Web User management - Function removed from PHP Mapi
-
Hello,
I built a web-based UI a few years ago so that users can change their password and admins can manage users (add/edit/delete/rights).
For doing that I was using the PHP Mapi library, but unfortunately, I just updated my kopano install and the function I needed got removed which is kind of a disaster: https://github.com/Kopano-dev/kopano-core/commit/9a003acd34857cf2c27d0d9c581af0e233b48510#diff-4d4539e6dcf717bc5ac213a6768baeca
So I can no longer create, edit, delete users and change passwords…
I’m using the DB as the backend so I cannot use an LDAP library.
I checked what was available and the options are not so great…
- kopano-admin => needs to be root to use it and I don’t really want to run root cmd from a web app or to allow sudo kopano-admin
- kopano-cli => has parameters -U and -P to “log as” but it means executing a command with PHP and giving the password in clear text, as no prompt is available. I don’t like having users’ passwords in the web logs.
Is there any other solution? Can I directly modify the values in the DB and then somehow force a re-sync? Or would it be possible to add back those very useful functions to PHP Mapi?
- mapi_zarafa_createuser()
- mapi_zarafa_setuser()
- mapi_zarafa_deleteuser()
Thanks a lot !
-
kopano-admin => need to be root to use it and I don’t really want to run root cmd from a web app or to allow sudo kopano-admin
No; you can either use an SSL certificate to authenticate, or the Unix socket credential passing mechanism (e.g. server.cfg local_admin_users=root apache).
-
F***
It’s like Kopano is making choices just to piss me off…
Last year I had to redevelop my app to adapt to the usage of kopano-cli instead of php-mapi and today after the update…
and spending hours to make that stupid php-mapi work in cli for z-push…
kopano-cli got removed as well… The only tool remaining is kopano-admin, which means I have to allow apache to edit any users without the need to be authenticated… THAT SUCKS!
My use case is simple,
- basic users can connect and change their passwords,
- admin users can create and edit and remove other users
- I don’t want to give admin right to the whole apache process (if another webapp is abused I don’t want someone use it to edit/create/delete users)
With kopano-cli I was able at least to reuse connected user credentials and rights…
Is there any other way to edit/create users with a non-root account?
If not… do you recommend any other Exchange-like self-hosted open-source software?
I’ve heard about BlueMind, Citadel, Tine 2.0, Zimbra Collaboration, and maybe SOGo
Thanks for your help
-
@worms
Why not use Univention https://www.univention.com/ with Kopano?
There you have your web configuration already on board with Kopano,
and you are able to set more than only the password, e.g. enable/disable IMAP, POP, Mobile Access (ActiveSync devices), Outlook access, and set quotas, delegates and more
rg
Christian
-
@externa1 Well, this looks indeed interesting, but if I understood well, I cannot just install Univention on top of my existing setup, I’ll have to redeploy everything and migrate the current users, aliases, mails, contacts, etc… I guess as well in order to work Univention uses LDAP.
For my current installation, I would like to keep the DB backend as it’s used by other apps as well.
But definitely I’ll keep it under my hand as I would like to have SSO between Kopano, Nextcloud, Mattermost, KVM and so on in the near future.
I was thinking, for my issue, would it be possible to directly connect to the Kopano server socket with user/password? Is this documented somewhere?
-
@worms By looking around, kopano-cli is actually a python file… just had to install an older version of kopano-core somewhere to get the file on my current install…
For now it works… until the next update where Kopano dev will remove the ability to log in as a user with the python lib :)
I hope this will not happen… otherwise, see you next year for probably my last goodbye :’(
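
The Unix socket credential passing suggested earlier in the thread, sketched as an added example: this is generic Linux SO_PEERCRED code, not Kopano's implementation and not code from any poster, and only the `local_admin_users=root apache` value comes from the thread. It shows that the server learns the peer's pid/uid/gid and nothing else, so every process running as an allowlisted account gets the same answer, which is the concern raised above about the whole apache process.

```python
import os
import pwd
import socket
import struct

# Allowlist in the form of the server.cfg line quoted in the thread.
LOCAL_ADMIN_USERS = "root apache"

def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket."""
    fmt = "iII"  # Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def is_local_admin(uid, allowlist=LOCAL_ADMIN_USERS, lookup=pwd.getpwuid):
    """True if the account name for uid is an exact entry in the allowlist."""
    try:
        name = lookup(uid).pw_name
    except KeyError:
        return False  # a uid without a passwd entry never matches
    return name in allowlist.split()

def authorize(conn, allowlist=LOCAL_ADMIN_USERS, lookup=pwd.getpwuid):
    """Decision a server can make from the socket alone: no password is involved,
    and nothing identifies which application under that uid opened the socket."""
    pid, uid, _gid = peer_credentials(conn)
    return {"pid": pid, "uid": uid, "admin": is_local_admin(uid, allowlist, lookup)}

def demo():
    # socketpair() stands in for a client connecting to the server's Unix socket.
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return authorize(server_end)
    finally:
        server_end.close()
        client_end.close()

if __name__ == "__main__":
    print(demo(), "current uid:", os.geteuid())
```

With this kind of check, separating the user-management page from other web applications means running it under its own Unix account (for example a dedicated PHP-FPM pool user, an assumption about the deployment) and allowlisting only that account.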