Zimbra

lisasali · #1 (**permalink**) 03-31-2011, 02:41 AM

Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??
Just like other mailing system i think it is very important.

lisa

metux · #2 (**permalink**) 02-29-2012, 07:14 PM

Quote:

Originally Posted by lisasali

Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??

We've already done this by a zimlet.

It's yet a bit hackish as it stores the data in the mailboxd node's local mysql database,
we probably should use LDAP instead. But it works quite well, eg. in a big international
bank.

tdesorbaix · #3 (**permalink**) 03-01-2012, 01:52 AM

Here is a simple example zimlet creating a welcome message that show up only the first time the user log in.

This use a zimlet user properties (stored in LDAP) to check if this is the first time the user log in.

metux · #4 (**permalink**) 03-01-2012, 04:25 AM

Quote:

Originally Posted by tdesorbaix

Here is a simple example zimlet creating a welcome message that show up only the first time the user log in :
Attachment 4988

This use a zimlet user properties (stored in LDAP) to check if this is the first time the user log in.

Are you sure, these properties you set on *client* side with the

Quote:

this.setUserProperty(...)

call are really written back to LDAP ?

I really doubt it, as it would be a big security hole.

tdesorbaix · #5 (**permalink**) 03-01-2012, 05:44 AM

If you have doubts, then just use an ldap explorer software and check your ldap.

The user preferences, including zimlets user preferences are in your LDAP.

Why do you think this is a big security hole?

metux · #6 (**permalink**) 03-01-2012, 06:10 AM

Quote:

Originally Posted by tdesorbaix

The user preferences, including zimlets user preferences are in your LDAP.

The question isn't whether they are store in LDAP, but whether the frontend
javascript code can simply overwrite them.

Quote:

Why do you think this is a big security hole?

Because the user then can arbitrarily change them at will.

metux · #7 (**permalink**) 03-01-2012, 06:11 AM

By the way: did you already confirm that they're actually written back to LDAP when changing them this way ?

tdesorbaix · #8 (**permalink**) 03-01-2012, 06:49 AM

Of course the user can change them, since this is user preferences.

Also, you don't even need the javascript frontend.
The changes are made by a soap request (called by the javascript).
So you just need to make the correct soap request.

And yes, I confirm that this overwrite the values in ldap.

metux · #9 (**permalink**) 03-01-2012, 07:38 AM

Quote:

Originally Posted by tdesorbaix

Of course the user can change them, since this is user preferences.

Oh, that really *has* security impact in certain environments (not an unusual
customer requirement in our projects) users should not be allowed to change
certain user properties.

Do you know which things are stored there ?

tdesorbaix · #10 (**permalink**) 03-01-2012, 08:05 AM

It's not like the user can modify everything in the LDAP.
I use the word preferences instead of properties on purpose.

The values the user can modify are the values corresponding to the preferences you can find in the User Web Client preferences tab, and the zimlets user preferences.

As example, there is a user property to enable/disable the Calendar feature, but it can't be changed by the user, only the admins can change it.

Zimbra

Downloads

Product Information

Toolbox

Why Join?