
kolab-webadmin broken for users with kolab-admin role
Open, Normal, Public


If you assign a user the kolab-admin role, they get permission in kolab-webadmin to edit email addresses. However, kolab-admin does not have access to cn=kolab,cn=config and hence cannot see domain aliases.

Hence, if a user has at least one email address with a domain other than their primary domain, kolab-webadmin will report "Email address x not in local domain" on every attempted edit.

Suggested solution: give the kolab-admin role access by default to cn=kolab,cn=config.



Event Timeline

I think the fix is trivial, but not obviously so, especially when not familiar with LDIF. I manually solved the problem on my system (multidomain setup).

Create an LDIF file in bash (adjust domain= accordingly):

domain=example.org   # adjust to the affected domain
cat > ./fix-domain-aci.ldif <<END
dn: associateddomain=${domain},cn=kolab,cn=config
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Read Access for ${domain}";allow (read,compare,search)(userdn = "ldap:///dc=$(echo $domain | sed "s/\./,dc=/g")??sub?(objectclass=*)");)
END

Import into DirSRV:

ldapmodify -x -h localhost -D "cn=Directory Manager" -W -f ./fix-domain-aci.ldif

Can be checked with:

ldapsearch -x -h localhost -L -D "cn=Directory Manager" -W -b "cn=kolab,cn=config" aci

Looks like the code in /usr/share/kolab-webadmin/lib/Auth/LDAP.php has to be extended/fixed to resolve this issue entirely.
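The workaround above generalised to a multidomain setup, as an added example that is not part of the ticket or of Kolab: it rebuilds the same ACI for each domain, unfolds the wrapped LDIF that ldapsearch prints, and emits a modify record only for the domain entries under cn=kolab,cn=config that still lack it. The ldapsearch excerpt in SAMPLE is constructed, not real output.

```shell
#!/bin/sh
# Added example, not code from the ticket: generalise the one-domain
# workaround to every domain under cn=kolab,cn=config.
# SAMPLE below is a constructed ldapsearch -L excerpt, not real output.

# "example.org" -> "dc=example,dc=org" (same rewrite as the sed in the ticket)
domain_to_dc() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# LDIF "modify" record adding the ticket's ACI to one domain entry.
aci_ldif_for_domain() {
    printf 'dn: associateddomain=%s,cn=kolab,cn=config\n' "$1"
    printf 'changetype: modify\nadd: aci\n'
    printf 'aci: (targetattr = "*") (version 3.0;acl "Read Access for %s";allow (read,compare,search)(userdn = "ldap:///%s??sub?(objectclass=*)");)\n\n' \
        "$1" "$(domain_to_dc "$1")"
}

# Join LDIF continuation lines (ldapsearch wraps long values; a wrapped
# line starts with one space) so an ACI can be matched on a single line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { print "" }'
}

# Read ldapsearch -L output on stdin and print each domain whose entry
# still lacks a "Read Access for <domain>" ACI, one per line.
domains_missing_aci() {
    unfold_ldif | awk '
        /^dn: associateddomain=/ { cur = $0; sub(/^dn: associateddomain=/, "", cur); sub(/,.*/, "", cur); seen[cur] = 0 }
        /^aci: / && cur != "" && index($0, "acl \"Read Access for " cur "\"") { seen[cur] = 1 }
        END { for (d in seen) if (!seen[d]) print d }' | sort
}

# Emit one LDIF stream fixing every domain that is still missing the ACI.
ldif_for_missing() {
    domains_missing_aci | while read -r d; do aci_ldif_for_domain "$d"; done
}

SAMPLE='dn: associateddomain=example.org,cn=kolab,cn=config
aci: (targetattr = "*") (version 3.0;acl "Read Access for example.org";allow (re
 ad,compare,search)(userdn = "ldap:///dc=example,dc=org??sub?(objectclass=*)");)

dn: associateddomain=example.net,cn=kolab,cn=config
associateddomain: example.net
'
printf '%s' "$SAMPLE" | ldif_for_missing
```

Feed the real output of the ldapsearch command above into `ldif_for_missing` and pass the result to ldapmodify as in the ticket. Note that this ACI, exactly like the one in the ticket, grants read, compare and search on the domain entry to every bind DN under the domain's dc suffix, not only to holders of the kolab-admin role.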

machniak lowered the priority of this task from Needs Triage to Normal. Sep 27 2023, 11:12 AM