z-push.net

[banks]

hi,

how can i control the access to my z-push zarafa server?
i want only a group of users which can connect to my zarafa server via z-push

we have that option scalix and exchange have also a access management option.

http://blogs.technet.com/b/exchange/arc ... 11539.aspx


cheers..
.beo

[mku]

Hi banks,

it is not possible with Z-Push 1.X but we are working on a solution for it in Z-Push 2.

Greets, Manfred

[banks]

ok thanks for answer.

have you got a idea if that´s maybe possible with a external solution.
for us is that´s enough if we could have some simple kind of allow option for users.

could i filter that maybe with apache or with some zarafa options (ldap)?

we are starting a migration from scalix -> zarafa and that´s a big security issue for us if we open our mailstore for 400users

[mku]

Hi banks,

the simplest solution would be to add something like $allowed_users or $disallowed_users array to config.php with user names which are allowed or not to use Z-Push (whatever is easier to manage for you). And then add a check to Login function if the user has a permission to sync.

Another option would be to add an attribute to your LDAP scheme (e.g. by extending Zarafa scheme), map it in ldap.propmap.cfg, get this property in Login function and check if the user has a permission to sync.

Greets, Manfred

[banks]

hi,

we have create a patch for that

--- index.php.orig 2011-11-10 12:30:36.000000000 +0000
+++ index.php 2011-11-10 12:31:09.000000000 +0000
@@ -86,6 +86,20 @@
}
$auth_pw = $_SERVER['PHP_AUTH_PW'];

+
+$ds = ldap_connect("ldap://localhost") or die("no connect");
+$dn = "o=company,c=com";
+$filter = "(&(uid=$auth_user)(zarafaEnabledFeatures=zpush))";
+
+$sr = ldap_search($ds, $dn, $filter, array("zarafaEnabledFeatures")) or die("no result");
+
+$allowed = ldap_get_entries($ds, $sr);
+
+if ($allowed["count"] == 0) {
+ $auth_user = "";
+ $auth_pw = "";
+}
+
debugLog("Start");
debugLog("Z-Push version: $zpush_version");
debugLog("Client IP: ". $_SERVER['REMOTE_ADDR']);
@@ -231,4 +245,4 @@

debugLog("end");
debugLog("--------");
-?>
\ Kein Zeilenumbruch am Dateiende.
+?>

but i need a 2nd fiter = deviceid
we want only to allow the access on our comapany iphones.

i could add the deviceid in the zarafaEnabledFeatures but how can i compare it during the authentification (config.php)???

[mku]

Hi banks,

it would be better to do this in Login function and not in the index.php.

You have to save a list of allowed deviceids somewhere. Either as a global list in a text file or you add another attribute to ldap for the user with the allowed deviceid and map it via ldap.propmap.cfg.

Greets, Manfred

[banks]

thanks for the tip manfred!

in which file could i find the login function?

i can´t find anything with grep -i login ...lib/core...

[mku]

Hi branks,

every backend has its own Logon (sorry, it was my typo in the previous post) function. For zarafa it's in backend/zarafa/zarafa.php.

Greets, Manfred