Controlling ActiveSync device or user access


Postby banks » Sat Oct 29, 2011 10:48 am

hi,

How can I control access to my Z-Push/Zarafa server?
I want only a group of users to be able to connect to my Zarafa server via Z-Push.

We have that option in Scalix, and Exchange also has an access management option.

http://blogs.technet.com/b/exchange/arc ... 11539.aspx


cheers..
.beo
banks
 
Posts: 6
Joined: Sat Oct 29, 2011 10:40 am

Re: Controlling ActiveSync device or user access

Postby mku » Sat Oct 29, 2011 5:27 pm

Hi banks,

it is not possible with Z-Push 1.X but we are working on a solution for it in Z-Push 2.

Greets, Manfred
Try using forum search as well!
Please do not PM me asking for support. Use the forum instead. Thank you.
mku
Site Admin
 
Posts: 1343
Joined: Thu Sep 20, 2007 4:48 pm
Location: Belo Horizonte / Brazil

Re: Controlling ActiveSync device or user access

Postby banks » Sun Oct 30, 2011 11:21 am

OK, thanks for the answer.

Have you got an idea whether that's maybe possible with an external solution?
For us it's enough if we could have some simple kind of allow option for users.

Could I filter that maybe with Apache or with some Zarafa options (LDAP)?

We are starting a migration from Scalix -> Zarafa, and it's a big security issue for us if we open our mail store for 400 users.
banks
 

Re: Controlling ActiveSync device or user access

Postby mku » Tue Nov 01, 2011 8:46 pm

Hi banks,

the simplest solution would be to add something like an $allowed_users or $disallowed_users array to config.php with the user names which are allowed or not allowed to use Z-Push (whichever is easier for you to manage), and then add a check to the Login function whether the user has permission to sync.

Another option would be to add an attribute to your LDAP schema (e.g. by extending the Zarafa schema), map it in ldap.propmap.cfg, get this property in the Login function and check whether the user has permission to sync.

Greets, Manfred
mku

Re: Controlling ActiveSync device or user access

Postby banks » Wed Aug 29, 2012 11:54 am

hi,

We have created a patch for that:

--- index.php.orig 2011-11-10 12:30:36.000000000 +0000
+++ index.php 2011-11-10 12:31:09.000000000 +0000
@@ -86,6 +86,20 @@
}
$auth_pw = $_SERVER['PHP_AUTH_PW'];

+
+$ds = ldap_connect("ldap://localhost") or die("no connect");
+$dn = "o=company,c=com";
+$filter = "(&(uid=$auth_user)(zarafaEnabledFeatures=zpush))";
+
+$sr = ldap_search($ds, $dn, $filter, array("zarafaEnabledFeatures")) or die("no result");
+
+$allowed = ldap_get_entries($ds, $sr);
+
+if ($allowed["count"] == 0) {
+ $auth_user = "";
+ $auth_pw = "";
+}
+
debugLog("Start");
debugLog("Z-Push version: $zpush_version");
debugLog("Client IP: ". $_SERVER['REMOTE_ADDR']);
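Review bot: the `$filter = "(&(uid=$auth_user)(zarafaEnabledFeatures=zpush))"` line interpolates the user name taken from the HTTP Basic Auth header into the LDAP filter unescaped, so a crafted user name such as `*)(uid=*` changes the filter's structure (LDAP filter injection); escape it before building the filter, e.g. `ldap_escape($auth_user, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or a hand-written escape of `\`, `*`, `(`, `)` and NUL on older PHP. In the same hunk, `ldap_connect()` is not followed by `ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)` or any `ldap_bind()`, so the search goes out as an anonymous LDAPv2 request, which OpenLDAP rejects unless `allow bind_v2` is configured, and the two `or die(...)` calls then turn a directory failure into an HTTP 200 with a plain-text body instead of a 401/403. Finally, denying by blanking `$auth_user` and `$auth_pw` relies on whatever the code below does with an empty user name; an explicit `header('HTTP/1.1 403 Forbidden'); exit;` states the decision and leaves nothing to interpretation.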
@@ -231,4 +245,4 @@

debugLog("end");
debugLog("--------");
-?>
\ Kein Zeilenumbruch am Dateiende.
+?>
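Review bot: this hunk only appends the newline that was missing after the final `?>`, which is fine as far as it goes, but the closing `?>` is itself the hazard: PHP swallows exactly one newline after it and sends any further whitespace to the client, which for a script that answers with WBXML corrupts the response body; dropping the closing tag from pure-PHP files removes that failure mode entirely.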


But I need a second filter = deviceid.
We only want to allow access from our company iPhones.

I could add the deviceid to zarafaEnabledFeatures, but how can I compare it during the authentication (config.php)???
banks
 

Re: Controlling ActiveSync device or user access

Postby mku » Wed Aug 29, 2012 6:09 pm

Hi banks,

it would be better to do this in Login function and not in the index.php.

You have to save a list of allowed deviceids somewhere. Either as a global list in a text file or you add another attribute to ldap for the user with the allowed deviceid and map it via ldap.propmap.cfg.

Greets, Manfred
mku
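
The following is an added example, not Z-Push code and not from either poster, of the two mechanisms Manfred describes in this reply and in his reply of Nov 01: a deny-by-default check fed by `$allowed_users`/`$disallowed_users` arrays from config.php plus a text file of allowed user/device pairs (his "global list in a text file"), and a correctly escaped LDAP filter for the directory-attribute variant. The array names, the file format, the `isSyncAllowed()`/`deviceFilter()`/`parseDeviceAllowList()` helpers and the sample device IDs are assumptions made for the example; the real inputs would come from the authenticated user name and `Request::GetDeviceID()` inside the backend's Logon(). `ldap_escape()` needs PHP 5.6 or later.

```php
<?php
// Added example (not Z-Push project code): deny-by-default sync authorisation.
// Hypothetical policy arrays, as suggested for config.php. An empty
// $allowed_users means "everyone who is not in $disallowed_users".
$allowed_users    = array('alice', 'bob');
$disallowed_users = array('mallory');

// Constructed sample of the allow-list file: one "user deviceid" per line,
// '#' starts a comment. The IDs only look like the ones iOS/Android send.
$deviceListSample = <<<'TXT'
# user   deviceid
alice    ApplDNQ1234ABCD
alice    ApplF17ABCDEF01
bob      androidc1234567
TXT;

/** Parse the allow-list text into array(user => array(deviceid => true)), lower-cased. */
function parseDeviceAllowList($text) {
    $list = array();
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line === '') {
            continue;
        }
        $parts = preg_split('/\s+/', $line);
        if (count($parts) !== 2) {
            continue; // a malformed line is ignored, never treated as a grant
        }
        list($user, $devid) = $parts;
        $list[strtolower($user)][strtolower($devid)] = true;
    }
    return $list;
}

/**
 * True only if $user may sync with $deviceId. Deny wins: a user listed in
 * $disallowedUsers is blocked whatever device they use, a non-empty
 * $allowedUsers restricts who is considered at all, and the device must be
 * listed for that user. Device IDs are compared case-insensitively because
 * the request and the stored value may differ in case.
 */
function isSyncAllowed($user, $deviceId, array $allowedUsers, array $disallowedUsers, array $deviceList) {
    $u = strtolower(trim($user));
    $d = strtolower(trim($deviceId));
    if ($u === '' || $u === 'unknown') {
        return false; // no usable identity in the request
    }
    if (in_array($u, array_map('strtolower', $disallowedUsers), true)) {
        return false;
    }
    if (!empty($allowedUsers) && !in_array($u, array_map('strtolower', $allowedUsers), true)) {
        return false;
    }
    if ($d === '') {
        return false; // sync requests always carry a DeviceId; refuse when it is missing
    }
    return isset($deviceList[$u][$d]);
}

/** Filter for the LDAP variant; ldap_escape() stops request data from changing the filter structure. */
function deviceFilter($user, $deviceId, $attr = 'zarafaEnabledFeatures') {
    return sprintf('(&(uid=%s)(%s=%s))',
        ldap_escape($user, '', LDAP_ESCAPE_FILTER),
        $attr,
        ldap_escape($deviceId, '', LDAP_ESCAPE_FILTER));
}

// Call site (hypothetical), e.g. at the top of Logon() in backend/zarafa/zarafa.php:
//   if (!isSyncAllowed($user, Request::GetDeviceID(), $allowed_users, $disallowed_users, $devices)) {
//       header('HTTP/1.1 403 Forbidden'); exit;
//   }
if (PHP_SAPI === 'cli') {
    $devices = parseDeviceAllowList($deviceListSample);
    $cases = array(
        array('alice',   'ApplDNQ1234ABCD', true),
        array('alice',   'appldnq1234abcd', true),   // same device, different case
        array('alice',   'ApplUNKNOWN0000', false),  // allowed user, unlisted device
        array('bob',     'ApplDNQ1234ABCD', false),  // listed device, wrong user
        array('carol',   'ApplDNQ1234ABCD', false),  // not in $allowed_users
        array('mallory', 'ApplDNQ1234ABCD', false),  // explicitly disallowed
        array('alice',   '',                false),  // no DeviceId at all
    );
    foreach ($cases as $c) {
        $got = isSyncAllowed($c[0], $c[1], $allowed_users, $disallowed_users, $devices);
        printf("%-8s %-16s allowed=%s\n", $c[0], $c[1], $got ? 'yes' : 'no');
        if ($got !== $c[2]) {
            fwrite(STDERR, "unexpected result for {$c[0]}/{$c[1]}\n");
            exit(1);
        }
    }
    if (function_exists('ldap_escape')) {
        echo deviceFilter('alice', 'ApplDNQ1234ABCD'), "\n";
        echo deviceFilter('*)(uid=*', 'x'), "\n";  // injection attempt comes out inert
    }
}
```

Run it with `php example.php` to see the decision table; the second `deviceFilter()` call shows the escaped form that an unescaped interpolation would have turned into a wildcard filter.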

Re: Controlling ActiveSync device or user access

Postby banks » Thu Aug 30, 2012 8:41 am

Thanks for the tip, Manfred!

In which file could I find the login function?

I can't find anything with grep -i login ...lib/core...
banks
 

Re: Controlling ActiveSync device or user access

Postby mku » Thu Aug 30, 2012 3:16 pm

Hi banks,

every backend has its own Logon (sorry, it was my typo in the previous post) function. For Zarafa it's in backend/zarafa/zarafa.php.

Greets, Manfred
mku

Re: Controlling ActiveSync device or user access

Postby banks » Mon Feb 10, 2014 2:42 pm

Hi,

I have an issue with the restriction script.

I want to add the device ID as a zarafaEnabledFeatures LDAP attribute to every user who has a company iPhone and/or iPad.
It seems to work, but if I reboot a device it doesn't work anymore. Very strange...

I used the restriction script http://www.isartor.org/wiki/Restrict_Z-Push_usage_per_user from isartor.org, but I want to switch from the LDAP zpush attribute to the device ID.
I want to allow/filter only our company devices.


<?php
// Restriction hook included from config.php (adapted from the isartor.org script):
// look up the user in LDAP and let the request continue only if the device ID of
// the current request is one of the values stored in $ldap_result_attr.

$check_user     = Request::GetGETUser();
$check_deviceid = Request::GetDeviceID();

// Default value when the user doesn't have the attribute
$default_allow = false;

$ldap_host = "localhost";
$ldap_user = "xxxxx";
$ldap_pass = "xxxxxx";
$ldap_base = "dc=xxxxxx,dc=xxx";

// This script will check this attribute
//$ldap_result_attr = "zarafaAllowZpush";
$ldap_result_attr = "zarafaEnabledFeatures";

// The attribute needs the following value to allow Z-Push
$ldap_result_attr_true_value = $check_deviceid;

// Requests without a user name are left to Z-Push's own authentication.
if ($check_user != "unknown") {
    // The user name comes from the request: escape it so it cannot change the
    // filter's structure (LDAP filter injection). ldap_escape() needs PHP >= 5.6.
    $ldap_filter = "(uid=" . ldap_escape($check_user, "", LDAP_ESCAPE_FILTER) . ")";
    //$ldap_filter = "(&(uid=" . ldap_escape($check_user, "", LDAP_ESCAPE_FILTER) . ")(zarafaEnabledFeatures=" . ldap_escape($check_deviceid, "", LDAP_ESCAPE_FILTER) . "))";

    $ldap_attributes = array($ldap_result_attr);

    $ldap = ldap_connect("ldap://{$ldap_host}") or die('Could not connect to LDAP server.');

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    @ldap_bind($ldap, $ldap_user, $ldap_pass) or die('Could not bind to LDAP.');

    $result  = ldap_search($ldap, $ldap_base, $ldap_filter, $ldap_attributes);
    $entries = ldap_get_entries($ldap, $result);

    // Result attributes are keyed in lowercase by ldap_get_entries()
    $ldap_result_attr = strtolower($ldap_result_attr);

    $allow_zpush = false;

    //DEBUG setting
    //$file = fopen("log.dat", "w");
    //fwrite($file, var_export($entries, 1));
    //fclose($file);

    if ($entries["count"] == 0) {
        // 0 results
        ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Disallowing z-push for user: $check_user and $check_deviceid");
        header('HTTP/1.1 403 Forbidden');
        exit();
    } elseif ($entries["count"] > 1) {
        // Ambiguous result: more than one entry matched the uid
        ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Ambiguous LDAP result for user: $check_user");
        header('HTTP/1.1 403 Forbidden');
        exit();
    } else {
        // 1 result: OK
        if ($entries[0]["count"] == 0) {
            // Attribute not found
            $allow_zpush = $default_allow;
        } else {
            for ($i = 0; $i < $entries[0][$ldap_result_attr]["count"]; $i++) {
                // Compare case-insensitively: the device ID in the request and the
                // value stored in LDAP may differ in case
                if (strcasecmp($entries[0][$ldap_result_attr][$i], $ldap_result_attr_true_value) == 0) {
                    $allow_zpush = true;
                }
            }
        }
    }

    ldap_unbind($ldap);

    if (!$allow_zpush) {
        // Stop script execution if Z-Push is not allowed; send an explicit 403
        // instead of an empty 200 so the client knows it was rejected
        ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Disallowing z-push for user: $check_user $check_deviceid");
        header('HTTP/1.1 403 Forbidden');
        exit();
    } else {
        ZLog::Write(LOGLEVEL_INFO, "RESTRICT: Allowing z-push for user: $check_user $check_deviceid");
    }
}
banks
 

