kopanoSendAsPrivilege bug

Hi,

after switching from Zarafa to Kopano, we got a problem with SendAs. You can reproduce it
as follows:

  • create a kopano group
  • add a kopano user to that group
  • choose another user and set the sendasprivilege attribute of the user to the group

–> the members of that group could NOT send as the chosen user

in zarafa this was functional

We are using Kopano V8.3.2.

best regards
Michael

Hi @Michael-Niehren ,

At first I thought you were talking about https://jira.kopano.io/browse/KC-763, but this actually should only exist in 8.4.x.

I just did a test of this with Kopano 8.3.3 on Ubuntu 16.04 and was able to sendas the specified user, when I was the member of the allowed group.

Which user backend do you use?
can your groups be properly resolved from kopano-admin?
does kopano-admin show the sendas permissions?

Hi Felix,

Which user backend do you use?
as backend we are using LDAP

can your groups be properly resolved from kopano-admin?
no, kopano-admin only shows everybody

does kopano-admin show the sendas permissions?
it only shows the users in sendas, not any group

It seems to be something in LDAP, I will check that and give feedback.

thanks,
Michael

Hi Felix,

I found a solution. In the old zarafa schema the zarafa-group is defined as follows

objectclass     ( 1.3.6.1.4.1.26278.1.2.0.0
        NAME 'zarafa-group'
        DESC 'Zarafa: a group of Zarafa'
        SUP top AUXILIARY
        MUST ( cn $ uid )

the kopano-group is defined as

objectclass     ( 1.3.6.1.4.1.47732.1.2.0.0
        NAME 'kopano-group'
        DESC 'KOPANO: a group of Kopano'
        SUP top AUXILIARY
        MUST ( cn )

In our config we don’t set ldap_sendas_relation_attribute, so ldap_user_unique_attribute,
which is uid, should be used. After changing the kopano-group definition to the old
zarafa-group definition and also setting the uid in the LDAP group entry, everything works
as expected.

Why was the uid field in the kopano-group definition gone?
Or what is the right way to configure that?
I only have 1 ldap_sendas_relation_attribute for user and group, right? So in my understanding,
it has to be the same. It would be nice if you can explain …

best regards and thanks for your help
Michael

@Michael-Niehren said in kopanoSendAsPrivilege bug:

Why was the uid field in the kopano-group definition gone?

When looking at zarafa.schema as included in the source then it looks like this:

objectclass	( 1.3.6.1.4.1.26278.1.2.0.0
	NAME 'zarafa-group'
	DESC 'Zarafa: a group of Zarafa'
	SUP top	AUXILIARY
	MUST ( cn )
	MAY (
		zarafaAccount $ zarafaHidden $ mail $ zarafaAliases $ zarafaSecurityGroup $ zarafaSendAsPrivilege $
		gidNumber
		)
	)

So my guess is you modified it yourself and forgot about it. Setting a userid for a group (which normally has a g(roup)id) sounds weird. In my test I have set it like the following (at least as far as I remember, I already disposed of the system). This works, but there may be other solutions to this:

# Optional, default = text
# Active directory: dn
# LDAP: text
ldap_sendas_attribute_type = dn

# The attribute of the user and group which is listed in
# the ldap_sendas_attribute
# Empty default, using ldap_user_unique_attribute
ldap_sendas_relation_attribute = mail

Hi Felix,

you are absolutely right. I’ve checked that and it was me who inserted the uid field.
I am very sorry for that.

thanks again for your help
Michael
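
An audit sketch for the mismatch found in this thread, added here as an example (not code from the thread or from Kopano): it lists send-as values that resolve to no user or group under a given configuration, which is what silently disables a delegation. The directory entries and DNs are constructed, and treating dn mode as a direct comparison against entry DNs is an assumption.

```python
# Added example: models the lookup described in the config comments quoted above.
# Not Kopano's code. All entries and DNs are constructed sample data.
BOSS_DN = "uid=boss,ou=users,dc=example,dc=test"
GROUP_DN = "cn=sales,ou=groups,dc=example,dc=test"

def sample_directory(sendas_value):
    """Constructed directory: one delegating user, one member, one group."""
    return {
        BOSS_DN: {"uid": ["boss"], "mail": ["boss@example.test"],
                  "kopanoSendAsPrivilege": [sendas_value]},
        "uid=anna,ou=users,dc=example,dc=test": {
            "uid": ["anna"], "mail": ["anna@example.test"]},
        # Group as in the kopano-group definition quoted above: cn only, no uid.
        GROUP_DN: {"objectClass": ["kopano-group"], "cn": ["sales"],
                   "mail": ["sales@example.test"]},
    }

def relation_attr(cfg):
    """Empty ldap_sendas_relation_attribute falls back to ldap_user_unique_attribute."""
    return cfg.get("ldap_sendas_relation_attribute") or cfg["ldap_user_unique_attribute"]

def unresolved_sendas(entries, cfg, sendas_attr="kopanoSendAsPrivilege"):
    """Return (owner_dn, value) pairs whose send-as value matches no user or group."""
    if cfg.get("ldap_sendas_attribute_type", "text") == "dn":
        # Assumption: in dn mode the stored value is compared to entry DNs.
        known = {dn.lower() for dn in entries}
    else:
        # text mode: the value must equal some entry's relation attribute.
        rel = relation_attr(cfg).lower()
        known = {v.lower() for attrs in entries.values()
                 for name, vals in attrs.items() if name.lower() == rel
                 for v in vals}
    return [(dn, v) for dn, attrs in entries.items()
            for v in attrs.get(sendas_attr, []) if v.lower() not in known]

DEFAULT_CFG = {"ldap_user_unique_attribute": "uid"}  # relation attribute unset
MAIL_CFG = {"ldap_user_unique_attribute": "uid",
            "ldap_sendas_relation_attribute": "mail"}
DN_CFG = dict(MAIL_CFG, ldap_sendas_attribute_type="dn")

if __name__ == "__main__":
    cases = [("sales", DEFAULT_CFG), ("anna", DEFAULT_CFG),
             ("sales@example.test", MAIL_CFG), (GROUP_DN, DN_CFG)]
    for value, cfg in cases:
        missing = unresolved_sendas(sample_directory(value), cfg)
        print(f"{value!r}: {'UNRESOLVED' if missing else 'ok'}")
```

Run against an export of the real directory, any pair this returns is a delegation that is stored in LDAP but cannot be matched to an object.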