z-push.net

[banks]

hi,

how can i control the access to my z-push zarafa server?
i want only a group of users which can connect to my zarafa server via z-push

we have that option scalix and exchange have also a access management option.

http://blogs.technet.com/b/exchange/arc ... 11539.aspx


cheers..
.beo

[mku]

Hi banks,

it is not possible with Z-Push 1.X but we are working on a solution for it in Z-Push 2.

Greets, Manfred

[banks]

ok thanks for answer.

have you got a idea if that´s maybe possible with a external solution.
for us is that´s enough if we could have some simple kind of allow option for users.

could i filter that maybe with apache or with some zarafa options (ldap)?

we are starting a migration from scalix -> zarafa and that´s a big security issue for us if we open our mailstore for 400users

[mku]

Hi banks,

the simplest solution would be to add something like $allowed_users or $disallowed_users array to config.php with user names which are allowed or not to use Z-Push (whatever is easier to manage for you). And then add a check to Login function if the user has a permission to sync.

Another option would be to add an attribute to your LDAP scheme (e.g. by extending Zarafa scheme), map it in ldap.propmap.cfg, get this property in Login function and check if the user has a permission to sync.

Greets, Manfred

[banks]

hi,

we have create a patch for that

--- index.php.orig 2011-11-10 12:30:36.000000000 +0000
+++ index.php 2011-11-10 12:31:09.000000000 +0000
@@ -86,6 +86,20 @@
}
$auth_pw = $_SERVER['PHP_AUTH_PW'];

+
+$ds = ldap_connect("ldap://localhost") or die("no connect");
+$dn = "o=company,c=com";
+$filter = "(&(uid=$auth_user)(zarafaEnabledFeatures=zpush))";
+
+$sr = ldap_search($ds, $dn, $filter, array("zarafaEnabledFeatures")) or die("no result");
+
+$allowed = ldap_get_entries($ds, $sr);
+
+if ($allowed["count"] == 0) {
+ $auth_user = "";
+ $auth_pw = "";
+}
+
debugLog("Start");
debugLog("Z-Push version: $zpush_version");
debugLog("Client IP: ". $_SERVER['REMOTE_ADDR']);
@@ -231,4 +245,4 @@

debugLog("end");
debugLog("--------");
-?>
\ Kein Zeilenumbruch am Dateiende.
+?>

but i need a 2nd fiter = deviceid
we want only to allow the access on our comapany iphones.

i could add the deviceid in the zarafaEnabledFeatures but how can i compare it during the authentification (config.php)???

[mku]

Hi banks,

it would be better to do this in Login function and not in the index.php.

You have to save a list of allowed deviceids somewhere. Either as a global list in a text file or you add another attribute to ldap for the user with the allowed deviceid and map it via ldap.propmap.cfg.

Greets, Manfred

[banks]

thanks for the tip manfred!

in which file could i find the login function?

i can´t find anything with grep -i login ...lib/core...

[mku]

Hi branks,

every backend has its own Logon (sorry, it was my typo in the previous post) function. For zarafa it's in backend/zarafa/zarafa.php.

Greets, Manfred

[banks]

hi,

i have an issue with restriction script.

i want to add the deviceid as zarafaEnabledFeatures LDAP Attribute to every user who have a company iphone and/or ipad
it seems to work but if i reboot a device its doesn´t work anymore. very strange...

i used the restriction script http://www.isartor.org/wiki/Restrict_Z-Push_usage_per_user from isartor.org but i want to switch from the ldap zpush attribute to deviceid.
i want to allow/filter only our company devices

<?php

$check_user = Request::GetGETUser();
$check_deviceid = Request::GetDeviceID();

// Default value when the user doesn't have the attribute
$default_allow = False;

$ldap_host="localhost";
$ldap_user="xxxxx";
$ldap_pass="xxxxxx";
$ldap_base="dc=xxxxxx,dc=xxx";

// This script will check for this Attribute
//$ldap_result_attr = "zarafaAllowZpush";
$ldap_result_attr = "zarafaEnabledFeatures";

// The Attribute needs the following value to allow ZPush
$ldap_result_attr_true_value = "$check_deviceid";

if ( $check_user != "unknown" ) {
$ldap_filter = "(uid=$check_user)";
//$ldap_filter = "(&(uid=$check_user)(zarafaEnabledFeatures=$check_deviceid))";

$ldap_attributes = array("$ldap_result_attr");

$ldap = ldap_connect("ldap://{$ldap_host}") or die('Could not connect to LDAP server.');

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

@ldap_bind($ldap, "{$ldap_user}", $ldap_pass) or die('Could not bind to LDAP.');


$result = ldap_search($ldap, $ldap_base, $ldap_filter, $ldap_attributes);

$entries = ldap_get_entries($ldap, $result);

//Seems like result attributes need to be addressed lowecase
$ldap_result_attr = strtolower($ldap_result_attr);

$allow_zpush = False;

//DEBUG Setting
//$file = fopen("log.dat", "w");
//fwrite($file, var_export($entries,1));
//fclose($file);



if ($entries["count"] == "0") {
// 0 Results
ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Disallowing z-push for user: $chec
k_user and $check_deviceid");
exit();
} elseif ($entries["count"] > 1) {
// Ambigous result
exit();
} else {
// 1 result: OK
//echo print_r($entries,1);
//echo print_r($entries[0]["count"],1);
if ($entries[0]["count"] == 0) {
//Attribute not found
$allow_zpush = $default_allow;
} else {
for ($i = 0; $i < $entries[0]["$ldap_result_attr"]["count"]; $i++) {
if ($entries[0]["$ldap_result_attr"][$i] == $ldap_result_attr_true_value) {
$allow_zpush = True;
}
}
}
}

ldap_unbind($ldap);


if (! $allow_zpush) {
// Stop script execution if zpush is not allowed
ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Disallowing z-push for user: $check_user $check_deviceid");
exit();
} else {
ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Allowing z-push for user: $check_user $check_deviceid");
}

}

?>