LDAP Group Membership not working

  • Greetings,

    I have a problem with configuring Kopano with LDAP. It seems to ignore certain config parameters (or i’ve missed something…).

    All my groups appear empty, Kopano doesn’t seem to find the group members.
    They are all listed under the attribute “member” as full DN.

    LDAP Structure of a example group:

    # example@domain1.de, groups, domain1.de, domains, domain2.net
    dn: mail=example@domain1.de,ou=groups,ou=domain1.de,o=domains,dc=domain2,dc=net
    member: mail=user1@domain1.de,ou=people,ou=domain1.de,o=domains,dc=domain2,dc=
    member: mail=user2@domain1.de,ou=people,ou=domain1.de,o=domains,dc=domain2,dc
    objectClass: groupOfNames
    objectClass: kopano-group
    mail: example@domain1.de
    kopanoSendAsPrivilege: user2@domain1.de
    kopanoSendAsPrivilege: user1@domain1.de
    cn:: SW1tbyBBw59lbG1hbm4=
    kopanoAccount: 1

    (Yes, the DN Syntax is not the usual one, sadly I cannot change it easily)


    # Select implementation.
    # If you have any reason to override settings from /usr/share/kopano/*.cfg,
    # do so at the end of this (/etc-resident) config file.
    !include /usr/share/kopano/ldap.openldap.cfg
    #!include /usr/share/kopano/ldap.active-directory.cfg
    # LDAP host name/IP address
    ldap_host = localhost
    # LDAP port
    # Optional, default = 389
    # Use 636 for ldaps
    ldap_port = 636
    # LDAP protocol
    # Optional, default = ldap
    # use 'ldaps' for Implicit SSL encryption. Make sure /etc/ldap/ldap.conf is
    # configured correctly with TLS_CACERT
    ldap_protocol = ldaps
    # LDAP URI
    # Optional, override ldap_host, ldap_port and ldap_protocol if set
    # e.g. ldaps://servername:port. You may also specify multiple space-separated
    # URIs
    ldap_uri = ldaps:///
    # The charset that strings are stored in on the LDAP server. Normally this
    # is utf-8, but this can differ according to your setup. The charset specified
    # here must be supported by your iconv(1) setup. See iconv -l for all charset
    #ldap_server_charset = utf-8
    # The DN of the user to bind as for normal operations (not used for
    # authentication if ldap_authentication_method is set to "bind".
    # When empty, uses anonymous binding.
    # The userPassword attribute must be readable for this user if the
    # ldap_authentication_method option is set to password.
    ldap_bind_user = cn=kopano,ou=security,dc=domain2,dc=net
    # LDAP bind password
    ldap_bind_passwd = <snip>
    # The timeout for network operations in seconds
    #ldap_network_timeout = 30
    # ldap_page_size limits the number of results from a query that will be downloaded at a time.
    # Default ADS MaxPageSize is 1000.
    #ldap_page_size = 1000
    # Object settings
    # Top level search base, every object should be available under this tree
    ldap_search_base = o=domains,dc=domain2,dc=net
    # Use custom defined LDAP property mappings
    # This is not a requirement for most environments but allows custom mappings of
    # special LDAP properties to custom MAPI attributes
    #!propmap /etc/kopano/ldap.propmap.cfg
    # Custom LDAP Settings
    # Mappings
    ldap_user_type_attribute_value = inetOrgPerson
    ldap_group_type_attribute_value = groupOfNames
    ldap_contact_type_attribute_value = kopano-contact
    ldap_company_type_attribute_value = kopano-company
    # Filter
    ldap_user_search_filter = (&(objectClass=kopano-user)(kopanoAccount=1))
    ldap_group_search_filter = (&(objectClass=kopano-group)(kopanoAccount=1))
    # UIDs
    ldap_user_unique_attribute = mail
    ldap_loginname_attribute = mail
    ldap_sendas_relation_attribute = mail
    ldap_group_unique_attribute = mail
    # Group membership
    ldap_groupmembers_attribute = member
    ldap_groupmembers_relation_attribute = 
    ldap_groupmembers_attribute_type = dn
    ldap_company_search_filter = (&(objectClass=kopano-company)(kopanoAccount=1))
    ldap_addresslist_search_filter = (&(objectClass=kopano-addresslist)(kopanoAccount=1))
    ldap_dynamicgroup_search_filter = (&(objectClass=kopano-dynamicgroup)(kopanoAccount=1))

    What am I missing? AFAIK I’ve correctly configured the Parameters:
    ldap_groupmembers_attribute, ldap_groupmembers_relation_attribute and ldap_groupmembers_attribute_type

    Thanks for your Help :-)

  • Kopano

    Hi @olia ,

    you are not specifying which version of Kopano you are using. I did a small test with a system running 8.6.2 and for me it works as expected:

    $ grep ldap_groupmembers /etc/kopano/ldap.cfg
    # Warning: the value "ldap_groupmembers_attribute_type" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_attribute_type"
    ldap_groupmembers_attribute_type = dn
    # Warning: the value "ldap_groupmembers_attribute" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_attribute"
    ldap_groupmembers_attribute = uniqueMember
    # Warning: the value "ldap_groupmembers_relation_attribute" has been set via UCR variable "kopano/cfg/ldap/ldap_groupmembers_relation_attribute"
    ldap_groupmembers_relation_attribute =
    $ kopano-cli --group "users office berlin"
    Name:           users office berlin
    Email address:
    Address Book:   visible
    Users (17):
                User           Full Name          Homeserver                                   Store
                anna         Anna Alster            ucs-4639        F316DDEB96AE423E831AB7CDBEED623D
               bernd        Bernd Brotox            ucs-4639        3D2ED01D943640439315052BD6D4E91C
              claudi      Claudia Conrad            ucs-4639        7262F0763A57448896BF3426E683CAA2
                dagi       Dagmar Dackel            ucs-4639        5E2CDFE357AC4A18B36BECEA047672B7
               fritz         Fritz Funke            ucs-4639        C33723FB35A44E3DA16CD86A522485CE
               heinzHeinz-Rüdiger Hochstettenhauser            ucs-4639        4273D464C7CA4269AF09F4496BB49475
                 ina            Ina Igel            ucs-4639        384456CEB0F145D2AB0D599F442C5B64
              justus     Justus Jonathan            ucs-4639        34BC71B8236E4B1FA592D67B084B375C
                karl       Karl Klampfer            ucs-4639        23F7C94737724DDCBB15CE05DBC68AE2
                nora        Nora Nockerl            ucs-4639        7D812F894E0441D9A5D9DB6189D92001
                olli        Oliver Ohlig            ucs-4639        1E78A14FF6434968BC0A10EC4751498A
               peter         Peter Panik            ucs-4639        DE857CAD13214F2780210F6C2D4BFB77
               sarah         Sarah Sahne            ucs-4639        829C2DC7695D442F86129FBE712963F2
                 ute        Ute Untertan            ucs-4639        0A790A9DB3F34E0DAFECE00A4F3B0EE0
                wineWilhelmine Winkelmann-Wüstig            ucs-4639        949EB767CF56475DAE1C07C835DFD4F6
                xena        Xena Xanadoo            ucs-4639        BF1B756CDA8F434684D9ECAA45B15B17
              zoltan         Zoltan Zorn            ucs-4639        424ED0E45E414EF9A01D810CA9413877
    $ univention-ldapsearch "cn=users office berlin"
    # extended LDIF
    # LDAPv3
    # base <dc=kopano,dc=intranet> (default) with scope subtree
    # filter: cn=users office berlin
    # requesting: ALL
    # users office Berlin, People, univention-demo-data, kopano.intranet
    dn: cn=users office Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc=intr
    sambaGroupType: 2
    cn: users office Berlin
    univentionObjectType: groups/group
    sambaSID: S-1-5-21-3863128490-1868122676-1605069003-11021
    gidNumber: 5010
    univentionGroupType: -2147483646
    uniqueMember: uid=karl,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=peter,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
    uniqueMember: uid=claudi,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
    uniqueMember: uid=bernd,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
    uniqueMember: uid=olli,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=sarah,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
    uniqueMember: uid=wine,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=zoltan,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
    uniqueMember: uid=fritz,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
    uniqueMember: uid=heinz,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,
    uniqueMember: uid=ute,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc
    uniqueMember: uid=nora,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=dagi,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=justus,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano
    uniqueMember: uid=anna,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    uniqueMember: uid=ina,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,dc
    uniqueMember: uid=xena,ou=Berlin,ou=People,ou=univention-demo-data,dc=kopano,d
    memberUid: karl
    memberUid: peter
    memberUid: claudi
    memberUid: bernd
    memberUid: olli
    memberUid: sarah
    memberUid: wine
    memberUid: zoltan
    memberUid: fritz
    memberUid: heinz
    memberUid: ute
    memberUid: nora
    memberUid: dagi
    memberUid: justus
    memberUid: anna
    memberUid: ina
    memberUid: xena
    kopanoAccount: 1
    objectClass: sambaGroupMapping
    objectClass: top
    objectClass: univentionGroup
    objectClass: univentionObject
    objectClass: kopano-group
    objectClass: posixGroup
    # search result
    search: 3
    result: 0 Success
    # numResponses: 2
    # numEntries: 1

  • Thanks for answering.

    Forgot to include the version, it’s also 8.6.2.

    I didn’t know the "kopano-cli --group “groupname” command. And indeed, the members are correctly shown there.

    But my issue still persists:
    I’ve always checked in the WebApp, and there the group is empty if I either look at the detail screen, or try to expand it while writing an email.
    Because of that, I cannot write an email to any kopano group - it sits permanently in the outbox.

  • Kopano

    hm… for me the group and its members also show in the gab in webapp and I can expand the group (or send an email to an unexpaned group).

  • I’ve just looked into the WebApp config.php, but AFAIK the GAB should not be disabled.


            The config file for the webapp.
            All possible web client settings can be set in this file. Some settings
            (language) can also be set per user or logon.
            // Comment next line to disable the config check (or set FALSE to log the config errors)
            define("CONFIG_CHECK", TRUE);
            // Use these options to optionally disable some PHP configuration checks.
            // WARNING: these checks will disable checks regarding the security of the WebApp site configuration,
            // only change them if you know the consequences - improper use will lead to an insecure installation!
            define("CONFIG_CHECK_COOKIES_HTTP", FALSE);
            define("CONFIG_CHECK_COOKIES_SSL", FALSE);
            // Depending on your setup, it might be advisable to change the lines below to one defined with your
            // default socket location.
            // Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
            // Examples: define("DEFAULT_SERVER", "default:");
            //           define("DEFAULT_SERVER", "http://localhost:236/kopano");
            //           define("DEFAULT_SERVER", "https://localhost:237/kopano");
            //           define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock");
            define("DEFAULT_SERVER", "default:");
            // When using a single-signon system on your webserver, but Kopano Core is on another server
            // you can use https to access the Kopano server, and authenticate using an SSL certificate.
            define("SSLCERT_FILE", NULL);
            define("SSLCERT_PASS", NULL);
            // Set to true to disable login with Single Sign-On (SSO) on SSO environments.
            define('DISABLE_REMOTE_USER_LOGIN', false);
            // set to 'true' to strip domain from login name found from Single Sign-On webservers
            define("LOGINNAME_STRIP_DOMAIN", false);
            // Name of the cookie that is used for the session
            define("COOKIE_NAME", "KOPANO_WEBAPP");
        // Set to 'true' to disable secure session cookies and to allow log-in without HTTPS.
            define("INSECURE_COOKIES", false);
            // The timeout (in seconds) for the session. User will be logged out of WebApp
            // when he has not actively used the WebApp for this time.
            // Set to 0 (or remove) for no timeout during browser session.
            define('CLIENT_TIMEOUT', 0);
            // Defines the domains from which cross domain authentication requests
            // are allowed. E.g. if WebMeetings runs under a different domain than
            // the WebApp then add this domain here. Add http(s):// to the domains
            // and separate domains with spaces.
            // Set to empty string (default) to only allow authentication requests
            // from within the same domain.
            // Set to "*" to allow authentication requests from any domain. (not
            // recommended)
            // Defines the domains to which redirection after login is allowed.
            // Add http(s):// to the domains and separate domains with spaces.
            // Note: The domain under which WebApp runs, is always allowed and does
            // not need to be added here.
            define('REDIRECT_ALLOWED_DOMAINS', '');
            // Defines the base url and end with a slash.
            $base_url = dirname($_SERVER["PHP_SELF"]);
            if(substr($base_url,-1)!="/") $base_url .="/";
            define("BASE_URL", $base_url);
            // Defines the temp path (absolute). Here uploaded attachments will be saved.
            // The web client doesn't work without this directory.
            define("TMP_PATH", "/var/lib/kopano-webapp/tmp");
            // Define the path to the plugin directory (No slash at the end)
            define("PATH_PLUGIN_DIR", "plugins");
            // Enable the plugins
            define("ENABLE_PLUGINS", true);
            // Define list of disabled plugins separated by semicolon
            define("DISABLED_PLUGINS_LIST", 'zdeveloper');
            // Define a list of plugins that cannot be disabled by users.
            // Plugins should be seperated by a semicolon (;). A wildcard (*)
            // can be used to identify multiple plugins.
            define("ALWAYS_ENABLED_PLUGINS_LIST", '');
            // General WebApp theme. This will be loaded by default for every user
            // (if the theme is installed as a plugin)
            // Users can override the 'logged-in' theme in the settings.
            define("THEME", '');
            // The title that will be shown in the title bar of the browser
            define("WEBAPP_TITLE", 'Kopano WebApp');
            // Set addressbook for GAB not to show any users unless searching for a specific user
            define("DISABLE_FULL_GAB", false);
            // Set true to hide public contact folders in address-book folder list,
            // false will show public contact folders in address-book folder list.
            define("DISABLE_PUBLIC_CONTACT_FOLDERS", true);
            // Set true to show public folders in hierarchy, false will disable public folders in hierarchy.
            define('ENABLE_PUBLIC_FOLDERS', true);
            // Set true to hide shared contact folders in address-book folder list,
            // false will show shared contact folders in address-book folder list.
            define("DISABLE_SHARED_CONTACT_FOLDERS", true);
            // Set to true to give users the possiblity to edit, create, and delete mail filters on the store
            // of other users. The user needs owner permissions on the store of the other user.
            define('ENABLE_SHARED_RULES', true);
            // Booking method (true = direct booking, false = send meeting request)
            define('ENABLE_DIRECT_BOOKING', true);
            // Enable GZIP compression for responses
            define('ENABLE_RESPONSE_COMPRESSION', true);
            // When set to true this disables the welcome screen to be shown for first time users.
            define('DISABLE_WELCOME_SCREEN', false);
            // When set to false it will disable showing of advanced settings.
            define('ENABLE_ADVANCED_SETTINGS', false);
            // Freebusy start offset that will be used to load freebusy data in appointments, number is subtracted from current time
            define('FREEBUSY_LOAD_START_OFFSET', 7);
            // Freebusy end offset that will be used to load freebusy data in appointments, number is added to current time
            define('FREEBUSY_LOAD_END_OFFSET', 90);
            // Maximum eml files to be included in a single ZIP archive
            define('MAX_EML_FILES_IN_ZIP', 50);
            // Additional color schemes for the calendars can be added by uncommenting and editing the following define.
            // The format is the same as the format of COLOR_SCHEMES which is defined in default.php
            // To change the default colors, COLOR_SCHEMES can also be defined here.
            // Note: Every color should have a unique name, because it is used to identify the color
            // define('ADDITIONAL_COLOR_SCHEMES', json_encode(array(
            //              array(
            //                      'name' => 'pink',
            //                      'displayName' => _('Pink'),
            //                      'base' => '#ff0099'
            //              )
            // )));
            // Additional categories can be added by uncommenting and editing the following define.
            // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
            // To change the default categories, DEFAULT_CATEGORIES can also be defined here.
            // Note: Every category should have a unique name, because it is used to identify the category
            // define('ADDITIONAL_CATEGORIES', json_encode(array(
            //              array(
            //                      'name' => _('Family'),
            //                      'color' => '#000000',
            //                      'quickAccess' => true,
            //                      'sortIndex' => 10
            //              )
            // )));
            // Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
            // define('CONTACT_PREFIX', json_encode(array(
            //      array(_('Er.')),
            //      array(_('Gr.'))
            // )));
            // Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
            // define('CONTACT_SUFFIX', json_encode(array(
            //      array(_('A')),
            //      array(_('B'))
            // )));
            * Memory usage and timeouts            *
            // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
            ini_set('max_execution_time', 300); // 5 minutes
            // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
            define('BLOCK_SIZE', 1048576);
            // Time that static files may exist in the client's cache (13 weeks)
            define('EXPIRES_TIME', 60*60*24*7*13);
            // Time that the state files are allowed to survive (in seconds)
            // For filesystems on which relatime is used, this value should be larger then the relatime_interval
            // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
            // 24 hours.
            define('STATE_FILE_MAX_LIFETIME', 28*60*60);
            // Time that attachments are allowed to survive (in seconds)
            define('UPLOADED_ATTACHMENT_MAX_LIFETIME', 6*60*60);
            * Languages                            *
            // Location to the translations
            define("LANGUAGE_DIR", "server/language/");
            // Defines the default interface language. This can be overriden by the user.
            if (isset($_ENV['LANG']) && $_ENV['LANG']!="C"){
                    define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
                    define('LANG', 'de_DE.UTF-8'); // default fallback language
            // List of languages that should be enabled in the logon
            // screen's language drop down.  Languages should be specified
            // using <languagecode>_<regioncode>[.UTF-8], and separated with
            // semicolon.  A list of available languages can be found in
            // the manual or by looking at the list of directories in
            // /usr/share/kopano-webapp/server/language .
            define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_TW");
            // Defines the default time zone, change e.g. to "Europe/London" when needed
            if(!ini_get('date.timezone')) {
            * Powerpaste                           *
            // Options for TinyMCE's powerpaste plugin, see https://www.tinymce.com/docs/enterprise/paste-from-word/#configurationoptions
            // for more details.
            define('POWERPASTE_WORD_IMPORT', 'merge');
            define('POWERPASTE_HTML_IMPORT', 'merge');
            define('POWERPASTE_ALLOW_LOCAL_IMAGES', true);
            * Debugging                            *
            // Do not log errors into stdout, since this generates faulty JSON responses.
            ini_set("display_errors", false);
            ini_set("log_errors", true);
            if (file_exists('debug.php')){
                    // define empty dump function in case we still use it somewhere
                    function dump(){}

  • Anyone got an idea? It’s pretty much stopping the migration to Kopano.

  • Kopano

    Hi, no sorry based on what you posted it sounds like it should work. I would recommend to get in contact with our support so that someone can have a direct look at your system.

Log in to reply