Kolab Intermediate 2.4 Release

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Wed May 9 22:41:39 CEST 2012


On 2012-05-09 18:21, Heiner Markert wrote:
> On Wednesday 09 May 2012 17:57:52, Jeroen van Meeuwen (Kolab Systems) wrote:
>> On 2012-05-09 16:46, Heiner Markert wrote:
>> > That worked, thank you!
>> > Maybe I just do not see the option, but when I log into the admin
>> > interface and select "Users", I do not see any possibility to
>> > actually add a user...
>> > All I can do is search for existing users, configure the search,
>> > reset the search, switch to "Groups" or "About" view, and log out.
>> >
>> > The apache error log states
>> > sh: /usr/lib64/mozldap/ldapsearch: Permission denied
>> > when logging into the web interface or when opening the
>> > "Groups"-panel, but no errors appear when loading the "Users"
>> > panel.
>> >
>>
>> Permission denied - is SELinux set to enforce the targeted policy by
>> any chance?
>>
>> The mozldap/ldapsearch tool is used (because PHP LDAP is lacking
>> support for the getEffectiveRights() control) to determine whether
>> the logged in user is allowed to create/delete entries from the user
>> and group base_dn.
>>
>> Kind regards,
>>
>> Jeroen van Meeuwen
>>
>
> Thank you again for the hint. I set SELinux mode to permissive, and
> it worked.
> I found two additional issues:
>
> 1) When creating a new user, the cyrus mailbox is not created - I had
> to manually invoke cyradm and create the mailbox for the user.

Can you please verify the kolabd service is running?

> 2) the file /etc/imapd.conf contains the ldap password as plain text
> and is world readable. It would perhaps be better to change the file
> ownership to the cyrus user and restrict access.
>

The setup doesn't touch/change the permissions on this file (read: is 
not supposed to touch/change the permissions on this file).

The LDAP account you refer to for which the password is mentioned is a 
read-only account and should have no privileges other than to search the 
entire tree. Protecting this account is only really important if you 
also close down a part of the directory tree through ACLs.

That said, there's no excuse for the broad permissions ;-) If you could 
create a ticket in Bugzilla, I can make sure this is fixed.

> I have one additional question: Is it possible to access the calendar
> as ics-stream in some way? Horde used to support this, and "plain"
> roundcube calendar seems to support it as well, but I didn't find a
> way to do that in kolab-roundcube...
>

Which is... what exactly? You mean an export of the calendar?

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
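
The permission problem raised in point 2 above, as an added example that is not part of the original message or of Kolab's setup code: a POSIX shell check that flags a config file which both stores a password and is readable by "other". The `*password` key pattern and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag config files that hold a password and are world readable.
# Assumption: secrets sit on lines whose key ends in "password" (e.g. ldap_password).

# has_secret FILE -> 0 if FILE has an uncommented "*password" key with a value
has_secret() {
    grep -Eiq '^[[:space:]]*[a-z_]*password[[:space:]]*[:=][[:space:]]*[^[:space:]]' "$1"
}

# world_readable FILE -> 0 if the "other" read bit (octal 004) is set
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# audit_file FILE -> prints a finding; returns 1 only for an exposed secret store
audit_file() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "SKIP  $target (not a regular file)"
        return 0
    fi
    if has_secret "$target" && world_readable "$target"; then
        echo "FAIL  $target holds a password and is world readable"
        return 1
    fi
    echo "OK    $target"
    return 0
}

# demo: runs the audit on a constructed file, before and after tightening the mode.
# The thread's suggested fix is ownership by the cyrus user plus restricted access;
# only the mode change is shown here because the demo must run unprivileged.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'ldap_password: CONSTRUCTED-SAMPLE-VALUE\n' > "$dir/imapd.conf"
    chmod 644 "$dir/imapd.conf"
    audit_file "$dir/imapd.conf" && before=0 || before=$?
    chmod 600 "$dir/imapd.conf"
    audit_file "$dir/imapd.conf" && after=0 || after=$?
    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo
```

On a real host, call `audit_file /etc/imapd.conf`; a `FAIL` result is cleared by the change suggested in the thread (owner set to the cyrus user, access for others removed).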