
kolab-webadmin broken for users with kolab-admin role
Open, Needs Triage | Public

Description

If you assign a user the kolab-admin role, they get permission in kolab-webadmin to edit email addresses. However, kolab-admin does not have access to cn=kolab,cn=config and hence cannot see domain aliases.

Hence, if a user has at least one email address with a domain other than their primary domain, kolab-webadmin will report "Email address x not in local domain" on every attempted edit.

Suggested solution: give the kolab-admin role access by default to cn=kolab,cn=config.

Details

Ticket Type
Task

Event Timeline

fluser added a subscriber: fluser. Mar 10 2022, 5:05 PM

I think the fix is trivial, but not obvious, especially when not familiar with LDIF. I manually solved the problem on my system (multidomain setup).

Create an LDIF file in bash (adjust domain= accordingly):

domain=foo.tld
cat > ./fix-domain-aci.ldif <<END
dn: associateddomain=${domain},cn=kolab,cn=config
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Read Access for ${domain}";allow (read,compare,search)(userdn = "ldap:///dc=$(echo $domain | sed "s/\./,dc=/g")??sub?(objectclass=*)");)
END

Import into DirSRV:

ldapmodify -x -h localhost -D "cn=Directory Manager" -W -f ./fix-domain-aci.ldif

Can be checked with:

ldapsearch -x -L -D "cn=Directory Manager" -W -b "cn=kolab,cn=config" aci

Looks like the code in /usr/share/kolab-webadmin/lib/Auth/LDAP.php has to be extended/fixed to resolve this issue entirely.
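
A role-scoped variant of the LDIF above, as an added example that is not part of the original comment or Kolab's own code: the comment's ACI uses userdn with a subtree search URL, which matches every entry under the domain's base DN, while the ticket asks for access for the kolab-admin role only. The role DN cn=kolab-admin,<base DN> and the function names are assumptions to verify against your directory; roledn is the 389 Directory Server bind rule for role membership.

```shell
#!/bin/sh
# Added example: build the per-domain ACI as LDIF, scoped to a role
# instead of to every user in the domain.

# ASSUMPTION: the kolab-admin role entry sits directly under the domain
# base DN with this RDN. Check your directory before importing.
ROLE_RDN="cn=kolab-admin"

# Convert "foo.tld" to "dc=foo,dc=tld".
# Anything that is not a plain DNS name is rejected, so the value cannot
# smuggle quotes, parentheses or newlines into the DN or the ACI string.
domain_to_basedn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
    esac
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Emit the LDIF modify record for one domain ($1) on stdout.
build_aci_ldif() {
    basedn=$(domain_to_basedn "$1") || {
        echo "invalid domain: $1" >&2
        return 1
    }
    cat <<END
dn: associateddomain=$1,cn=kolab,cn=config
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "kolab-admin read access for $1";allow (read,compare,search)(roledn = "ldap:///${ROLE_RDN},${basedn}");)
END
}

# Usage: build_aci_ldif foo.tld > ./fix-domain-aci.ldif
```

The output can be imported with the same ldapmodify command shown in the comment above.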