> On Aug 22, 2017, at 7:18 PM, Christian Mack ([email protected]) <[email protected]> wrote:
>
> You can change that.
> Just do _not_ give the administrative account (used to query the
> provided LDAP) read privileges on attribute userPassword.
> It is not necessary anyway, as SOGo does a bind with the password
> provided by the user.

I don’t think this is a good idea. An LDAP dn having read/write privilege to all its own attributes is quite normal, for example, to change the password in self-service applications (we do this in Roundcube webmail too).

Besides, setting ACL in LDAP server is a good idea. If we go this way, we have to create a new bind dn for just SOGo itself, and add one more ACL in the LDAP server to control which LDAP objectClass/attribute it can read. This makes software deployment more complex.

So, why not simply not store unnecessary data in the backup file? This should be the best solution.

----
Zhang Huangbin, founder of iRedMail project: http://www.iredmail.org/
Time zone: GMT+8 (China/Beijing).
Available on Telegram: https://t.me/iredmail

--
[email protected]
https://inverse.ca/sogo/lists
