If you assign a user the kolab-admin role, they get permission in kolab-webadmin to edit email addresses. However, kolab-admin does not have access to cn=kolab,cn=config and hence cannot see domain aliases.
Hence, if a user has at least one email address with a domain other than their primary domain, kolab-webadmin will report "Email address x not in local domain" on every attempted edit.
Suggested solution: give the kolab-admin role access by default to cn=kolab,cn=config.
I think the fix is trivial, but not obviously, specially when not familiar with LDIF. Manually solved the problem on my system (multidomain setup).
Create an LDIF file in bash (adjust domain= accordingly):
domain=foo.tld
cat > ./fix-domain-aci.ldif <<END
dn: associateddomain=${domain},cn=kolab,cn=config
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Read Access for ${domain}";allow (read,compare,search)(userdn = "ldap:///dc=$(echo $domain | sed "s/\./,dc=/g")??sub?(objectclass=*)");)
ENDImport into DirSRV:
ldapmodify -x -h localhost -D "cn=Directory Manager" -W -f ./fix-domain-aci.ldif
Can be checked with:
ldapsearch -L -D "cn=Directory Manager" -W -b "cn=kolab,cn=config" aci
Looks like the code in /usr/share/kolab-webadmin/lib/Auth/LDAP.php has to be extended/fixed to resolve this issue entirely