karl,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=peter,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
uniqueMember: uid=claudi,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
uniqueMember: uid=bernd,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
uniqueMember: uid=olli,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=sarah,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
uniqueMember: uid=wine,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=zoltan,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
uniqueMember: uid=fritz,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
uniqueMember: uid=heinz,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
uniqueMember: uid=ute,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc
uniqueMember: uid=nora,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=dagi,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=justus,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
uniqueMember: uid=anna,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
uniqueMember: uid=ina,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc
uniqueMember: uid=xena,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
memberUid: karl
memberUid: peter
memberUid: claudi
memberUid: bernd
memberUid: olli
memberUid: sarah
memberUid: wine
memberUid: zoltan
memberUid: fritz
memberUid: heinz
memberUid: ute
memberUid: nora
memberUid: dagi
memberUid: justus
memberUid: anna
memberUid: ina
memberUid: xena
kopanoAccount: 1
objectClass: sambaGroupMapping
objectClass: top
objectClass: univentionGroup
objectClass: univentionObject
objectClass: kopano-group
objectClass: posixGroup

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Thanks for answering.

Forgot to include the version, it’s also 8.6.2.

I didn’t know the kopano-cli --group "groupname" command. And indeed, the members are correctly shown there.

But my issue still persists:
I’ve always checked in the WebApp, and there the group is empty if I either look at the detail screen, or try to expand it while writing an email.
Because of that, I cannot write an email to any kopano group - it sits permanently in the outbox.

hm… for me the group and its members also show in the GAB in webapp and I can expand the group (or send an email to an unexpanded group).

I’ve just looked into the WebApp config.php, but AFAIK the GAB should not be disabled.



        // The config file for the webapp.
        // All possible web client settings can be set in this file. Some settings
        // (language) can also be set per user or logon.

        // Comment next line to disable the config check (or set FALSE to log the config errors)
        define("CONFIG_CHECK", TRUE);

        // Use these options to optionally disable some PHP configuration checks.
        // WARNING: these checks will disable checks regarding the security of the WebApp site configuration,
        // only change them if you know the consequences - improper use will lead to an insecure installation!

        // Depending on your setup, it might be advisable to change the lines below to one defined with your
        // default socket location.
        // Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
        // Examples: define("DEFAULT_SERVER", "default:");
        //           define("DEFAULT_SERVER", "http://localhost:236/kopano");
        //           define("DEFAULT_SERVER", "https://localhost:237/kopano");
        //           define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock");
        define("DEFAULT_SERVER", "default:");

        // When using a single-signon system on your webserver, but Kopano Core is on another server
        // you can use https to access the Kopano server, and authenticate using an SSL certificate.
        define("SSLCERT_FILE", NULL);
        define("SSLCERT_PASS", NULL);

        // Set to true to disable login with Single Sign-On (SSO) on SSO environments.
        define('DISABLE_REMOTE_USER_LOGIN', false);

        // set to 'true' to strip domain from login name found from Single Sign-On webservers
        define("LOGINNAME_STRIP_DOMAIN", false);

        // Name of the cookie that is used for the session
        define("COOKIE_NAME", "KOPANO_WEBAPP");

        // Set to 'true' to disable secure session cookies and to allow log-in without HTTPS.
        define("INSECURE_COOKIES", false);

        // The timeout (in seconds) for the session. User will be logged out of WebApp
        // when he has not actively used the WebApp for this time.
        // Set to 0 (or remove) for no timeout during browser session.
        define('CLIENT_TIMEOUT', 0);

        // Defines the domains from which cross domain authentication requests
        // are allowed. E.g. if WebMeetings runs under a different domain than
        // the WebApp then add this domain here. Add http(s):// to the domains
        // and separate domains with spaces.
        // Set to empty string (default) to only allow authentication requests
        // from within the same domain.
        // Set to "*" to allow authentication requests from any domain. (not
        // recommended)

        // Defines the domains to which redirection after login is allowed.
        // Add http(s):// to the domains and separate domains with spaces.
        // Note: The domain under which WebApp runs, is always allowed and does
        // not need to be added here.
        define('REDIRECT_ALLOWED_DOMAINS', '');

        // Defines the base url and end with a slash.
        $base_url = dirname($_SERVER["PHP_SELF"]);
        if(substr($base_url,-1)!="/") $base_url .="/";
        define("BASE_URL", $base_url);

        // Defines the temp path (absolute). Here uploaded attachments will be saved.
        // The web client doesn't work without this directory.
        define("TMP_PATH", "/var/lib/kopano-webapp/tmp");

        // Define the path to the plugin directory (No slash at the end)
        define("PATH_PLUGIN_DIR", "plugins");

        // Enable the plugins
        define("ENABLE_PLUGINS", true);

        // Define list of disabled plugins separated by semicolon
        define("DISABLED_PLUGINS_LIST", 'zdeveloper');

        // Define a list of plugins that cannot be disabled by users.
        // Plugins should be separated by a semicolon (;). A wildcard (*)
        // can be used to identify multiple plugins.
        define("ALWAYS_ENABLED_PLUGINS_LIST", '');

        // General WebApp theme. This will be loaded by default for every user
        // (if the theme is installed as a plugin)
        // Users can override the 'logged-in' theme in the settings.
        define("THEME", '');

        // The title that will be shown in the title bar of the browser
        define("WEBAPP_TITLE", 'Kopano WebApp');
        // Set addressbook for GAB not to show any users unless searching for a specific user
        define("DISABLE_FULL_GAB", false);

        // Set true to hide public contact folders in address-book folder list,
        // false will show public contact folders in address-book folder list.
        define("DISABLE_PUBLIC_CONTACT_FOLDERS", true);

        // Set true to show public folders in hierarchy, false will disable public folders in hierarchy.
        define('ENABLE_PUBLIC_FOLDERS', true);

        // Set true to hide shared contact folders in address-book folder list,
        // false will show shared contact folders in address-book folder list.
        define("DISABLE_SHARED_CONTACT_FOLDERS", true);

        // Set to true to give users the possibility to edit, create, and delete mail filters on the store
        // of other users. The user needs owner permissions on the store of the other user.
        define('ENABLE_SHARED_RULES', true);

        // Booking method (true = direct booking, false = send meeting request)
        define('ENABLE_DIRECT_BOOKING', true);

        // Enable GZIP compression for responses
        define('ENABLE_RESPONSE_COMPRESSION', true);

        // When set to true this disables the welcome screen to be shown for first time users.
        define('DISABLE_WELCOME_SCREEN', false);

        // When set to false it will disable showing of advanced settings.
        define('ENABLE_ADVANCED_SETTINGS', false);

        // Freebusy start offset that will be used to load freebusy data in appointments, number is subtracted from current time
        define('FREEBUSY_LOAD_START_OFFSET', 7);

        // Freebusy end offset that will be used to load freebusy data in appointments, number is added to current time
        define('FREEBUSY_LOAD_END_OFFSET', 90);

        // Maximum eml files to be included in a single ZIP archive
        define('MAX_EML_FILES_IN_ZIP', 50);

        // Additional color schemes for the calendars can be added by uncommenting and editing the following define.
        // The format is the same as the format of COLOR_SCHEMES which is defined in default.php
        // To change the default colors, COLOR_SCHEMES can also be defined here.
        // Note: Every color should have a unique name, because it is used to identify the color
        // define('ADDITIONAL_COLOR_SCHEMES', json_encode(array(
        //              array(
        //                      'name' => 'pink',
        //                      'displayName' => _('Pink'),
        //                      'base' => '#ff0099'
        //              )
        // )));

        // Additional categories can be added by uncommenting and editing the following define.
        // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
        // To change the default categories, DEFAULT_CATEGORIES can also be defined here.
        // Note: Every category should have a unique name, because it is used to identify the category
        // define('ADDITIONAL_CATEGORIES', json_encode(array(
        //              array(
        //                      'name' => _('Family'),
        //                      'color' => '#000000',
        //                      'quickAccess' => true,
        //                      'sortIndex' => 10
        //              )
        // )));

        // Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
        // define('CONTACT_PREFIX', json_encode(array(
        //      array(_('Er.')),
        //      array(_('Gr.'))
        // )));

        // Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
        // define('CONTACT_SUFFIX', json_encode(array(
        //      array(_('A')),
        //      array(_('B'))
        // )));

        // Memory usage and timeouts

        // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
        ini_set('max_execution_time', 300); // 5 minutes

        // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
        define('BLOCK_SIZE', 1048576);

        // Time that static files may exist in the client's cache (13 weeks)
        define('EXPIRES_TIME', 60*60*24*7*13);

        // Time that the state files are allowed to survive (in seconds)
        // For filesystems on which relatime is used, this value should be larger then the relatime_interval
        // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
        // 24 hours.
        define('STATE_FILE_MAX_LIFETIME', 28*60*60);
        // Time that attachments are allowed to survive (in seconds)
        define('UPLOADED_ATTACHMENT_MAX_LIFETIME', 6*60*60);

        // Languages

        // Location to the translations
        define("LANGUAGE_DIR", "server/language/");

        // Defines the default interface language. This can be overridden by the user.
        if (isset($_ENV['LANG']) && $_ENV['LANG']!="C"){
                define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
        } else {
                define('LANG', 'de_DE.UTF-8'); // default fallback language
        }

        // List of languages that should be enabled in the logon
        // screen's language drop down.  Languages should be specified
        // using <languagecode>_<regioncode>[.UTF-8], and separated with
        // semicolon.  A list of available languages can be found in
        // the manual or by looking at the list of directories in
        // /usr/share/kopano-webapp/server/language .
        define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_TW");

        // Defines the default time zone, change e.g. to "Europe/London" when needed
        if(!ini_get('date.timezone')) {

        // Powerpaste

        // Options for TinyMCE's powerpaste plugin, see https://www.tinymce.com/docs/enterprise/paste-from-word/#configurationoptions
        // for more details.
        define('POWERPASTE_WORD_IMPORT', 'merge');
        define('POWERPASTE_HTML_IMPORT', 'merge');
        define('POWERPASTE_ALLOW_LOCAL_IMAGES', true);

        // Debugging

        // Do not log errors into stdout, since this generates faulty JSON responses.
        ini_set("display_errors", false);

        ini_set("log_errors", true);

        if (file_exists('debug.php')){
                // define empty dump function in case we still use it somewhere
                function dump(){}

Anyone got an idea? It’s pretty much stopping the migration to Kopano.

Hi, no sorry based on what you posted it sounds like it should work. I would recommend to get in contact with our support so that someone can have a direct look at your system.