[Kolab-devel] [issue679] Rethink the kolabencryptedPassword, use better design.

Bernhard Reiter kolab-issues at intevation.de
Wed Mar 9 18:13:35 CET 2005 

New submission from Bernhard Reiter <bernhard at intevation.de>:

Kolab 2.0 beta2: 
Rethink the kolabencryptedPassword.

Currently:
        kolabEncryptedPassword contains the password of each
        group or resource account. Encrypted for the resmgr.

        Each time a password is changed by the webinterface,
        kolabEncryptedPassword is updated.

        resmgr gets the calender user password from kolabd, which
        generates it into the config file from the template.

        Drawbacks:

        Resmgr thus has access to the cleartext password
        of those users which is much more rights than it needs to have.

        Other applications enabling the user to change the password
        (E.g. like windows over samba) would need to update
        kolabEncryptedPassword, too. This is hard for them.
Original idea:
        kolabEncryptedPassword shall transport the cleartext
        password of the calendar user to resmgr,
        so that resmgr can run with lower rights and possibly on other
        machines.

        In case of multidomain support, there might be several
        different calender users and resmgr would only gain right of one.

        Drawback: The same data in there a lot of times.


To improve from the current situation:
        Remove kolabEncryptedPassword and have kolabd create the
        one Calender folder with the correct annotations and
        the setting the ACL for calendar user access on account creation.
        This can be done only once,
        so the user can withdraw the permissions again.
 
      In case of future multidomain support, kolabd will know
        in which domain the account in question is in and can use
        a different calendar user as default.

----------
messages: 4070
nosy: bernhard
priority: feature
status: unread
title: Rethink the kolabencryptedPassword, use better design.
topic: server
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue679>
________________________________________________

More information about the devel mailing list