Installing SOGo

Web links for SOGo:

• SOGo project home page
• SOGo bug tracker

SOGo turns out to mean Scalable Open Groupware .org.

One possibility for testing SOGo is the ZEG Virtual Appliance. This is a pre-stuffed image, available for Virtualbox or VMWare. It includes SOGo, Funambol, and all required infrastructure: PostgreSQL, OpenLDAP, Cyrus (IMAP), Postfix and Apache. Since I'm a masochist, I'm going to compile it natively.

The SOGo download page has a source tarball, RPMs for RHEL5 and CentOS-5 (32 and 64 bit), deb packages for Debian (Lenny/5.0 and Squeeze/6.0) and Ubuntu (Intrepid/8.10, Karmic/9.10, Lucid/10.04), and the Funambol SOGo Connector. The SuSE Build Service does not have it. Nor does Packman. I will be installing the tarball, and perhaps later I will hack the spec file for use on SuSE. This will be SOGo-1.3.5a.tar.gz dated 2011-01-27. Dependency on SOPE (same version, same source). Download size is 3.4Mb and 2.2Mb (compressed).

Prerequisites.

Hardware

They always inflate the requirements. Quantities separated by slashes are for testing or for production.

• CPU: Intel, AMD or PowerPC, 1/1.5 GHz. Well, um, on a Koolu . . . There is probably no reason it can't run on other CPUs, and someone reports compiling it on ARM to run on a NSLU2.
• RAM: 0.5/2.0 Gb. OK.
• Disc: 1/10 Gb (mail storage in addition). OK.

Infrastructure

These are described in the installation guide.

• Database: MySQL, PostgreSQL, Oracle. Need to install. Need to find out if SQLite is acceptable. Per the Installation Guide, you specify a URL such as ${proto}://sogo:${passwd}@localhost:${port}/sogo/${table} where ${proto} can be postgresql, mysql or oracle. However, Fabrice Durand <oeufdure@free.fr> may or may not have a patch to add SQLite, and the source code includes a SQLite adaptor which is work in progress. The developers are also interested in adding unixODBC support.
• LDAP: OpenLDAP, Active Directory, etc. Installed and working.
• SMTP: Postfix, etc. Installed and working.
• IMAP: Courier, Cyrus, Dovecot, etc. Need to install (dovecot12-backend-sqlite).
• Sieve: This mail filter appears to be optional. Installed with Citadel.
• GNUstep Environment. Not in the main distro. Available from Build Service. Available: gnustep-make gnustep-base gnustep-base-devel gnustep-gui gnustep-gui-devel gnustep-back. (The latter is the backend for putting the GUI on X-Windows.) A forum post implies that we don't need the GUI portions. As of version 1.3.0, SOGo was developed with gnustep-base 1.19.3 and gcc 4.4.
• Memcached: I'm not sure who uses it, but it's listed adjacent to Apache. Not in main distro but is in v11.2 updates. Installed.
• You will need to create a special user called sogo. The global configuration file, among other things, is in its home directory, which was set to /var/lib/sogo. It needs a password, which can be used when it authenticates for LDAP queries. We're going to use the LDAP bind password for sogo's PW. [Done]

Setting Up Infrastructure

Showing only the ones installed in the previous step.

PostgreSQL

• It has a special user, postgres.
• Its home directory is /var/lib/pgsql.
• No need to monkey with /etc/sysconfig/postgresql, use defaults.
• To install the configuration files, start the server. Stop it, hack the conf, then restart. In the ./data subdir, the non-default items are pg_hba.conf and postgresql.conf.
• Copying pg_hba.conf from Malibu. Edit to allow sogo by ident authentication, and for network connections, restrict to the correct subnet.
• Link /etc/pam.d/postgres to com-aaonly.
• In postgresql.conf we have these hacks:
  • log_destination = 'syslog'
  • log_hostname = on
  • autovacuum = on
  • autovacuum_naptime = 10min

Dovecot

• It has a special user, dovecot.
• Its home directory is /var/run/dovecot. Its various sockets go here as well as the PID file.
• It has its own sieve implementation, apparently statically linked.
• Copying /etc/dovecot/dovecot.conf from Nasturtium.
• We have these non-default hacks:
  • ssl = yes, and specify host cert for otter.mine.nu.
  • mail_location = mbox:~/Mail:INBOX=/var/mail/%u
  • postmaster_address = postmaster@cft.ca.us
  • auth_verbose = yes
  • mechanisms = plain login gssapi
  • userdb passwd { args = blocking=yes }

GNUstep

Apparently does not need configuration. But the gdomap daemon has to be started at boot time.

memcached

Apparently does not need configuration. But the memcached daemon has to be started at boot time.

Devel Packages

On the SOGo website look under Support - FAQ - Compilation. These dependencies are listed:

• GNUstep (already installed as infrastructure) including gnustep-base-devel.
• gcc-objc (Objective-C compiler) package (need, main distro)
• libxml2-devel (have)
• openldap2-devel (have)
• postgresql-devel (need, main distro)
• libmysqlclient-devel (the spec file wants mysql-devel but on SuSE the package has the other name, which provides mysql-devel also.)
• libmemcached-devel (need, build service). It depends on libmemcached2 which depends on libmemcached (from build service). memcached was installed previously (not a dependency of these).

Compilation -- SOPE

The standard procedure:

• ./configure --prefix=/usr/local/SOPE --enable-debug --disable-strip
  The FAQ page recommends turning on debugging. There are no other optional features for this package.

• It says that SOPE does not automatically look beyond /usr and /usr/local for resources; if you install in an arbitrary path, source GNUstep.sh before executing the program. Presumably they mean /usr/share/GNUstep/Makefiles/GNUstep.sh .

• The other odd message from .configure was failed to link optional library: mysqlclient and it didn't say anything about pgsql.

• Make and make install seemed to go OK.

• It was willing to install in prefix /usr/local; this was the default prefix. SOPE ended up in these directories:

  • /usr/local/share/sope-4.9
  • /usr/local/sbin/sope-4.9
  • /usr/local/bin/connect-EOAdaptor
  • /usr/local/bin/load-EOAdaptor
  • /usr/local/bin/wod
  • A whole bunch of shared libraries in /usr/local/lib such as /usr/local/lib/libSBJson.so.2
  • /usr/local/lib/sope-4.9
  • A lot of subdirectories of /usr/local/include

• Re-done with --prefix=/usr/local/SOPE: it installed most stuff in the prefix except for these header files:

  • /usr/local/include//NGObjWeb
  • /usr/local/include/SBJson

Compilation -- SOGo

Same procedure:

• ./configure --enable-debug --disable-strip
  The FAQ page recommends turning on debugging. In fact, ./configure has it on by default. There are no other optional features for this package. It did not want to have --prefix=/usr/local (says not a GNUstep root) even though this is indicated as the default prefix. Neither would it swallow /usr/local/SOGo like SOPE would. It actually used /usr/Local as the prefix, so it says. However, the content ended up in /usr/local.

• I hacked ./configure to turn the prefix rejection into a warning. Instead try setting GNUSTEP_INSTALLATION_DIR to the desired prefix.

• Make and make install seemed to go OK with the default prefix. The content (1273 files) ended up in:

  • /usr/local/sbin/sogod
  • /usr/local/sbin/sogo-ealarms-notify
  • /usr/local/sbin/sogo-tool
  • /usr/local/sbin/sogo-slapd-sockd
  • /usr/local/lib/libSOGo.so.1.3 and several friends
  • /usr/local/lib/GNUstep numerous subdirectories
  • Various subdirectories in /usr/local/include, some of which are symlinks into ../lib/GNUstep .

• Compilation needs -I/usr/local/SOPE/include.

Compilation -- SOGo in own prefix

I tried recompiling it with --prefix=/usr/local/SOGo. It had a great deal of trouble to find its internal libraries, and I never did get it to link everything.

Hacking RPM Spec Files

I have two issues here. First, if I compile with --prefix=/usr/local it installs about 1700 files and it's going to be a pain if I ever want to uninstall it. Second, for configuration management I sync /usr/local from the master site, and that means SOGo/SOPE will end up on every other host, which I don't want. If I can compile RPMs then rpm will handle the uninstall issue, and there is no need to install it on irrelevant hosts.

The TGZ for SOGo has a spec file but SOPE doesn't. However, see this advice:

• http://www.mail-archive.com/users@sogo.nu/msg03779.html from Fabrice Durand (2011-02-07) referring to source RPMs in http://www.sogo.nu/files/downloads/SOGo/RHEL5/SRPMS/.

• http://www.mail-archive.com/users@sogo.nu/msg03781.html, responding to a specific query about SuSE, gives a reference to FC11 SRPMs from a different site: SOPE-4.9 and SOGo-1.3.5a. Plus details for jiggering the spec files.

  Later (2011-02-11 I think) he created SuSE spec files and srpms. I sent my hacked spec files to him for comparison.

• I Downloaded the FC11 SRPMs (5.5Mb compressed).

• rpm -i {sope,sogo]-$VERS.rpm

• Following instructions, in /usr/src/packages/SPECS I edited sope.spec and sogo.spec as follows:

  • Replace /etc/fedora-release with /etc/SuSE-release (sope 23 places, sogo 12 places)
  • %define dist_suffix fc11 changing to suse112 (sope 1 place)
  • Change the dependency on openldap-devel to openldap2-devel (sope 1 place).
  • Add to the initial set of %defines: %define sope_source SOPE.tar.gz (for sope only). Find this file basename in /usr/src/packages/SOURCES . Not needed for SOGo.
  • In sope.spec, find ngobjweb.make woapp.make wobundle.make and change their containing directory from %{_libdir} to %{_datadir} which is where they really end up per SuSE's version of GNUstep. They occur together in one %files section. Ignore the %else section which is for non-distro building.
  • In sogo.spec, look for /etc/httpd/conf.d/SOGo.conf and change to /etc/apache2/conf.d/SOGo.conf .
  • There is an extra devel package: mysql-devel. It builds the gd11-mysql datastore package (and gd11-postgresql) even if you don't plan to use it. Either just go along, or comment out the MySQL stuff. On SuSE this package is actually libmysqlclient-devel and Zypper will find it when told zypper install mysql-devel.

• rpmbuild -ba ./sope.spec (capture the output with |& tee /tmp/sope.log)

• SOPE will go into prefix /usr/Local, so it says. The stuff really has --prefix=/usr, e.g. /usr/lib/libNGStreams.so.4.9.57 and lots of friends. At least it's an RPM so you can find and remove it if you don't like it. These RPMs were built (in /usr/src/packages/RPMS/i586) (total size 4.4Mb compressed):

  • sope49-appserver-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-appserver-devel-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-core-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-core-devel-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-gdl1-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-gdl1-devel-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-gdl1-mysql-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-gdl1-postgresql-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-ldap-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-ldap-devel-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-mime-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-mime-devel-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-sbjson-2.3.1-20110127_1664.suse112.1.i586.rpm
  • sope49-sbjson-devel-2.3.1-20110127_1664.suse112.1.i586.rpm
  • sope49-xml-4.9-20110127_1664.suse112.1.i586.rpm
  • sope49-xml-devel-4.9-20110127_1664.suse112.1.i586.rpm

• Install at least these packages which you just built. If you put the RPMs in your enterprise repository, the devel packages should drag in the underlying functional packages and their dependencies.

  • sope49-appserver-devel
  • sope49-core-devel
  • sope49-gdl1-devel
  • sope49-ldap-devel
  • sope49-mime-devel
  • sope49-sbjson-devel
  • sope49-xml-devel
  • sope49-gdl1-postgresql (not required for build, but jimc will use PostgreSQL in production)

• rpmbuild -ba ./sogo.spec (capture the output with |& tee /tmp/sogo.log).

• SOGo builds. These RPMs are produced (in /usr/src/packages/RPMS/i586 ) (total size 3.2Mb compressed):

  • sogo-1.3.5a-1.i586.rpm -- The main server package.
  • sogo-tool-1.3.5a-1.i586.rpm -- Command line tool(s); the most important function is backing up and restoring user data.
  • sogo-slapd-sockd-1.3.5a-1.i586.rpm -- Backend to put addressbooks in LDAP.
  • sogo-ealarms-notify-1.3.5a-1.i586.rpm -- Execute this once a minute to emit alarms by email.
  • sogo-devel-1.3.5a-1.i586.rpm
  • sope49-gdl1-contentstore-1.3.5a-1.i586.rpm
  • sope49-gdl1-contentstore-devel-1.3.5a-1.i586.rpm
  • sope49-cards-1.3.5a-1.i586.rpm -- Parser for the PIM objects (vCard, vEvent, etc.)
  • sope49-cards-devel-1.3.5a-1.i586.rpm

• Install them (not the devel packages); if you put them in your enterprise repository, the keystone packages are the four SOGo items.

• /etc/init.d/sogod is not LSB compliant; on a LSB distro like openSUSE you'll have to edit the script with Provides, Required-Start, etc. **** provide script here.

Apache Configuration

/etc/apache2/conf.d/SOGo.conf will use mod_proxy to hand off PIM requests to SOGo on localhost port 20000. I needed to make these adjustments to the file:

• It was in /etc/httpd/conf.d/SOGo.conf because I didn't jigger sogo.spec to put it in the right place.

• Look for yourhostname and change to the FQDN of your server (2 places in RequestHeader of the proxy to SOGo on port 20000).

• If you are using Apache authentication, uncomment the relevant sections. We should set up mod_auth_ldap and mod_auth_kerb (Kerberos), and have SOGo cue from the Apache proxy, but I'm going to start with native auth to reduce the number of possible screwups.

• You need to edit /etc/sysconfig/apache2 , the APACHE_MODULES variable. Make sure you are loading mod_alias, mod_headers, mod_proxy and mod_rewrite. Also any modules needed for authentication, if turned on. Normally you omit mod_ in the list.

• You need to reload Apache to get the added modules and SOGo.conf. Do /etc/init.d/apache2 reload.

SOGo Configuration

Returning to the SOGo Installation and Configuration Guide:

• Create the home directory of the sogo user. I put mine in /var/lib/sogo. Probably the group is irrelevant but I put my user in primary group mail, and I'll set that group for the homedir also. It's going to have a file containing the database password, so I'm setting the mode to 700.

• Make sure you know your LDAP parameters. The values shown are the typical values from the Installation Guide. You end up setting them in the LDAP member of the SOGoUserSources list.

  General

  • type = ldap; -- Choices are ldap or sql.
  • id = public; -- The identification name of the LDAP repository. Not sure what this means. Probably it's just an identifier to be used in error messages.

  LDAP Server

  • hostname = "localhost"; -- Hostname where LDAP server is running.
  • port = 389 -- The port that the LDAP server listens on (default is 389).
  • encryption = "STARTTLS"; -- Specify this if (1) the server can do TLS, which it ought to, and (2) you actually authenticate with bindDN and bindPassword, or bindAsCurrentUser is true.

  Binding

  • bindDN = "uid=sogo,ou=People,dc=acme,dc=com"; -- Lacking these two, SOGo will bind anonymously, which is safer and uses less resources than authenticated binding.
  • bindPassword = qwerty;
  • bindAsCurrentUser = YES; (NO is the default) -- Once the user is authenticated, its UID and password will be used to bind. Most LDAP servers are configured to require this for write access; some may require it for read access.

  Searching

  • baseDN = "ou=People,dc=acme,dc=com"; -- The Distinguished Name of the root of your users table. In a POSIX schema it would start with People, as shown.
  • filter -- If appropriate you can restrict SOGo's attention to a subset of users. (Optional)
  • ModulesConstraints -- See the Installation Guide for this one (optional). It might save fruitless searches.

  Attributes

  • IDFieldName = uid; -- Attribute containing the primary key, the first component of the user record's Distinguished Name. uid is normally the name of this attribute.
  • UIDFieldName = uid; -- The value of this attribute is the user ID that the user will specify to log in. Normally same as IDFieldName.
  • CNFieldName = gecos; -- Attribute containing the user's full name. gecos is what it's called in UNIX (POSIX schema); other schemata like Windows Active Directory may call it cn for Common Name.
  • IMAPHostFieldName = mailHost; -- This attribute gives the hostname of the IMAP server holding the user's mail. (Optional.)

  Semantics

  • canAuthenticate = YES; -- True if this source can be used to authenticate users.
  • isAddressBook = YES; -- True to include this data source in the global address book. Only requires read access.
  • displayName = "Shared Addresses"; -- The human-readable name that you want shown in the GUI for the global address book.

• su to the sogo user. You will need to specify the shell explicitly, i.e. su -s /bin/sh sogo. Use the command defaults that comes with gnustep-base to set configuration values. The command line format is

  defaults write sogod $Key "$Value"

  Go through the Installation Guide, the Configuration section, and set the needed parameters. See the previous section on LDAP for a more user-friendly explanation of the LDAP parameters. I made a script to preserve the variable settings in case I have to do it over. **** Show script

• You also need to create the sogo user and the sogo database. The Installation Guide (page 20) has the procedure; however, I don't think it's wise to use such a lameass password. I created a random password but changed the punctuation to just hyphens and dots. I wanted to use ident auth on UNIX domain sockets, but SOGo is set up to potentially use a trans-net database server, which means it's going to do a TCP connection to localhost, on which ident doesn't do anything. So we have to do the password thing, and to put the password in the configuration file. Hiss, boo. I should ask in the forum whether an alternate form of the URL will make it use the UNIX domain socket.

• Turning it on: The Installation Guide tells you to start daemons in this order: SOGo (sogod), Apache, memcached. This seems kind of backward. Anyway, for initial startup I'll do SOGo first, then Apache. Memcached is already running, as is the GNUstep daemon gdomap (not mentioned in the Installation Guide).

  • sogod starts, doesn't die, and attaches to port 20000. Initial errors or suspicious messages are:

    • Warning (WOWatchDog): 'WOHttpAllowHost' is ignored in watchdog mode, use a real firewall instead. (Our firewall allows access only from localhost. This must be a default; it was not set explicitly.)
    • It loaded these SOGo products: Contacts, ContactsUI, SchedulerUI, Appointments, MainUI, MailerUI, Mailer, MailPartViewers, PreferencesUI, AdministrationUI, CommonUI.
    • It seems to be loading (the same) products from both /usr/local/lib/GNUstep/SOGo and /usr/lib/GNUstep/SOGo . Fixed by removing /usr/local/lib/GNUstep; when removing a previous installation I cued on mod dates and there were files that were just un-tarred with their original mod dates.
    • No value specified for SOGoProfileURL. (Also OCSFolderInfoURL, but the program didn't complain yet.) Fixed...
    • Cannot load adaptor bundle 'PostgreSQL' (very bad). Should have been in /usr/lib/sope-4.9/dbadaptors/PostgreSQL.gdladaptor but the whole dbadaptors directory is missing. Evidently I didn't install package sope49-gdl1-postgresql . Warning, when I installed this package, the configuration file disappeared! That's nasty! I re-ran my setup script.
    • Now it can't open a connection to the database. For debugging: psql -h localhost -p 5432 -U sogo -W sogo Guess what, no pg_hba.conf entry for host "::1" (IPv6 address, which I'm using). I added a row in /var/lib/pgsql/data/pg_hba.conf saying: host sogo sogo ::1/128 md5 That did it, now it can start.
    • sogod created table sogo_user_profile and several others, apparently successfully.

  • Apache successfully reloads its configuration including the SOGo hacks. Basically it forwards everything under /SOGo to the daemon.

  • Accessing that directory as https://otter.mine.nu/SOGo/ : Apache complains: No protocol handler was valid for the URL /SOGo/. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule. I'd better find out what submodules it wants.

    • We're doing a reverse proxy. ProxyRequests is turned off.

    • Since we're handling HTTP/S requests, we need mod_proxy_http .

    • That done, a request to the above URL elicits a login form. But it's lameass: logo image and Javascript are missing.

    • Complaint: the language is not pre-filled as English; I thought I set that as a default.

    • When you hit Connect, a reply comes back very fast but the page content is not replaced. Similarly for the About link.

    • Log file: could not load bundles: /usr/local/lib/GNUstep/WOxElemBuilders-4.9/SOGoElements.wox /usr/local/lib/sope-4.9/wox-builders/WEExtensions.wox /usr/local/lib/sope-4.9/wox-builders/WOExtensions.wox Deleted /usr/local/lib/GNUstep and /usr/local/lib/sope-4.9, but login form is still inert.

    • Apache complains: client denied by server configuration: /usr/lib/GNUstep/SOGo/WebServerResources/PasswordPolicy.js , referer: https://otter.mine.nu/SOGo/ The cure was, in /etc/apache2/conf.d/SOGo.conf , after the three Alias directives, to add this stanza allowing the webserver to send out the referent files:

      <Directory /usr/lib/GNUstep/SOGo/WebServerResources>
          Order allow,deny
          Allow from all
      </Directory>
      		

    • Now the login form is nicely formatted, with the logo image, but I don't get logged in. After about 2 minutes it shows 502 bad gateway. Log file complaint #1: timeout reading the status line from the remote server (SOGo on 20000). Log file complaint #2: proxy: ap_get_scoreboard_lb(0) failed in child 8399 for worker http://127.0.0.1:20000/SOGo. This can't be good. Community consensus is that when mod_proxy is first added, you need to shut down and restart the server; reload (graceful restart) is not enough. When I did that the scoreboard errors went away. But I still get the timeout.

    • /var/log/sogo/sogo.log doesn't look good. When the login request comes in, WOWatchDogChild kills the child process and starts a new one. Startup looks reasonable. It then does these requests:

      • Retrieving the login form does not involve SOGo. Send form: a bunch of reasonable initialization messages.
      • WARNING(-[NSNull(misc) count]): called NSNull -count (returns 0) !!!
      • GET /SOGo/ code 200 (2 megabytes?)
      • SOGoRootPage successful login for user 'jimc'.
      • POST /SOGo/connect code 200 (2 megabytes?)
      • GET /SOGo/jimc code 302 (20K)
      • GET /SOGo/jimc/view code 302 (8K)
      • GET /SOGo/so/jimc/Mail code 302 (size 0) (not surprising)
      • Then it hangs for ${ProxyTimeout} secs, then kills the child.

  • Posted on users@sogo.nu. The cure: in .GNUstepDefault set SOGoIMAPServer to imaps://localhost:993 not just localhost:993.

  • Tidbit: client CalDAV setting is https://sogoserver.domainname.com:443/dav/UserID/ ; CardDAV would be just https://sogoserver.domainname.com:443 . The first one works on an iPhone-3 but not iPhone-4. I can't tell if the guy is saying that the CardDAV one does or doesn't work. Someone else says, you need to offer CardDAV on port 8843. On iPhone you can override the port for CalDAV but not CardDAV. Also a more correct CalDAV URL is https://sogoserver.domainname.com/SOGo/dav/UserID .

  • The next problem: works fine on Jacinth, but Simba has autofs and the hosts directory is /net. It looks for /*/bundle-info.plist and silently doesn't find it in all of the normal toplevel directories. But autofs could potentially mount a filesystem on the host bundle-info.plist, so it creates a directory where the mount points could be put. Sogod opens this directory and maps it, but seeking in this file returns EINVAL (duh), killing sogod.

    This was reported as a bug in SOGo. As an extremely kludgey workaround, I changed the permissions of /net to sogo:root 0075. Thus root (being in group root) still has permission to write on the directory, but sogo is locked out and can't open the bogus plist file.

  • Twice so far I've forgotten to edit one or another of the LDAP parameters. Most recently, I copied the configuration from home to work, but used home's baseDN, and of course the work LDAP server returned nothing, and the user was considered to have an incorrect loginID or password.