kopanoSendAsPrivilege bug



  • Hi,

    after switching from Zarafa to Kopano, we got a problem with SendAs. You can reproduce it
    as follows:

    • create a Kopano group
    • add a Kopano user to that group
    • choose another user and set the sendasprivilege attribute of the user to the group

    –> the members of that group could NOT send as the chosen user

    in zarafa this was functional

    We are using Kopano V8.3.2.

    best regards
    Michael


  • Kopano

    Hi @Michael-Niehren ,

    At first I thought you were talking about https://jira.kopano.io/browse/KC-763, but this actually should only exist in 8.4.x.

    I just did a test of this with Kopano 8.3.3 on Ubuntu 16.04 and was able to sendas the specified user, when I was the member of the allowed group.

    Which user backend do you use?
    Can your groups be properly resolved from kopano-admin?
    Does kopano-admin show the sendas permissions?



  • Hi Felix,

    Which user backend do you use?
    as backend we are using LDAP

    can your groups be properly resolved from kopano-admin?
    no, kopano-admin only shows everybody

    does kopano-admin show the sendas permissions?
    it only shows the users in sendas, not any group

    It seems to be something in LDAP, I will check that and give feedback.

    thanks,
    Michael



  • Hi Felix,

    I found a solution. In the old Zarafa schema the zarafa-group is defined as follows

    objectclass     ( 1.3.6.1.4.1.26278.1.2.0.0
            NAME 'zarafa-group'
            DESC 'Zarafa: a group of Zarafa'
            SUP top AUXILIARY
            MUST ( cn $ uid )
    

    the kopano-group is defined as

    objectclass     ( 1.3.6.1.4.1.47732.1.2.0.0
            NAME 'kopano-group'
            DESC 'KOPANO: a group of Kopano'
            SUP top AUXILIARY
            MUST ( cn )
    

    In our config we don’t set ldap_sendas_relation_attribute, so ldap_user_unique_attribute,
    which is uid, should be used. After changing the kopano-group definition to the old
    zarafa-group definition and also setting the uid in the LDAP group entry, everything works
    as expected.

    Why was the uid field in the kopano-group definition gone?
    Or what is the right way to configure that?
    I only have 1 ldap_sendas_relation_attribute for user and group, right? So in my understanding,
    it has to be the same. It would be nice if you can explain …

    best regards and thanks for your help
    Michael


  • Kopano

    @Michael-Niehren said in kopanoSendAsPrivilege bug:

    Why was the uid field in the kopano-group definition gone?

    When looking at zarafa.schema as included in the source then it looks like this:

    objectclass	( 1.3.6.1.4.1.26278.1.2.0.0
    	NAME 'zarafa-group'
    	DESC 'Zarafa: a group of Zarafa'
    	SUP top	AUXILIARY
    	MUST ( cn )
    	MAY (
    		zarafaAccount $ zarafaHidden $ mail $ zarafaAliases $ zarafaSecurityGroup $ zarafaSendAsPrivilege $
    		gidNumber
    		)
    	)
    

    So my guess is you modified it yourself and forgot about it. Setting a userid for a group (which normally has a g(roup)id) sounds weird. In my test I have set it like the following (at least as far as I remember, already disposed of the system). This works, but there may be other solutions to this:

    # Optional, default = text
    # Active directory: dn
    # LDAP: text
    ldap_sendas_attribute_type = dn
    
    # The attribute of the user and group which is listed in
    # the ldap_sendas_attribute
    # Empty default, using ldap_user_unique_attribute
    ldap_sendas_relation_attribute = mail
    


  • Hi Felix,

    you are absolutely right. I’ve checked that back and it was me who inserted the uid field.
    I am very sorry for that.

    thanks again for your help
    Michael
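
Added example, not part of the thread and not Kopano's code: a simplified Python model of the lookup discussed above, listing kopanoSendAsPrivilege values that match no user or group for a given ldap_sendas_attribute_type and ldap_sendas_relation_attribute. The entries, DNs and the matching logic are constructed assumptions; only the setting and attribute names come from the thread.

```python
# Simplified model of SendAs value resolution; an assumption, not Kopano's code.
# All entries below are constructed sample data.
ENTRIES = {
    "uid=boss,ou=people,dc=example,dc=test": {
        "objectClass": ["kopano-user"], "uid": ["boss"],
        "mail": ["boss@example.test"],
        # text-type values: one user and one group are delegated
        "kopanoSendAsPrivilege": ["alice", "sales"],
    },
    "uid=alice,ou=people,dc=example,dc=test": {
        "objectClass": ["kopano-user"], "uid": ["alice"],
        "mail": ["alice@example.test"],
    },
    "cn=sales,ou=groups,dc=example,dc=test": {
        # the stock kopano-group class only requires cn, so no uid here
        "objectClass": ["kopano-group"], "cn": ["sales"],
        "mail": ["sales@example.test"],
    },
}

def resolve(value, entries, attr_type, relation_attr):
    """Return the DNs that a single SendAs value resolves to."""
    if attr_type == "dn":
        # DN-type values are compared with the entry DN itself
        return [dn for dn in entries if dn.lower() == value.lower()]
    return [dn for dn, e in entries.items()
            if value.lower() in (v.lower() for v in e.get(relation_attr, []))]

def unresolved_sendas(entries, attr_type="text", relation_attr="",
                      unique_attr="uid"):
    """List (owner DN, value) pairs that match no user or group."""
    # an empty relation attribute falls back to the unique attribute
    rel = relation_attr or unique_attr
    missing = []
    for dn, e in entries.items():
        for value in e.get("kopanoSendAsPrivilege", []):
            if not resolve(value, entries, attr_type, rel):
                missing.append((dn, value))
    return missing

if __name__ == "__main__":
    for owner, value in unresolved_sendas(ENTRIES):
        print(f"{owner}: SendAs value {value!r} matches no entry")
```

With the defaults the group value is reported as unresolved because the group entry has no uid, which matches the symptom of kopano-admin listing only users under sendas.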