View Issue Details

ID: 0004257
Project: SOGo
Category: sogo-tool
View Status: public
Last Update: 2022-01-26 19:05
Reporter: zhb
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Summary: 0004257: Security concern? Backup file generated with 'sogo-tool backup' contains full LDIF data of user
Description

We store mail accounts in OpenLDAP. Why does the SOGo backup file contain the full LDIF data of a user, especially the attribute "userPassword"?

I suppose only the uid (full email address) should be enough, because we have an LDAP query filter defined in sogo.conf. SOGo can always get the LDAP dn and full LDIF data with the LDAP query filter and login username; there's no need to store the full LDIF at all.

It becomes a security concern if a sysadmin didn’t realize the backup file contains the (hashed) password and didn’t set proper owner/group and file permissions.

Tags: No tags attached.

Activities

zhb

2017-08-22 06:59

reporter   ~0012203

Last edited: 2022-01-26 19:04

What we're talking about in the backup file:

{
    "ldif_record" = "dn: mail=user@domain.com,ou=users,domainname=domain.com,o=domains,dc=mydc,dc=com
mtatransport: dovecot
accountstatus: active
...

zhb

2021-10-08 03:05

reporter   ~0015535

Dear developers,

Any update?

Christian Mack

2021-10-08 08:00

developer   ~0015537

userPassword was removed a long time ago.
It is still open, because attributes are not restricted to needed ones.

francis

2022-01-26 19:05

administrator   ~0015820

Reopen if necessary.
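
A check an administrator could run over existing backup files, given the two concerns raised in this thread: loose file permissions and LDIF attributes beyond what is needed. This is an added example, not part of the original thread or of SOGo; the `ldif_record` layout is assumed from the excerpt in the note above, and the file name, sample record and hash are constructed.

```python
import os
import re
import stat
import tempfile

SENSITIVE_ATTRS = {"userpassword"}  # the attribute named in the issue
# Heuristic LDIF attribute line: "name: value" or "name:: base64value".
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)::?\s")
# Assumed from the excerpt in the issue: the record opens on its key line.
RECORD_START = re.compile(r'^\s*"?ldif_record"?\s*=\s*"')


def audit_backup(path):
    """Report file mode and LDIF attribute names found in one backup file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    attrs = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = ATTR_LINE.match(RECORD_START.sub("", line))
            if m:
                attrs.add(m.group(1).lower())
    return {
        "mode": oct(mode),
        "group_or_other_access": bool(mode & 0o077),
        "attributes": sorted(attrs),
        "sensitive": sorted(attrs & SENSITIVE_ATTRS),
    }


def demo():
    # Constructed sample in the shape of the issue's excerpt; the hash is fake.
    sample = (
        '{\n    "ldif_record" = "dn: mail=user@domain.com,ou=users,dc=mydc,dc=com\n'
        'mtatransport: dovecot\n'
        'accountstatus: active\n'
        'userPassword: {SSHA}CONSTRUCTED-NOT-A-REAL-HASH\n";\n}\n'
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed-backup")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit_backup(path)
        os.chmod(path, 0o600)
        return loose, audit_backup(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The attribute match is a line-based heuristic, so other backup content shaped like `name: value` will also be listed under `attributes`.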

Issue History

Date Modified | Username | Field | Change
2017-08-22 06:56 | zhb | New Issue |
2017-08-22 06:59 | zhb | Note Added: 0012203 |
2021-10-08 03:05 | zhb | Note Added: 0015535 |
2021-10-08 08:00 | Christian Mack | Note Added: 0015537 |
2022-01-26 19:04 | francis | Note Edited: 0012203 |
2022-01-26 19:05 | francis | Status | new => closed
2022-01-26 19:05 | francis | Resolution | open => no change required
2022-01-26 19:05 | francis | Note Added: 0015820 |