ACL and LDAP (Ralph could you take a look at this?)

CLorenzo-2 2007-06-01 09:23:10 UTC #1

Hi to all.

I’m writing this post, because we have found a severe conflict between the ACL system and the standard way of handling group permissions in a unix box.

The standard way of handling file permissions in unix is to create groups of user, each group represents a role, the roles are jerarquized (i don’t know if this is right in english), ie:

General Manager

Sales Manager
- Salesman
Financial Manager
- Accounting
- Credits
IT Manager
- IT Technicians

Also a general group called users is used to simplify some permissions handling

Each user is assigned to a group in order to his main role in the organization

Each user is also assigned to the groups under his responsability ie:

The General Manager:
Primary Group = General Manager
Secondary Groups: IT Manager, Sales Manager, Financial Manager, IT Technicians, Salesman, Accounting, Credits, users

The IT Manager:
Primary Group = IT Manager
Secondary Groups = IT Technicians, users

The IT Technician
Primary Group = IT Technician
Secondary Groups = users

Thus when creating files, if a Technician creates a file, it belong to group IT Technicians. All the structure above him could read this file, because all has this group as a secondary group

But, if the IT Manager Creates a file (ie: an employee report), the IT Technician could not read it because this file belongs to group IT Managers, but the General Manager could read it, because it also belongs to this group.

This is how ACL should work.

ACL should grant the permissions looking only ant the primary group of the owner of the record.

ACL should check permissions against all groups (primary and secondary), from the user who are looking the record.

Thus you can set an ACL for the group IT Managers like this:

Group IT Managers (all, but private)
Group General Manager = Read

ACL for the Group IT Technicians:

Group IT Technicians (all, but private)
Group IT Managers = Read, Edit
Group General Manager = Read

With this setup you get a full control without conflict with the unix standards

In the actual setup you get that when a General Manager adds an entry it is automatically granted to all users because all users belongs to the users group!!!

And you cannot separate groups from eGroupware from system Groups because you use LDAP to unify the users and groups admimistration!!!

Ralf_Becker_6 2007-06-03 17:01:50 UTC #2

Hi,

that’s a well know problem of the owner based ACL used in parts of eGW.
It was one of the reasons to introduce group addressbooks and group
ownership of certain infolog types in the 1.4 release.

For files you can use the group-directories of filemanager, as they are
only viewable by the group-members: like the group-addressbooks.

Ralf

clorenzo schrieb:

Hi to all.

I’m writing this post, because we have found a severe conflict between the
ACL system and the standard way of handling group permissions in a unix box.

The standard way of handling file permissions in unix is to create groups of
user, each group represents a role, the roles are jerarquized (i don’t know
if this is right in english), ie:

General Manager

Sales Manager

Salesman

Financial Manager

Accounting

Credits

IT Manager

IT Technicians

Also a general group called users is used to simplify some permissions
handling

Each user is assigned to a group in order to his main role in the
organization

Each user is also assigned to the groups under his responsability ie:

The General Manager:
Primary Group = General Manager
Secondary Groups: IT Manager, Sales Manager, Financial Manager, IT
Technicians, Salesman, Accounting, Credits, users

The IT Manager:
Primary Group = IT Manager
Secondary Groups = IT Technicians, users

The IT Technician
Primary Group = IT Technician
Secondary Groups = users

Thus when creating files, if a Technician creates a file, it belong to group
IT Technicians. All the structure above him could read this file, because
all has this group as a secondary group

But, if the IT Manager Creates a file (ie: an employee report), the IT
Technician could not read it because this file belongs to group IT Managers,
but the General Manager could read it, because it also belongs to this
group.

This is how ACL should work.

ACL should grant the permissions looking only ant the primary group of the
owner of the record.

ACL should check permissions against all groups (primary and secondary),
from the user who are looking the record.

Thus you can set an ACL for the group IT Managers like this:

Group IT Managers (all, but private)
Group General Manager = Read

ACL for the Group IT Technicians:

Group IT Technicians (all, but private)
Group IT Managers = Read, Edit
Group General Manager = Read

With this setup you get a full control without conflict with the unix
standards

In the actual setup you get that when a General Manager adds an entry it is
automatically granted to all users because all users belongs to the users
group!!!

And you cannot separate groups from eGroupware from system Groups because
you use LDAP to unify the users and groups admimistration!!!

–
Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 (0)631 31657-0

This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

CLorenzo-2 2007-06-03 23:12:44 UTC #3

Hi Ralph.

Hi,

that’s a well know problem of the owner based ACL used in parts of eGW.
It was one of the reasons to introduce group addressbooks and group
ownership of certain infolog types in the 1.4 release.

For files you can use the group-directories of filemanager, as they are
only viewable by the group-members: like the group-addressbooks.

We don’t use filemanager, we are having this problem with the infologs

What types of infolog have group ownership?

Is not possible to change the acl behaviour to what i described? (using only
primary group for granting and all groups for checking grants, this should
work fine for all)

The main problem is that we cannot change the groups of each user because our
file servers use this groups for files in the filesystem.

Many Thanks

Greetings

–
Un Saludo.

Carlos Lorenzo Matés

Ralf_Becker_6 2007-06-05 08:10:33 UTC #4

Hi Carlos,

in some installs the primary group has no meaning (eg. it’s used for
something else).

We can NOT do such a huge change, as it would break all existing
installations. The only thing I can imagine is to add a configuration
option, which is by default off, to archive that.

Ralf

Carlos Lorenzo Matés schrieb:

Hi Ralph.

Hi,

that’s a well know problem of the owner based ACL used in parts of eGW.
It was one of the reasons to introduce group addressbooks and group
ownership of certain infolog types in the 1.4 release.

For files you can use the group-directories of filemanager, as they are
only viewable by the group-members: like the group-addressbooks.

We don’t use filemanager, we are having this problem with the infologs

What types of infolog have group ownership?

Is not possible to change the acl behaviour to what i described? (using only
primary group for granting and all groups for checking grants, this should
work fine for all)

The main problem is that we cannot change the groups of each user because our
file servers use this groups for files in the filesystem.

Many Thanks

Greetings

This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

CLorenzo-2 2007-06-05 10:02:00 UTC #5

Hi Ralph.

This option seems good enough

This will fix the ACL compatibility with unix groups behaviour

Do you think this option will see the light as a patch for the 1.4 version?

Many Thanks

Greetings

Ralf_Becker_6 2007-06-05 14:51:13 UTC #6

Hi Carlos,

clorenzo schrieb:

Hi Ralph.

Ralf Becker-3 wrote:

Hi Carlos,

in some installs the primary group has no meaning (eg. it’s used for
something else).

We can NOT do such a huge change, as it would break all existing
installations. The only thing I can imagine is to add a configuration
option, which is by default off, to archive that.

This option seems good enough

This will fix the ACL compatibility with unix groups behaviour

Do you think this option will see the light as a patch for the 1.4 version?

Make a feature request.

I dont want to promises something, I need to start working again on
payed development, the whole release thing to far to long …

Ralf

Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 (0)631 31657-0

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

CLorenzo-2 2007-06-05 15:32:10 UTC #7

Hi Ralph.

Feature request 871

Please take in consideration this feature as seems that is wanted by several people (at least this kind of ACL discussion has been over the list for several times)

Many Thanks

Greetings

Ralf_Becker_6 2007-06-05 15:40:31 UTC #8

Get the interested people to vote for it …

Ralf

clorenzo schrieb:

Hi Ralph.

Ralf Becker-3 wrote:

Hi Carlos,

We can NOT do such a huge change, as it would break all existing
installations. The only thing I can imagine is to add a configuration
option, which is by default off, to archive that.

This option seems good enough

This will fix the ACL compatibility with unix groups behaviour

Do you think this option will see the light as a patch for the 1.4
version?
Make a feature request.

I dont want to promises something, I need to start working again on
payed development, the whole release thing to far to long …

Feature request 871

Please take in consideration this feature as seems that is wanted by several
people (at least this kind of ACL discussion has been over the list for
several times)

Many Thanks

Greetings

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-23 16:11:48 UTC #9

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP, unless that group is the eGW primary group. Unfortunately this creates a security problem because it means that everybody who uses eGW Tracker and wants to assign tickets to other people has to belong to the same primary group on LDAP, which in turn means all company users have access to all other company users’ network files via group membership.

Before we make a determining decision about our usage of eGW I would like to ask, will this ever change? Is there anyone working on feature 871?

Thank you.

Krassimir S.

Ralf_Becker_6 2007-07-23 16:59:03 UTC #10

Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.

eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

I plan to change it to the “standard” way, that the primary group is
counted as membership too, which is not the case at the moment. I also
want to implement an option to use only groupOfNames instead of
posixGroup, as newer SuSE distros does it (without the need of the
rfc2306bis schema).

As far as I understand you suggested to change the ACL to use only the
primary group and not the other memberships. This can only a
configuration option, you can switch on for new installs, as it will
break the ACL in an existing installation. I dont have any planns to
implement that, as you are the first to ask for this. If you want a
quick solution with it, you probably have to sponsor the feature.

Ralf

Before we make a determining decision about our usage of eGW I would like to
ask, will this ever change? Is there anyone working on feature 871?

Thank you.

Krassimir S.

This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-23 19:32:38 UTC #11

[quote=“Ralf Becker-3”]
Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.

eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

Ralf

Ralf,

It seems like we have quite a bit of misunderstanding. I do not wish that the primary group be used for all membership. I prefer quite the opposite, i.e that other group memberships defined in LDAP be used. You say that that is the way it works, but with Tracker only a user’s LDAP primary group is read for group memebership when assigning tickets. So if userA’s primary LDAP group is groupA, he/she can assign tickets to only users in groupA, which has only userA. Likewise for security reasons userB’s primary LDAP group is groupB. It would be nice if userA and userB are defined as members of a third LDAP group, groupC, which eGW Tracker takes into consideration when determining to whom userA and userB can assign tickets. Then we could set ACL to groupC and tell Tracker to use groupC membership to determine who can assign a ticket to whom. At the same time, when userA creates a file on the network it will belong to userA,groupA, not userAgroupC.

Thank you.

Regards,

Krassimir S.

Ralf_Becker_6 2007-07-24 12:51:45 UTC #12

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group …

Ralf

notwo schrieb:

Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.

eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

I plan to change it to the “standard” way, that the primary group is
counted as membership too, which is not the case at the moment. I also
want to implement an option to use only groupOfNames instead of
posixGroup, as newer SuSE distros does it (without the need of the
rfc2306bis schema).

As far as I understand you suggested to change the ACL to use only the
primary group and not the other memberships. This can only a
configuration option, you can switch on for new installs, as it will
break the ACL in an existing installation. I dont have any planns to
implement that, as you are the first to ask for this. If you want a
quick solution with it, you probably have to sponsor the feature.

Ralf

Ralf,

It seems like we have quite a bit of misunderstanding. I do not wish that
the primary group be used for all membership. I prefer quite the opposite,
i.e that other group memberships defined in LDAP be used. You say that that
is the way it works, but with Tracker only a user’s LDAP primary group is
read for group memebership when assigning tickets. So if userA’s primary
LDAP group is groupA, he/she can assign tickets to only users in groupA,
which has only userA. Likewise for security reasons userB’s primary LDAP
group is groupB. It would be nice if userA and userB are defined as members
of a third LDAP group, groupC, which eGW Tracker takes into consideration
when determining to whom userA and userB can assign tickets. Then we could
set ACL to groupC and tell Tracker to use groupC membership to determine
who can assign a ticket to whom. At the same time, when userA creates a file
on the network it will belong to userA,groupA, not userAgroupC.

Thank you.

Regards,

Krassimir S.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-24 16:38:45 UTC #13

[quote=“Ralf Becker-3”]
Hi,

Ralf

notwo schrieb:

Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.

eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

I plan to change it to the “standard” way, that the primary group is
counted as membership too, which is not the case at the moment. I also
want to implement an option to use only groupOfNames instead of
posixGroup, as newer SuSE distros does it (without the need of the
rfc2306bis schema).

As far as I understand you suggested to change the ACL to use only the
primary group and not the other memberships. This can only a
configuration option, you can switch on for new installs, as it will
break the ACL in an existing installation. I dont have any planns to
implement that, as you are the first to ask for this. If you want a
quick solution with it, you probably have to sponsor the feature.

Ralf

Ralf,

It seems like we have quite a bit of misunderstanding. I do not wish that
the primary group be used for all membership. I prefer quite the opposite,
i.e that other group memberships defined in LDAP be used. You say that that
is the way it works, but with Tracker only a user’s LDAP primary group is
read for group memebership when assigning tickets. So if userA’s primary
LDAP group is groupA, he/she can assign tickets to only users in groupA,
which has only userA. Likewise for security reasons userB’s primary LDAP
group is groupB. It would be nice if userA and userB are defined as members
of a third LDAP group, groupC, which eGW Tracker takes into consideration
when determining to whom userA and userB can assign tickets. Then we could
set ACL to groupC and tell Tracker to use groupC membership to determine
who can assign a ticket to whom. At the same time, when userA creates a file
on the network it will belong to userA,groupA, not userAgroupC.

Thank you.

Regards,

Krassimir S.

Ralf,

The problem I am having must be related to LDAP because if on eGW, I change the ( go to User accounts/username/Edit/primary Group) it changes the primary group for that user inside the LDAP tree; it replaces the user’s with the group number selected under . What I keep trying to ask is why does the group that is chosen on the eGW user setup interface (egroupware/index.php?menuaction=admin.uiaccounts.edit_user&account_id=1000) as have to be the same group as that user’s in LDAP?
In the main eGW configuration the group context for LDAP tells eGW where user groups are. This context can be any context defined inside LDAP and groups inside that context should be used as for eGW’s purposes, completely separate from users’ .

Let me know if you think I am doing something terribly wrong.

Thank you.

Krassimir S.

Ralf_Becker_6 2007-07-24 18:43:58 UTC #14

Hi,

the primary group in eGW is in eGW to be able to change it in LDAP,
that’s the primary reason. It’s now also used for a user-selection mode.
I dont get why you want to remove the ability to manage that LDAP
attribute from within eGW.

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group …

Ralf

notwo schrieb:

Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.
eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

I plan to change it to the “standard” way, that the primary group is
counted as membership too, which is not the case at the moment. I also
want to implement an option to use only groupOfNames instead of
posixGroup, as newer SuSE distros does it (without the need of the
rfc2306bis schema).

As far as I understand you suggested to change the ACL to use only the
primary group and not the other memberships. This can only a
configuration option, you can switch on for new installs, as it will
break the ACL in an existing installation. I dont have any planns to
implement that, as you are the first to ask for this. If you want a
quick solution with it, you probably have to sponsor the feature.

Ralf

Ralf,

It seems like we have quite a bit of misunderstanding. I do not wish
that
the primary group be used for all membership. I prefer quite the opposite,
i.e that other group memberships defined in LDAP be used. You say that
that
is the way it works, but with Tracker only a user’s LDAP primary group is
read for group memebership when assigning tickets. So if userA’s primary
LDAP group is groupA, he/she can assign tickets to only users in groupA,
which has only userA. Likewise for security reasons userB’s primary LDAP
group is groupB. It would be nice if userA and userB are defined as
members
of a third LDAP group, groupC, which eGW Tracker takes into consideration
when determining to whom userA and userB can assign tickets. Then we
could
set ACL to groupC and tell Tracker to use groupC membership to determine
who can assign a ticket to whom. At the same time, when userA creates a
file
on the network it will belong to userA,groupA, not userAgroupC.

Thank you.

Regards,

Krassimir S.

Ralf,

The problem I am having must be related to LDAP because if on eGW, I change
the ( go to User accounts/username/Edit/primary Group) it
changes the primary group for that user inside the LDAP tree; it replaces
the user’s with the group number selected under .
What I keep trying to ask is why does the group that is chosen on the eGW
user setup interface
(egroupware/index.php?menuaction=admin.uiaccounts.edit_user&account_id=1000)
as have to be the same group as that user’s in
LDAP?
In the main eGW configuration the group context for LDAP tells eGW where
user groups are. This context can be any context defined inside LDAP and
groups inside that context should be used as for eGW’s
purposes, completely separate from users’ .

Let me know if you think I am doing something terribly wrong.

Thank you.

Krassimir S.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-24 19:49:48 UTC #15

[quote=“Ralf Becker-3”]
Hi,

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group …

Ralf

notwo schrieb:

Hi,

notwo schrieb:

Hello,

I have upgraded from eGW 1.2 to eGW 1.4. The TTS application has been
upgraded to Tracker. However, a problem described in

http://www.nabble.com/LDAP%2C-priamry-group%2C-and-TTS-tf3527776s3741.html#a9843854
and
http://www.nabble.com/TTS-LDAP-prmary-group-tf3847109s3741.html#a10895936

still remains.

It appears that eGW has no way of inheriting group membership from LDAP,
unless that group is the eGW primary group. Unfortunately this creates a
security problem because it means that everybody who uses eGW Tracker and
wants to assign tickets to other people has to belong to the same primary
group on LDAP, which in turn means all company users have access to all
other company users’ network files via group membership.
eGW does NOT use the primary group, it uses only the membership
attributes of the group. The group membership is read directly from
LDAP, eGW only caches them during the session.

I plan to change it to the “standard” way, that the primary group is
counted as membership too, which is not the case at the moment. I also
want to implement an option to use only groupOfNames instead of
posixGroup, as newer SuSE distros does it (without the need of the
rfc2306bis schema).

As far as I understand you suggested to change the ACL to use only the
primary group and not the other memberships. This can only a
configuration option, you can switch on for new installs, as it will
break the ACL in an existing installation. I dont have any planns to
implement that, as you are the first to ask for this. If you want a
quick solution with it, you probably have to sponsor the feature.

Ralf

Ralf,

It seems like we have quite a bit of misunderstanding. I do not wish
that
the primary group be used for all membership. I prefer quite the opposite,
i.e that other group memberships defined in LDAP be used. You say that
that
is the way it works, but with Tracker only a user’s LDAP primary group is
read for group memebership when assigning tickets. So if userA’s primary
LDAP group is groupA, he/she can assign tickets to only users in groupA,
which has only userA. Likewise for security reasons userB’s primary LDAP
group is groupB. It would be nice if userA and userB are defined as
members
of a third LDAP group, groupC, which eGW Tracker takes into consideration
when determining to whom userA and userB can assign tickets. Then we
could
set ACL to groupC and tell Tracker to use groupC membership to determine
who can assign a ticket to whom. At the same time, when userA creates a
file
on the network it will belong to userA,groupA, not userAgroupC.

Thank you.

Regards,

Krassimir S.

Ralf,

The problem I am having must be related to LDAP because if on eGW, I change
the ( go to User accounts/username/Edit/primary Group) it
changes the primary group for that user inside the LDAP tree; it replaces
the user’s with the group number selected under .
What I keep trying to ask is why does the group that is chosen on the eGW
user setup interface
(egroupware/index.php?menuaction=admin.uiaccounts.edit_user&account_id=1000)
as have to be the same group as that user’s in
LDAP?
In the main eGW configuration the group context for LDAP tells eGW where
user groups are. This context can be any context defined inside LDAP and
groups inside that context should be used as for eGW’s
purposes, completely separate from users’ .

Let me know if you think I am doing something terribly wrong.

Thank you.

Krassimir S.

Ralf,

I am not against primary group attribute management. However, I am not sure that eGW’s ability to manage primary group settings is fully functional. Currently, all my users have to belong to the same primary group so that they can assign Tracker tickets. For security reasons, eGW should not be allowed to change the LDAP tree. In my view, full management of the LDAP tree should be an option not default.To manage the primary group is one thing, the way an application uses the primary group is another thing. So I see two possible fixes: a) either ensure eGW reads non-primary group memberships inside the LDAP group context, or b) set on eGW different from the primary group for LDAP.

I hope this clarifies my position on the issue.

I look forward to your reply.

Thanks.

Krassimir

P.S. Could you provide a bit more details about what user-selection mode means.

Ralf_Becker_6 2007-07-25 07:13:18 UTC #16

Hi Krassimir,

notwo schrieb:

Ralf,

I am not against primary group attribute management. However, I am not sure
that eGW’s ability to manage primary group settings is fully functional.
Currently, all my users have to belong to the same primary group so that
they can assign Tracker tickets. For security reasons, eGW should not be

That is NOT the case! I can only come back to the "user selection mode"
in the common preferences. PLEASE have a look there, I’m sure you set it
to “Primary group with search” or “Selectbox with groupmembers”.

allowed to change the LDAP tree. In my view, full management of the LDAP
tree should be an option not default.To manage the primary group is one

Managing LDAP is NOT the default, it’s an option. If you want to use
LDAP only for authentication, you can do so and store eGW’s account and
memberships in the database.

thing, the way an application uses the primary group is another thing. So I
see two possible fixes: a) either ensure eGW reads non-primary group
memberships inside the LDAP group context, or b) set on eGW

a) is already the case!

different from the primary group for LDAP.

b) as I wrote before, I dont see the point of this, but as eGW is OS:
feel free to implement that for yourself

Ralf

I hope this clarifies my position on the issue.

I look forward to your reply.

Thanks.

Krassimir

P.S. Could you provide a bit more details about what user-selection mode
means.

Hi,

the primary group in eGW is in eGW to be able to change it in LDAP,
that’s the primary reason. It’s now also used for a user-selection mode.
I dont get why you want to remove the ability to manage that LDAP
attribute from within eGW.

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group
…

Ralf
–
Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Handelsregister HRB Kaiserslautern 3587
Geschäftsführer Birgit und Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Telefon +49 (0)631 31657-0

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-25 16:53:33 UTC #17

[quote=“Ralf Becker-3”]
Hi Krassimir,

notwo schrieb:

Ralf,

I am not against primary group attribute management. However, I am not sure
that eGW’s ability to manage primary group settings is fully functional.
Currently, all my users have to belong to the same primary group so that
they can assign Tracker tickets. For security reasons, eGW should not be

allowed to change the LDAP tree. In my view, full management of the LDAP
tree should be an option not default.To manage the primary group is one

Managing LDAP is NOT the default, it’s an option. If you want to use
LDAP only for authentication, you can do so and store eGW’s account and
memberships in the database.

thing, the way an application uses the primary group is another thing. So I
see two possible fixes: a) either ensure eGW reads non-primary group
memberships inside the LDAP group context, or b) set on eGW

a) is already the case!

different from the primary group for LDAP.

b) as I wrote before, I dont see the point of this, but as eGW is OS:
feel free to implement that for yourself

Ralf

I hope this clarifies my position on the issue.

I look forward to your reply.

Thanks.

Krassimir

P.S. Could you provide a bit more details about what user-selection mode
means.

Hi,

the primary group in eGW is in eGW to be able to change it in LDAP,
that’s the primary reason. It’s now also used for a user-selection mode.
I dont get why you want to remove the ability to manage that LDAP
attribute from within eGW.

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group
…

Ralf

Hi Ralf,

It is always possible that I am missing something. So I tested all common preferences (did logout/login) and unfortunately the results are still the same, Tracker does not list any users who are not part of the same . You said, eGW determines group memberships via the group context. Can you be more specific, which attributes does eGW check to determine all group memberships for a particular users?

Thank you.

Krassimir S.

Ralf_Becker_6 2007-07-25 20:54:36 UTC #18

Hi,

I already answered that questions: eGW uses the memberUid attribute of
the posixGroup. It does NOT use any context for group-membership.

Ralf

notwo schrieb:

Hi Krassimir,

notwo schrieb:

Ralf,

I am not against primary group attribute management. However, I am not
sure
that eGW’s ability to manage primary group settings is fully functional.
Currently, all my users have to belong to the same primary group so that
they can assign Tracker tickets. For security reasons, eGW should not be

That is NOT the case! I can only come back to the "user selection mode"
in the common preferences. PLEASE have a look there, I’m sure you set it
to “Primary group with search” or “Selectbox with groupmembers”.

allowed to change the LDAP tree. In my view, full management of the LDAP
tree should be an option not default.To manage the primary group is one

Managing LDAP is NOT the default, it’s an option. If you want to use
LDAP only for authentication, you can do so and store eGW’s account and
memberships in the database.

thing, the way an application uses the primary group is another thing. So
I
see two possible fixes: a) either ensure eGW reads non-primary group
memberships inside the LDAP group context, or b) set on
eGW

a) is already the case!

different from the primary group for LDAP.

b) as I wrote before, I dont see the point of this, but as eGW is OS:
feel free to implement that for yourself

Ralf

I hope this clarifies my position on the issue.

I look forward to your reply.

Thanks.

Krassimir

P.S. Could you provide a bit more details about what user-selection mode
means.

Hi,

the primary group in eGW is in eGW to be able to change it in LDAP,
that’s the primary reason. It’s now also used for a user-selection mode.
I dont get why you want to remove the ability to manage that LDAP
attribute from within eGW.

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group
…

Ralf

Hi Ralf,

It is always possible that I am missing something. So I tested all common
preferences (did logout/login) and unfortunately the results are still the
same, Tracker does not list any users who are not part of the same <primary

. You said, eGW determines group memberships via the group context.
Can you be more specific, which attributes does eGW check to determine all
group memberships for a particular users?

Thank you.

Krassimir S.

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

notwo 2007-07-26 21:23:57 UTC #19

[quote=“Ralf Becker-3”]
Hi,

I already answered that questions: eGW uses the memberUid attribute of
the posixGroup. It does NOT use any context for group-membership.

Ralf

notwo schrieb:

Hi Krassimir,

notwo schrieb:

Ralf,

I am not against primary group attribute management. However, I am not
sure
that eGW’s ability to manage primary group settings is fully functional.
Currently, all my users have to belong to the same primary group so that
they can assign Tracker tickets. For security reasons, eGW should not be

That is NOT the case! I can only come back to the "user selection mode"
in the common preferences. PLEASE have a look there, I’m sure you set it
to “Primary group with search” or “Selectbox with groupmembers”.

allowed to change the LDAP tree. In my view, full management of the LDAP
tree should be an option not default.To manage the primary group is one

Managing LDAP is NOT the default, it’s an option. If you want to use
LDAP only for authentication, you can do so and store eGW’s account and
memberships in the database.

thing, the way an application uses the primary group is another thing. So
I
see two possible fixes: a) either ensure eGW reads non-primary group
memberships inside the LDAP group context, or b) set on
eGW

a) is already the case!

different from the primary group for LDAP.

b) as I wrote before, I dont see the point of this, but as eGW is OS:
feel free to implement that for yourself

Ralf

I hope this clarifies my position on the issue.

I look forward to your reply.

Thanks.

Krassimir

P.S. Could you provide a bit more details about what user-selection mode
means.

Hi,

the primary group in eGW is in eGW to be able to change it in LDAP,
that’s the primary reason. It’s now also used for a user-selection mode.
I dont get why you want to remove the ability to manage that LDAP
attribute from within eGW.

Ralf

notwo schrieb:

Hi,

I think your “I can only assign people of my primary group” problem has
nothing to do with LDAP, but with the commen preference “How do you want
to select users”. There’s a setting to show you only your primary group
…

Ralf

Hi Ralf,

It is always possible that I am missing something. So I tested all common
preferences (did logout/login) and unfortunately the results are still the
same, Tracker does not list any users who are not part of the same . You said, eGW determines group memberships via the group context.
Can you be more specific, which attributes does eGW check to determine all
group memberships for a particular users?

Thank you.

Krassimir S.

Hi Ralf,

a) either ensure eGW reads non-primary group
memberships inside the LDAP group context

a) is already the case!

but later you said that

eGW uses the memberUid attribute of
the posixGroup. It does NOT use any context for group-membership.

Please help me clarify this.

As you say, memberUid is an attribute for a group (posixGroup) only, not posixAccount. This means that the minimal requirement to determine is one group. If no group context is used to determine , the only group available to determine is eGW , which is read from user’s posixAccount. If this is correct, then all users must be members of the same to assign Tracker tickets to each other.

This sounds like a possible explanation of what is happening with our eGW implementation.

Does it to you?

Thank you.

Krassimir S.