Bug #2808
SOGo: ACLs deployed using groups does not work
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | CLOSED | Start date: | |
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-sogo | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.5-final | NEEDINFO: | No |
Description
If you try to share a Calendar or an Address book in SOGo
using a group defined in NethServer, the ACLs are not effectively deployed to the users that are members of the group
Related issues
Associated revisions
sogo-config template: sogoUserSources elements order matters. Refs #2808
SOGo scans SOGoUserSources in reverse order, searching a matching LDAP
node. By querying the ou=Groups at first, we ensure the posixGroup is
properly found.
Ensure memberUid attribute is set also for user primary group nodes,
otherwise share-by-user does not work!
user-create-unix: set memberUid attribute in primary group. Refs #2808
This makes a user always a member of its primary group.
Fixes addressbook and calendar sharing between users, in SOGo.
nethserver-sogo-update: add an action that makes users members of their primary group if they aren't. Useful for users created with nethserver-directory < 2.0.4. Refs #2808
History
#1 Updated by Nicola Rauso about 7 years ago
- nethserver-sogo-1.4.0-1.ns6.noarch
#3 Updated by Giacomo Sanchietti almost 7 years ago
- Related to Feature #2748: Upgrade SOGO to 2.2.15 added
#4 Updated by Giacomo Sanchietti almost 7 years ago
- NEEDINFO changed from No to Yes
Please add the steps to reproduce the problem.
#5 Updated by Giacomo Sanchietti almost 7 years ago
- Related to Enhancement #2801: SOGo: hide Groups addressbook added
#6 Updated by Nicola Rauso almost 7 years ago
- log in to SOGo with one user (let's say user1) and select Address Book (or Calendar) menu;
- share user1's personal address book (or personal calendar) with a group (let's say testgroup) giving at least read permission;
- log user1 out;
- log in to SOGo again with a different user whom belongs to testgroup group (let's say user2) ;
- try to subscribe user1's shared address book (or calendar)
- no available resource can be subscribed
#7 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
Bug is confirmed.
I think the problem is that our groups entries in LDAP don't have an mail field.
From SOGo manual:
Groups must be defined like any other authentication sources (i.e., canAuthenticate must be set to YES and a group must have a valid email address). In order for SOGo to determine if a specific LDAP entry is a group, SOGo will look for one of the following objectClass attributes:
- group
- groupOfNames
- groupOfUniqueNames
- posixGroup
Maybe we can add a new objectClass to groups? Something like:
```
dn: cn=mailRelatedObject,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: mailRelatedObject
olcObjectClasses: {0}( 1.3.6.1.4.1.5427.1.389.6.9 NAME 'mailboxRelatedObject' DESC 'For pointing to an associated RFC822 (functional) mailbox from any entry' AUXILIARY MAY ( mail $ displayName ) )
```
But I'd like to avoid modification to the underlying system and search for some smart LDAP query to correctly configure SOGo.
#8 Updated by Giacomo Sanchietti almost 7 years ago
- NEEDINFO changed from Yes to No
#9 Updated by Davide Principi almost 7 years ago
- File modify.ldif added
Did it ever work? I can't remember if this stopped working on a particular release... I'll investigate.
If adding the mail attribute to posixGroup nodes will be the only possible solution, we have qmail.schema already loaded. See the modify.ldif about how to add a mail attribute to an existing group.
Anyway, the mail attribute may not be enough: I've found some information about the SOGo/Dovecot/LDAP schema here (quite outdated): http://www.lunch.org.uk/wiki/sogodovecotldapandgroups
#10 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#11 Updated by Davide Principi almost 7 years ago
- File 0001-sogo-config-template-sogoUserSources-elements-order-.patch added
- File 0001-user-create-unix-set-memberUid-attribute-in-primary-.patch added
- Status changed from ON_DEV to TRIAGED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 20
This is a solution proposal.
First of all, the SOGoUserSources elements order matters: when sharing an addressbook or calendar, the datasources are queried two times:
- On the first time, the configured filter is applied and a user/group identifier is picked up
- On the second time, filter is not applied, and a generic query is performed on each datasource. If the first match is a posixGroup, group members (identified by the memberUid multi-value attribute) are expanded.
This is the log evidence (see nethserver-sogo to increase sogod log verbosity):
```
2014-09-25 15:25:51.568 sogod[...]: search at base 'ou=groups,dc=directory,dc=nh' filter '(|(cn=second.user)(mail=second.user))' for attrs '*'
Sep 25 15:25:58 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:25:58.816 sogod[...]: search at base 'ou=groups,dc=directory,dc=nh' filter '(|(sn=groupx*)(displayname=groupx*)(telephonenumber=groupx*)(mail=groupx*)(cn=groupx*))' for attrs '*'
Sep 25 15:25:58 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:25:58.829 sogod[...]: search at base 'ou=people,dc=directory,dc=nh' filter '(&(|(sn=groupx*)(displayname=groupx*)(telephonenumber=groupx*)(mail=groupx*)(cn=groupx*))(accountStatus=active))' for attrs '*'
Sep 25 15:26:04 sogod [...]> Using ldap_initialize for LDAP URL: ldapi://
2014-09-25 15:26:04.933 sogod[23607] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search at base 'ou=groups,dc=directory,dc=nh' filter '(cn=groupx)' for attrs '*'
```
- 0001-sogo-config-template-sogoUserSources-elements-order-.patch: Inverting the existing SOGoUserSources (groups,users) order fixes the group sharing problem, but prevents user sharing.
- 0001-user-create-unix-set-memberUid-attribute-in-primary-.patch: To solve this new problem, we set the memberUid attribute in the user's primary group.
The solution does not fix existing accounts: a specific action has to be implemented in nethserver-directory.
Current relevant differences with SME/NethService 8.x:
- Inverted SOGoUserSources elements order
- Primary groups are not in LDAP
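The comment above describes two facts that a simplified model can make concrete: share targets are resolved by scanning the user sources in order, and a posixGroup match is expanded through its memberUid values. The script below is an added example, not SOGo or NethServer code; it assumes (as a model, not as a description of SOGo internals) that the first matching entry across the scanned sources wins, and its directory content is constructed. It shows why, once ou=Groups is scanned first, a primary group named after its user must carry memberUid, or sharing with that user grants the ACL to nobody.

```python
"""Added example (not SOGo or NethServer code): a simplified model of how a
share target typed into the SOGo sharing dialog is resolved against the
scanned user sources.

Assumptions (labelled): sources are scanned in order, the first entry whose
uid, cn or mail equals the identifier wins, a posixGroup match expands to its
memberUid values and any other match is a single user. Directory entries
below are constructed for the example."""

# Constructed ou=People entries (posixAccount)
PEOPLE = [
    {"uid": "user1", "cn": "user1", "gidNumber": 1001, "objectClass": ["posixAccount"]},
    {"uid": "user2", "cn": "user2", "gidNumber": 1002, "objectClass": ["posixAccount"]},
]

# Constructed ou=Groups entries (posixGroup). Primary groups carry the user's
# own name. "user1" was created without memberUid (as with
# nethserver-directory < 2.0.4), "user2" already has it.
GROUPS = [
    {"cn": "user1", "gidNumber": 1001, "memberUid": [], "objectClass": ["posixGroup"]},
    {"cn": "user2", "gidNumber": 1002, "memberUid": ["user2"], "objectClass": ["posixGroup"]},
    {"cn": "testgroup", "gidNumber": 2000, "memberUid": ["user1", "user2"],
     "objectClass": ["posixGroup"]},
]


def find_entry(entries, identifier):
    """First-pass lookup: return the first entry matching on uid, cn or mail."""
    for entry in entries:
        if identifier in (entry.get("uid"), entry.get("cn"), entry.get("mail")):
            return entry
    return None


def resolve_share_target(scan_order, identifier):
    """Return the set of uids that receive the ACL granted to `identifier`.

    `scan_order` lists the sources in the order they are scanned (the commit
    notes on this bug say that is the reverse of the configured order)."""
    for source in scan_order:
        entry = find_entry(source, identifier)
        if entry is None:
            continue
        if "posixGroup" in entry["objectClass"]:
            # Group match: expand to members; an empty memberUid means nobody.
            return set(entry["memberUid"])
        return {entry["uid"]}
    return set()


if __name__ == "__main__":
    groups_first = [GROUPS, PEOPLE]
    # Group sharing works: testgroup expands to both members.
    print("testgroup ->", resolve_share_target(groups_first, "testgroup"))
    # User sharing breaks: the empty primary group "user1" shadows the user.
    print("user1     ->", resolve_share_target(groups_first, "user1"))
    # With memberUid set in the primary group, the user is reached again.
    print("user2     ->", resolve_share_target(groups_first, "user2"))
```

Scanning ou=People first would resolve "user1" directly, which is why the order change alone broke user sharing; the model reproduces that and the effect of the memberUid fix, not the original group-sharing failure, whose cause the thread does not state.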
#12 Updated by Giacomo Sanchietti almost 7 years ago
I'd go with the new proposed solution.
#13 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
In branch b2808 master
#14 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
#15 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_DEV
- % Done changed from 60 to 30
TODO: In nethserver-directory implement an action that fixes LDAP, by adding the memberUid attribute to users' primary groups.
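The TODO above asks for an action that repairs existing accounts. As an added example, not the nethserver-directory action itself, the script below reads an LDIF dump of the People and Groups containers, pairs each posixAccount with its primary posixGroup by gidNumber, and emits the ldapmodify input that adds the missing memberUid values. The base DN dc=directory,dc=nh is taken from the log lines in this thread; the entries, the minimal LDIF reader and the function names are constructed for the example.

```python
"""Added example (not nethserver-directory code): generate ldapmodify input
that makes every user a memberUid of its primary group where that value is
missing. Input is an LDIF dump as produced by `ldapsearch -LLL`; the sample
below is constructed, as is the minimal LDIF reader."""

# Constructed LDIF dump: user1's primary group lacks memberUid, user2's has it.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=directory,dc=nh
objectClass: posixAccount
uid: user1
gidNumber: 1001

dn: uid=user2,ou=People,dc=directory,dc=nh
objectClass: posixAccount
uid: user2
gidNumber: 1002

dn: cn=user1,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: user1
gidNumber: 1001

dn: cn=user2,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: user2
gidNumber: 1002
memberUid: user2

dn: cn=testgroup,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
cn: testgroup
gidNumber: 2000
memberUid: user1
memberUid: user2
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attributes as
    'name: value', folded lines start with a space, comments with '#'.
    Base64 ('::') values are not handled. Returns a list of dicts mapping
    attribute name -> list of values (the dn is kept under 'dn')."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:   # folded continuation
            current[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        current.setdefault(name, []).append(value.strip())
        last = name
    return entries


def missing_primary_memberships(entries):
    """Return (group_dn, uid) pairs where a posixAccount's primary group,
    matched by gidNumber, does not list the account in memberUid."""
    groups = {g["gidNumber"][0]: g for g in entries
              if "posixGroup" in g.get("objectClass", [])}
    missing = []
    for entry in entries:
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        uid, gid = entry["uid"][0], entry["gidNumber"][0]
        group = groups.get(gid)
        if group is not None and uid not in group.get("memberUid", []):
            missing.append((group["dn"][0], uid))
    return missing


def build_modify_ldif(missing):
    """Render ldapmodify changes (changetype: modify / add: memberUid)."""
    changes = [f"dn: {dn}\nchangetype: modify\nadd: memberUid\nmemberUid: {uid}\n"
               for dn, uid in missing]
    return "\n".join(changes)


if __name__ == "__main__":
    todo = missing_primary_memberships(parse_ldif(SAMPLE_LDIF))
    print(build_modify_ldif(todo), end="")   # feed this to ldapmodify
```

Only accounts whose primary group exists and lacks the value produce a change, so running the output through ldapmodify is idempotent and matches the test case in this thread: afterwards every primary group lists its user as memberUid.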
#16 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to TRIAGED
- % Done changed from 30 to 20
#17 Updated by Giacomo Sanchietti over 6 years ago
- Target version changed from v6.5 to v6.6-rc1
#18 Updated by Stefano Fancello over 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#19 Updated by Stefano Fancello over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Test case 1:
- you need some users created with nethserver-directory < 2.0.4 or you can delete attribute memberUid for primary groups
- install nethserver-sogo
- check that all primary groups have their user as memberUid
- check that the bug is no longer present
Test case 2:
- you need some users created with nethserver-directory < 2.0.4 or you can delete attribute memberUid for primary groups
- update nethserver-sogo
- check that all primary groups have their user as memberUid
- check that the bug is no longer present
#20 Updated by Stefano Fancello over 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
repository nethserver-testing nethserver-sogo-1.4.0-9.0git427fcd77.ns6.noarch.rpm
#21 Updated by Giacomo Sanchietti over 6 years ago
- Target version changed from v6.6-rc1 to v6.6
#22 Updated by Alessio Fattorini over 6 years ago
Test case 1: Verified
#23 Updated by Alessio Fattorini over 6 years ago
- Assignee set to Alessio Fattorini
#24 Updated by Stefano Fancello over 6 years ago
- Assignee deleted (
Alessio Fattorini)
#25 Updated by Alessio Fattorini over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Test case 2 fixed
Verified
#26 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-sogo-1.5.0-1.ns6.noarch.rpm
#27 Updated by Davide Principi over 6 years ago
- Related to Bug #3122: SOGo doesn't show multiple addresses on sender field added