Bug #2808

SOGo: ACLs deployed using groups do not work

Added by Nicola Rauso about 7 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-sogo
Target version: v6.6
Affected version: v6.5-final
Security class:
Resolution:
Start date:
Due date:
NEEDINFO: No

Description

If you try to share a Calendar or an Address Book in SOGo with a group defined in NethServer, the ACLs are not effectively deployed to the users who are members of the group.

modify.ldif (237 Bytes) Davide Principi, 09/24/2014 04:02 AM

0001-sogo-config-template-sogoUserSources-elements-order-.patch - nethserver-sogo fix (1.86 KB) Davide Principi, 09/26/2014 08:57 AM

0001-user-create-unix-set-memberUid-attribute-in-primary-.patch - nethserver-directory fix (3.31 KB) Davide Principi, 09/26/2014 08:57 AM


Related issues

Related to NethServer 6 - Feature #2748: Upgrade SOGO to 2.2.15 CLOSED
Related to NethServer 6 - Enhancement #2801: SOGo: hide Groups addressbook CLOSED
Related to NethServer 6 - Bug #3122: SOGo doesn't show multiple addresses on sender field CLOSED

Associated revisions

Revision 6443e0a9
Added by Davide Principi almost 7 years ago

sogo-config template: sogoUserSources elements order matters. Refs #2808

SOGo scans SOGoUserSources in reverse order, searching for a matching LDAP
node. By querying ou=Groups first, we ensure the posixGroup is
properly found.

Ensure memberUid attribute is set also for user primary group nodes,
otherwise share-by-user does not work!

Revision 6fda4cee
Added by Davide Principi almost 7 years ago

user-create-unix: set memberUid attribute in primary group. Refs #2808

This makes a user always a member of its primary group.

Fixes addressbook and calendar sharing between users, in SOGo.

Revision 427fcd77
Added by Stefano Fancello over 6 years ago

nethserver-sogo-update: add an action that makes users members of their primary group if they aren't. Useful for users created with nethserver-directory < 2.0.4. Refs #2808

Revision 27ab5626
Added by Davide Principi over 6 years ago

Revert sogoUserSources order. Refs #3116 #3122

Revert "sogo-config template: sogoUserSources elements order matters. Refs #2808"

This reverts commit 6443e0a

History

#1 Updated by Nicola Rauso about 7 years ago

package installed:
  • nethserver-sogo-1.4.0-1.ns6.noarch

#3 Updated by Giacomo Sanchietti almost 7 years ago

#4 Updated by Giacomo Sanchietti almost 7 years ago

  • NEEDINFO changed from No to Yes

Please add the steps to reproduce the problem.

#5 Updated by Giacomo Sanchietti almost 7 years ago

#6 Updated by Nicola Rauso almost 7 years ago

To reproduce:
  • log in to SOGo with one user (let's say user1) and select the Address Book (or Calendar) menu;
  • share user1's personal address book (or personal calendar) with a group (let's say testgroup), giving at least read permission;
  • log user1 out;
  • log in to SOGo again with a different user who belongs to the testgroup group (let's say user2);
  • try to subscribe to user1's shared address book (or calendar);
  • no available resource can be subscribed to.

#7 Updated by Giacomo Sanchietti almost 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

Bug is confirmed.

I think the problem is that our group entries in LDAP don't have a mail field.
From the SOGo manual:

Groups must be defined like any other
authentication sources (i.e., canAuthenticate must be set to YES and a group must have a valid
email address). In order for SOGo to determine if a specific LDAP entry is a group, SOGo will
look for one of the following objectClass attributes:
* group
* groupOfNames
* groupOfUniqueNames
* posixGroup

Maybe we can add a new objectClass to groups? Something like:

dn: cn=mailRelatedObject,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: mailRelatedObject
olcObjectClasses: {0}( 1.3.6.1.4.1.5427.1.389.6.9 NAME 'mailboxRelatedObject' 
 DESC 'For pointing to an associated RFC822 (functional) mailbox from any entr
 y' AUXILIARY MAY ( mail $ displayName ) )

But I'd like to avoid modification to the underlying system and search for some smart LDAP query to correctly configure SOGo.

#8 Updated by Giacomo Sanchietti almost 7 years ago

  • NEEDINFO changed from Yes to No

#9 Updated by Davide Principi almost 7 years ago

Did it ever work? I can't remember if this stopped working in a particular release... I'll investigate.

If adding the mail attribute to posixGroup nodes turns out to be the only possible solution, we have qmail.schema already loaded. See the attached modify.ldif for how to add a mail attribute to an existing group.

Anyway, the mail attribute may not be enough: I've found some information about the SOGo/Dovecot/LDAP schema here (quite outdated): http://www.lunch.org.uk/wiki/sogodovecotldapandgroups

#10 Updated by Davide Principi almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#11 Updated by Davide Principi almost 7 years ago

This is a solution proposal.

First of all, the order of the SOGoUserSources elements matters: when sharing an address book or calendar, the data sources are queried two times:
  • The first time, the configured filter is applied and a user/group identifier is picked up.
  • The second time, the filter is not applied, and a generic query is performed on each data source. If the first match is a posixGroup, the group members (identified by the multi-valued memberUid attribute) are expanded.

This is the log evidence (see nethserver-sogo to increase sogod log verbosity):

2014-09-25 15:25:51.568 sogod[...]: search at base 'ou=groups,dc=directory,dc=nh' filter '(|(cn=second.user)(mail=second.user))' for attrs '*'
Sep 25 15:25:58 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:25:58.816 sogod[...]: search at base 'ou=groups,dc=directory,dc=nh' filter '(|(sn=groupx*)(displayname=groupx*)(telephonenumber=groupx*)(mail=groupx*)(cn=groupx*))' for attrs '*'
Sep 25 15:25:58 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:25:58.829 sogod[...]: search at base 'ou=people,dc=directory,dc=nh' filter '(&(|(sn=groupx*)(displayname=groupx*)(telephonenumber=groupx*)(mail=groupx*)(cn=groupx*))(accountStatus=active))' for attrs '*'
Sep 25 15:26:04 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:26:04.933 sogod[23607] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=groups,dc=directory,dc=nh' filter '(cn=groupx)' for attrs '*'

The solution does not fix existing accounts: a specific action has to be implemented in nethserver-directory.

Current relevant differences with SME/NethService 8.x:
  • Inverted SOGoUserSources elements order
  • Primary groups are not in LDAP

#12 Updated by Giacomo Sanchietti almost 7 years ago

I'd go with the new proposed solution.

#13 Updated by Davide Principi almost 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

In branch b2808 master

#14 Updated by Davide Principi almost 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#15 Updated by Davide Principi almost 7 years ago

  • Status changed from MODIFIED to ON_DEV
  • % Done changed from 60 to 30

TODO: In nethserver-directory implement an action that fixes LDAP, by adding memberUid attribute to users primary groups.
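An added example of the repair action described in comment #11 and the TODO above, and of the membership expansion it fixes. This is illustration code written for this page, not the nethserver-directory action or anything from SOGo. It assumes the standard posixAccount/posixGroup attributes (gidNumber, memberUid), a DIT layout taken from the log lines in comment #11 (ou=People and ou=Groups under dc=directory,dc=nh), and constructed sample entries: user1 is already memberUid of its primary group, user2 (as if created by an older nethserver-directory) is not. The group_members function models only the behaviour described in the thread, namely that a share subject which resolves to a posixGroup is expanded through its memberUid values.

```python
"""Added example, not code from nethserver-directory or SOGo: find posixAccount
users whose primary posixGroup (matched on gidNumber) lacks a memberUid for
them, emit the ldapmodify LDIF that repairs it, and show that SOGo's group
expansion of a share subject yields nobody until the attribute is present."""
import re
from collections import defaultdict

# Constructed sample; DIT layout follows the log lines in comment #11,
# uids, cns and gidNumbers are invented.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=directory,dc=nh
objectClass: posixAccount
uid: user1
gidNumber: 5001

dn: uid=user2,ou=People,dc=directory,dc=nh
objectClass: posixAccount
uid: user2
gidNumber: 5002

dn: cn=user1,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: user1
gidNumber: 5001
memberUid: user1

dn: cn=user2,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: user2
gidNumber: 5002

dn: cn=testgroup,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: testgroup
gidNumber: 6000
memberUid: user1
memberUid: user2
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lowercased,
    values kept as lists. Folded lines (leading space) are joined; base64
    ('::') and URL (':<') values are not handled, the sample has none."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = defaultdict(list)
        for line in lines:
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries


def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))


def find_missing_primary_memberships(entries):
    """(group_dn, uid) for every posixAccount not listed as memberUid of the
    posixGroup whose gidNumber equals the account's gidNumber."""
    groups_by_gid = {}
    for e in entries:
        if has_class(e, "posixGroup"):
            for gid in e.get("gidnumber", []):
                groups_by_gid[gid] = e
    missing = []
    for e in entries:
        if not has_class(e, "posixAccount"):
            continue
        uid = e["uid"][0]
        for gid in e.get("gidnumber", []):
            group = groups_by_gid.get(gid)
            # Primary group not in LDAP at all: nothing this action can repair.
            if group is not None and uid not in group.get("memberuid", []):
                missing.append((group["dn"][0], uid))
    return missing


def build_fix_ldif(missing):
    """changetype: modify records adding memberUid, ready for ldapmodify."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: memberUid\nmemberUid: {uid}\n-\n"
        for dn, uid in missing
    )


def apply_fix(entries, missing):
    """Apply the same additions in memory (what the server does on ldapmodify)."""
    by_dn = {e["dn"][0]: e for e in entries}
    for dn, uid in missing:
        by_dn[dn].setdefault("memberuid", []).append(uid)
    return entries


def group_members(entries, cn):
    """What SOGo grants when a share subject resolves to a posixGroup: the set
    of memberUid values. An empty set means nobody receives the ACL."""
    for e in entries:
        if has_class(e, "posixGroup") and e.get("cn", [""])[0].lower() == cn.lower():
            return set(e.get("memberuid", []))
    return set()


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(build_fix_ldif(find_missing_primary_memberships(entries)), end="")
```

Run as a script it prints the modify record for cn=user2,ou=Groups,dc=directory,dc=nh, which is what ldapmodify would consume; on a real server the entries would come from ldapsearch against ou=People and ou=Groups instead of the embedded sample. Before the fix, a share whose subject resolves to the posixGroup cn=user2 expands to nobody, because that group has no memberUid; after the fix it expands to user2, while testgroup already expands to both users.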

#16 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to TRIAGED
  • % Done changed from 30 to 20

#17 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from v6.5 to v6.6-rc1

#18 Updated by Stefano Fancello over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#19 Updated by Stefano Fancello over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Test case 1:
- you need some users created with nethserver-directory < 2.0.4, or you can delete the memberUid attribute from the primary groups
- install nethserver-sogo
- check that all primary groups have their user as memberUid
- check that the bug is no longer present

Test case 2:
- you need some users created with nethserver-directory < 2.0.4, or you can delete the memberUid attribute from the primary groups
- update nethserver-sogo
- check that all primary groups have their user as memberUid
- check that the bug is no longer present

#20 Updated by Stefano Fancello over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Repository nethserver-testing: nethserver-sogo-1.4.0-9.0git427fcd77.ns6.noarch.rpm

#21 Updated by Giacomo Sanchietti over 6 years ago

  • Target version changed from v6.6-rc1 to v6.6

#22 Updated by Alessio Fattorini over 6 years ago

Test case 1: Verified

#23 Updated by Alessio Fattorini over 6 years ago

  • Assignee set to Alessio Fattorini

#24 Updated by Stefano Fancello over 6 years ago

  • Assignee deleted (Alessio Fattorini)

#25 Updated by Alessio Fattorini over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Test case 2 fixed

Verified

#26 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-base:
  • nethserver-sogo-1.5.0-1.ns6.noarch.rpm

#27 Updated by Davide Principi over 6 years ago

  • Related to Bug #3122: SOGo doesn't show multiple addresses on sender field added
