[Kolab-devel] Cross-domain ACL limitation: how to customize openpkg imapd package to attempt to solve this problem?

Fabio Pietrosanti lists at pietrosanti.it
Fri May 5 19:47:48 CEST 2006


We noticed that Cyrus imapd still doesn't implement "cross-domain ACL".

If you attempt to set up a cross-domain ACL for shared@domain1.com with
user user1@domain2.com you will get the following error:
setaclmailbox: shared@domain1.com: lrswipcda: Invalid identifier

This limitation has still not been removed because the Cyrus Project is
evaluating "how to manage" the "anonymous/anyone" ACL:
http://www.mail-archive.com/info-cyrus@lists.andrew.cmu.edu/msg09740.html
http://www.irbs.net/internet/info-cyrus/0304/0535.html
http://www.luga.at/mailing-lists/luga/2005/08/msg00039.html

For Kolab 2.1, which is multi-domain but not multi-company, I think that
we should avoid this limitation and not consider the problem of the
anonymous/anyone ACL, which should be transformed into a feature that
Cyrus is missing.

Basically my proposal is to allow cross-domain ACLs to be set up so that
if I create a shared folder called "shared@domain1.com" it will be
accessible not only from "user1@domain1.com" but also from
"user1@domain2.com" and all other users that I explicitly allowed through
the web admin interface, without the artificial Cyrus limitation.

The web interface already allows it and the LDAP schema is ready for it,
but Cyrus is still not prepared because they still haven't worked out how
to fix this problem in a way that is scalable and acceptable for EVERY
situation.

If we don't implement cross-domain ACLs (removing the Cyrus limitation)
we will not be able to share any groupware information across accounts
on different domains.

I evaluated how to modify the Cyrus source to create a patch, and it
seems that in the file imap/mboxlist.c, in the function mboxlist_setacl,
we should simply not return the IMAP_INVALID_IDENTIFIER error from
this check.

        if ((cp = strchr(identifier, '@'))) {
            if (rights &&
                ((domain && strncasecmp(cp+1, domain, strlen(cp+1))) ||
                 (!domain && (!config_defdomain ||
                              strcasecmp(config_defdomain, cp+1))))) {
                /* can't set cross-domain ACLs */
                return IMAP_INVALID_IDENTIFIER;
            }

I would like to create a patch and do intensive testing on it,
but I cannot find a procedure for customizing the imapd source RPM of Kolab:

wget http://max.kde.org:8080/mirrors/ftp.kolab.org/server/development-2.1/current/sources/imapd-2.2.12-2.5.0_kolab.src.rpm

Which is the right procedure to test custom patches for the Kolab imapd
OpenPKG package?

We created a ticket for that on
https://intevation.de/roundup/kolab/issue1233

Fabio
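
The check quoted in the message, modelled as a stand-alone function next
to a variant that admits only explicitly listed foreign domains instead of
dropping the check (an added example, not code from the post or from
Cyrus). check_original, check_allowlist, the allowed list and the value
of IMAP_INVALID_IDENTIFIER are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define IMAP_INVALID_IDENTIFIER (-1) /* placeholder, not the real Cyrus value */

/* Model of the quoted check. domain: the mailbox's domain (NULL when it is
 * in the default domain); defdomain stands in for config_defdomain. */
int check_original(const char *identifier, const char *rights,
                   const char *domain, const char *defdomain)
{
    const char *cp = strchr(identifier, '@');
    if (cp && rights &&
        ((domain && strncasecmp(cp + 1, domain, strlen(cp + 1))) ||
         (!domain && (!defdomain || strcasecmp(defdomain, cp + 1)))))
        return IMAP_INVALID_IDENTIFIER; /* can't set cross-domain ACLs */
    return 0;
}

/* Hypothetical variant: grant across domains only to an explicit list.
 * Unlike the original it compares the whole domain, not a prefix. */
int check_allowlist(const char *identifier, const char *rights,
                    const char *domain, const char *defdomain,
                    const char *const *allowed, size_t n_allowed)
{
    const char *cp = strchr(identifier, '@');
    const char *own = domain ? domain : defdomain;
    size_t i;

    if (!cp || !rights)
        return 0; /* unqualified identifier, or an ACL removal */
    if (own && strcasecmp(cp + 1, own) == 0)
        return 0; /* same domain as the mailbox */
    for (i = 0; i < n_allowed; i++)
        if (strcasecmp(cp + 1, allowed[i]) == 0)
            return 0; /* domain explicitly allowed */
    return IMAP_INVALID_IDENTIFIER;
}

int main(void)
{
    /* Constructed sample: the case from the message plus an unlisted domain. */
    const char *const allowed[] = { "domain2.com" };
    printf("original:  %d\n", check_original("user1@domain2.com", "lrswipcda", "domain1.com", NULL));
    printf("allowlist: %d\n", check_allowlist("user1@domain2.com", "lrswipcda", "domain1.com", NULL, allowed, 1));
    printf("unlisted:  %d\n", check_allowlist("user1@domain3.com", "lrswipcda", "domain1.com", NULL, allowed, 1));
    return 0;
}
```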