General discussion on installation and configuration of SOGo



Re: [SOGo] Any way to backup and restore shared calendars?


  • From: "Christian Mack" ( ) < >
  • To:
  • Subject: Re: [SOGo] Any way to backup and restore shared calendars?
  • Date: Tue, 22 Aug 2017 17:28:09 +0200
  • Dmarc-filter: OpenDMARC Filter v1.2.0 mail.inverse.ca DB306BA8FE8

On 22.08.2017 at 14:11, Zhang Huangbin ( ) wrote:
>
>> On Aug 22, 2017, at 7:18 PM, Christian Mack ( ) < > wrote:
>>
>> You can change that.
>> Just do _not_ give the administrative account (used to query the
>> LDAP) read privileges on attribute userPassword.
>> It is not necessary anyway, as SOGo does a bind with the password
>> provided by the user.
>
> I don’t think this is a good idea; an LDAP DN having read/write privilege on
> all its own attributes is quite normal, for example, to change the password
> in self-service applications (we do this in Roundcube webmail too).
>

Yes, a user has write privilege on his attributes including
userPassword, but other users and Admin users don't.
Backup is done with the admin user only, there is no bind for the user,
as there is no user to type in the password.

> Besides, setting ACL in LDAP server is a good idea. If we go this way,
> we have to create a new bind dn for just SOGO itself, and add one more
> ACL in LDAP server to control which LDAP objectClass/attribute it can
> read. This is making software deployment more complex.
>

I disagree here, and so do the data security laws in Germany.
We have over 60 services on this LDAP.
Each one has its own admin user and he can only access those attributes
necessary for his service.
With that, a security breach on one service can be handled without
changing all other services too.
And a security breach on one service never reveals all data of the user.

> So, why not simply not store unnecessary data in the backup file? This should
> be the best solution.
>

You misunderstood me here.
I also think this would be a good thing.
But till this gets implemented, LDAP ACLs are a doable thing.
And I will always use both.


Kind regards,
Christian Mack

--
Christian Mack
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung Basisdienste
78457 Konstanz
+49 7531 88-4416

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
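
The per-service ACL approach discussed in this message, written out as an added example that is not part of the original thread or of the SOGo project. It assumes OpenLDAP with cn=config; the database index, the base DN and the service account DN are hypothetical placeholders.

```ldif
# Added example, not from the thread. Assumptions: OpenLDAP with cn=config,
# the user database is olcDatabase={1}mdb, users live under
# ou=people,dc=example,dc=org, and SOGo binds as the hypothetical service
# account cn=sogo,ou=services,dc=example,dc=org.
#
# Rule {0}: userPassword is writable by its owner and usable for
#           authentication (bind), but readable by nobody else, including
#           service accounts.
# Rule {1}: the SOGo account may read only the attributes it needs to look
#           up users (illustrative list; adjust to your SOGoUserSources).
# Rule {2}: everything else is visible to the entry's owner only.
#
# "replace: olcAccess" overwrites every existing ACL on this database;
# merge with the rules of your other services before applying.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=org"
  attrs=entry,objectClass,uid,cn,mail
  by dn.exact="cn=sogo,ou=services,dc=example,dc=org" read
  by self read
  by * none
olcAccess: {2}to *
  by self read
  by * none
```

To check the result, run an ldapsearch bound as the service account and request userPassword explicitly; the entries should come back without that attribute.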



