Thanks, it's even better. I'll add it to the FAQ.

Janos

-------- Original Message --------
From: Katterl Christian <[email protected]>
Sent: Tue Nov 28 08:47:20 GMT+01:00 2017
To: Piler User <[email protected]>
Subject: Re: Re: LDAP Users can see other's mails

Update: By modifying the parameter from

    $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';

to

    $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'user';

it seems to accomplish the same without changing code in /var/www/piler/model/user/auth.php.

Christian Katterl
Teamleader Technical IT
Asamer Baustoffe AG
Unterthalham Straße 2
4694 Ohlsdorf
Austria
tel +43 50 799 - 2511
mobile +43 664 811 54 99
email [email protected]
www.abag.at

This message is confidential. It may not be disclosed to, or used by, anyone other than the addressee. If you receive this message by mistake, please advise the sender. Commercial register: Landesgericht Wels, FN: 407726y, ATU 68646334

From: Janos SUTO [mailto:[email protected]]
Sent: Tuesday, 28 November 2017 08:11
To: Piler User
Subject: Re: Re: LDAP Users can see other's mails

OK, if it gives you a proper result, then the case is solved. Be sure to save your fix in case of a future upgrade. Or I may introduce a configure option to apply your fix.

Janos

________________________________
From: Katterl Christian
Sent: Tue Nov 28 06:35:25 GMT+01:00 2017
To: Piler User
Subject: Re: Re: LDAP Users can see other's mails

Hello,

maybe I have found a solution for this issue. In /var/www/piler/model/user/auth.php I changed line 217, which originally looked like this:

    $query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());

to only:

    $query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username)))", array());

I mean, I removed all the group and distribution-list things. I am not sure what else this will/could cause (I am not a programmer). But from what I saw in a very quick test, now only my personal emails are shown.

BR,
Christian

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Sunday, 26 November 2017 17:56
To: Piler User
Subject: Re: Re: LDAP Users can see other's mails

Hmm, it's odd. Even if a user is a member of a group with other users, which is totally normal, a user still shouldn't see others' emails. Some of the addresses look like some distribution lists. Can you show me such a message that you can see and that is meant for someone else? I'm interested in the headers only. (You may send it privately to my address.) The selected messages should not belong to any distribution list you are on.

Janos

On 2017-11-23 12:09, Katterl Christian wrote:

It seems that I can see all messages of members of the same AD groups. In my case, piler would not need to take care of groups...

From: Janos SUTO [mailto:[email protected]]
Sent: Thursday, 23 November 2017 09:45
To: Piler User
Subject: Re: LDAP Users can see other's mails

Show me the sphinx query from the mail log related to the given user.

Janos

-------------------------
From: Katterl Christian
Sent: Thu Nov 23 07:35:19 GMT+01:00 2017
To: "[email protected]"
Subject: LDAP Users can see other's mails

Dear all,

I configured piler (1.3.1) on Debian (9) using LDAP authentication against Active Directory. Basically, authentication works. BUT: successfully logged-in users can see not only their own mails but also the mails of other users? My LDAP config from config-site.php looks like this:

    $config['ENABLE_LDAP_AUTH'] = 1;
    $config['LDAP_HOST'] = 'mydomaincontroller.mydomain.myforest.tld';
    $config['LDAP_HELPER_DN'] = 'CN=pilerldap,OU=ServicesAccounts,DC=mydomain,DC=myforest,DC=tld';
    $config['LDAP_HELPER_PASSWORD'] = 'highpressurecompressor';
    $config['LDAP_MAIL_ATTR'] = 'mail';
    $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
    $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
    $config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
    $config['LDAP_BASE_DN'] = 'DC=mydomain,DC=myforest,DC=tld';
    $config['LDAP_AUDITOR_MEMBER_DN'] = '';
    $config['LDAP_ADMIN_MEMBER_DN'] = '';

Any ideas?

BR,
Christian
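The query on line 217 of auth.php quoted above, and the two workarounds in the thread (dropping the distribution-list clauses, or pointing LDAP_DISTRIBUTIONLIST_OBJECTCLASS at 'user'), can be checked offline with the following added Python model. It is not piler code: the directory entries, DNs and addresses are constructed, the filter builder only reproduces the shape of the original line, and the narrower "mail-enabled groups only" variant is an addition that does not appear in the thread. What piler collects from the matched entries afterwards is not visible on the page, so the model reports only which entries each filter returns for the logged-in user.

```python
"""Model of the LDAP filter shape from piler's model/user/auth.php.

Added illustration, not piler code. Directory entries below are constructed
Active Directory-like objects (attribute names lower-cased for lookup).
"""
import re

ALICE_DN = "CN=Alice,OU=Users,DC=example,DC=test"
BOB_DN = "CN=Bob,OU=Users,DC=example,DC=test"
IT_DN = "CN=IT-Staff,OU=Groups,DC=example,DC=test"   # plain security group, no mail attribute
SALES_DN = "CN=Sales,OU=Groups,DC=example,DC=test"   # mail-enabled distribution list
DIRECTORY = [  # constructed sample directory
    {"dn": ALICE_DN, "objectclass": ["top", "person", "organizationalPerson", "user"],
     "mail": ["alice@example.test"]},
    {"dn": BOB_DN, "objectclass": ["top", "person", "organizationalPerson", "user"],
     "mail": ["bob@example.test"]},
    {"dn": IT_DN, "objectclass": ["top", "group"], "member": [ALICE_DN, BOB_DN]},
    {"dn": SALES_DN, "objectclass": ["top", "group"], "mail": ["sales@example.test"],
     "member": [ALICE_DN]},
]


def ldap_escape(value):
    """RFC 4515 escaping so user-supplied text cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Tiny RFC 4515 parser: (&...), (|...), (attr=value) and presence (attr=*)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            kids.append(node)
        if text[pos] != ")":
            raise ValueError("unterminated list at %d" % pos)
        return (op, kids), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")  # first '=' only, so DN values survive
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":                    # presence filter
        return bool(present)
    want = _unescape(value).lower()     # AD matching is case-insensitive for these attributes
    return any(v.lower() == want for v in present)


def matched_dns(directory, flt):
    node, _ = parse_filter(flt)
    return sorted(e["dn"] for e in directory if matches(node, e))


def piler_filter(username, user_dn, account_oc="user", dl_oc="group",
                 mail_attr="mail", dl_attr="member", prefix=""):
    """Same shape as the original line 217; escaping is added in this model."""
    u, d = ldap_escape(prefix + username), ldap_escape(user_dn)
    return ("(|(&(objectClass=%s)(%s=%s))(&(objectClass=%s)(%s=%s))(&(objectClass=%s)(%s=%s)))"
            % (account_oc, mail_attr, u, dl_oc, dl_attr, u, dl_oc, dl_attr, d))


def mail_enabled_group_filter(username, user_dn, mail_attr="mail", dl_attr="member"):
    """Added variant (not from the thread): a group only counts as a distribution
    list when it carries a mail attribute, so plain security groups never match."""
    return ("(|(&(objectClass=user)(%s=%s))(&(objectClass=group)(%s=*)(%s=%s)))"
            % (mail_attr, ldap_escape(username), mail_attr, dl_attr, ldap_escape(user_dn)))


def compare(username, user_dn):
    return {
        "default (dl_oc=group)": matched_dns(DIRECTORY, piler_filter(username, user_dn)),
        "workaround (dl_oc=user)": matched_dns(DIRECTORY, piler_filter(username, user_dn, dl_oc="user")),
        "mail-enabled groups only": matched_dns(DIRECTORY, mail_enabled_group_filter(username, user_dn)),
    }


if __name__ == "__main__":
    for label, dns in compare("alice@example.test", ALICE_DN).items():
        print("%-26s %s" % (label, dns))
```

With the shipped setting the third clause, (objectClass=group)(member=<user DN>), returns every group that lists the user as a member, including IT-Staff, which has no mail attribute at all; this is the membership-driven behaviour reported in the thread. With LDAP_DISTRIBUTIONLIST_OBJECTCLASS set to 'user', the two member clauses can only match user objects, which carry no member attribute, so the query degenerates to the account lookup, which is why the configuration change and the line-217 edit produce the same result. Both workarounds also drop genuine distribution lists (Sales here); the added mail-enabled variant keeps those while still excluding plain security groups. The quoted line interpolates $username into the filter directly; whether it is escaped earlier in piler's call chain is not visible in the thread, so the model escapes per RFC 4515 at the point of use.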
