AW: AW: LDAP Users can see other's mails

2017-11-27 Thread Katterl Christian
Update:
By modifying the parameter from
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
to
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'user';
it seems to accomplish the same without changing code in
/var/www/piler/model/user/auth.php



Christian Katterl
Teamleader Technical IT


Asamer Baustoffe AG
Unterthalham Straße 2
4694 Ohlsdorf
Austria
tel  +43 50 799 - 2511
mobile +43 664 811 54 99
email c.katt...@asamer.at
www.abag.at



This message is confidential. It may not be disclosed to, or used by, anyone 
other than the addressee. If you receive this message by mistake, please advise 
the sender.
Firmenbuch: Landesgericht Wels, FN: 407726y, ATU 68646334

From: Janos SUTO [mailto:s...@acts.hu]
Sent: Tuesday, 28 November 2017 08:11
To: Piler User
Subject: Re: AW: LDAP Users can see other's mails

OK, if it gives you a proper result, then the case is solved. Be sure to save your 
fix in case of a future upgrade. Or I may introduce a configure option to apply 
your fix.
Janos

From: Katterl Christian
Sent: Tue Nov 28 06:35:25 GMT+01:00 2017
To: Piler User
Subject: AW: AW: LDAP Users can see other's mails



Hello,

maybe I have found a solution for this issue.

In /var/www/piler/model/user/auth.php

I changed the line 217, which originally looked like this:

$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());

To only:

$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username)))", array());

I mean - I removed all the group- and distribution-list things.
I am not sure what else this will/could cause (I am not a programmer)?

But from what I saw in a very quick test, now only my personal emails are shown.

BR, Christian




-----Original Message-----
From: s...@acts.hu [mailto:s...@acts.hu]
Sent: Sunday, 26 November 2017 17:56
To: Piler User
Subject: Re: AW: LDAP Users can see other's mails

Hmm, it's odd. Even if a user is a member of a group with other users, which is 
totally normal, a user still shouldn't see others' emails.

Some of the addresses look like some distribution lists. Can you show me such a 
message you can see and meant for someone else?
I'm interested in the headers only. (You may send it privately to my address). The 
selected messages should not belong to any distribution list you are on.

Janos

On 2017-11-23 12:09, Katterl Christian wrote:

 It seems that I can see all messages of members of the same AD groups.

 In my case, piler would not need to take care of groups...

 From: Janos SUTO [mailto:s...@acts.hu]
 Sent: Thursday, 23 November 2017 09:45
 To: Piler User
 Subject: Re: LDAP Users can see other's mails

 Show me the sphinx query from the mail log related to the given user.

 Janos

 -

 FROM: Katterl Christian
 SENT: Thu Nov 23 07:35:19 GMT+01:00 2017
 TO: "piler-user@list.acts.hu"
 SUBJECT: LDAP Users can see other's mails

 Dear all,

 I configured piler (1.3.1) on Debian (9) using LDAP authentication
 against Active Directory.

 Basically, authentication works.

 BUT:

 Successfully logged in users can see not only their own mails, but also
 mails of other users?

 My ldap-config from config-site.php looks like this:

 $config['ENABLE_LDAP_AUTH'] = 1;
 $config['LDAP_HOST'] = 'mydomaincontroller.mydomain.myforest.tld';
 $config['LDAP_HELPER_DN'] = 'CN=pilerldap,OU=ServicesAccounts,DC=mydomain,DC=myforest,DC=tld';
 $config['LDAP_HELPER_PASSWORD'] = 'highpressurecompressor';
 $config['LDAP_MAIL_ATTR'] = 'mail';
 $config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
 $config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
 $config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
 $config['LDAP_BASE_DN'] = 'DC=mydomain,DC=myforest,DC=tld';
 $config['LDAP_AUDITOR_MEMBER_DN'] = '';
 $config['LDAP_ADMIN_MEMBER_DN'] = '';

 Any ideas?

 BR, Christian

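
Added example (not part of the thread and not piler's own code): a small evaluator for the LDAP filter quoted above, run against a constructed directory, showing which entries the filter selects when LDAP_DISTRIBUTIONLIST_OBJECTCLASS is 'group' and when it is 'user'. The directory entries, the example.test names, the function names and the empty $username_prefix are assumptions.

```python
# Added illustration: evaluates the LDAP filter quoted in this thread against
# a constructed directory. Supports only the operators that filter uses: & | =
DIRECTORY = [  # constructed sample entries, not taken from the thread
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=test",
     "objectclass": ["top", "person", "user"], "mail": ["alice@example.test"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=test",
     "objectclass": ["top", "person", "user"], "mail": ["bob@example.test"]},
    {"dn": "CN=IT-Team,OU=Groups,DC=example,DC=test",
     "objectclass": ["top", "group"], "mail": ["it-team@example.test"],
     "member": ["CN=Alice,OU=Staff,DC=example,DC=test",
                "CN=Bob,OU=Staff,DC=example,DC=test"]},
    {"dn": "CN=Sales,OU=Groups,DC=example,DC=test",
     "objectclass": ["top", "group"], "mail": ["sales@example.test"],
     "member": ["CN=Bob,OU=Staff,DC=example,DC=test"]},
]

def build_filter(username, user_dn, dl_objectclass, account_objectclass="user",
                 mail_attr="mail", dl_attr="member", prefix=""):
    """Same shape as the original line-217 filter; prefix="" is an assumption."""
    return (f"(|(&(objectClass={account_objectclass})({mail_attr}={prefix}{username}))"
            f"(&(objectClass={dl_objectclass})({dl_attr}={prefix}{username}))"
            f"(&(objectClass={dl_objectclass})({dl_attr}={user_dn})))")

def parse(f, i=0):
    """Parse the filter component starting at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(")", i)                 # sample values contain no ')'
    attr, value = f[i:end].split("=", 1)  # a DN value keeps its own '=' signs
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """True if the entry satisfies the parsed filter node (case-insensitive)."""
    if node[0] == "=":
        _, attr, value = node
        return value in (v.lower() for v in entry.get(attr, []))
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def search(ldap_filter):
    """Return the DNs of all constructed entries the filter selects."""
    tree, _ = parse(ldap_filter)
    return [e["dn"] for e in DIRECTORY if matches(tree, e)]

ALICE = ("alice@example.test", "CN=Alice,OU=Staff,DC=example,DC=test")
print("group:", search(build_filter(*ALICE, dl_objectclass="group")))
print("user: ", search(build_filter(*ALICE, dl_objectclass="user")))
```

With 'group', every group object that lists the user's DN in member is returned alongside the user's own entry; with 'user', the two list clauses cannot match a group object, so only the user's entry is returned.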

AW: AW: LDAP Users can see other's mails

2017-11-27 Thread Katterl Christian
I will save my fix – but I think it would be useful for others too.
I wonder that no one came across this issue before?

BR and thanks for your help and support,

Christian




Re: AW: LDAP Users can see other's mails

2017-11-27 Thread Janos SUTO
OK, if it gives you a proper result, then the case is solved. Be sure to save your 
fix in case of a future upgrade. Or I may introduce a configure option to apply 
your fix.

Janos





AW: AW: LDAP Users can see other's mails

2017-11-27 Thread Katterl Christian
Hello,

maybe I have found a solution for this issue.

In /var/www/piler/model/user/auth.php

I changed the line 217, which originally looked like this:

$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());

To only:

$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username)))", array());

I mean - I removed all the group- and distribution-list things.
I am not sure what else this will/could cause (I am not a programmer)?

But from what I saw in a very quick test, now only my personal emails are shown.

BR, Christian

