Hello,
me and my friends are creating an association to provide free hosting,
and we are very happy to use your solution.
However, we need a proper mailbox for our users.
I tried to follow your tutorial, i.e. setting up the systems plugin,
then the mail plugin, but it crashes the server as a result...
We use Debian stable, on a dedicated VM.
Once the two plugins installed, I literally cannot start any service,
the VM is barely accessible, and the LDAP is not working anymore.

Did I miss something? Is there any way I could hope to find the bug?

Thank you!

Describe the bug
After configuring either plugin, I notice the master usename and password for the service are stored in an unprotected LDAP attribute, and there is no indication to the user about this fact.

With a standard LDAP configuration, anybody can retrieve these passwords, even without binding to the directory:

$ ldapsearch -x | egrep 'fd(Dovecot|Cyrus)Password:'

fdDovecotPassword: ***
fdCyrusPassword: ***

This is a huge security risk, and should be clearly documented and warned about in the UI. Plus, it is not clear to me what is the actual purpose of this master account access (seems to be only to verify the mail account exists?) and there is no way to disable this functionality, short of removing the plugin(s).

The link "to get help" in the README.md file (displayed as the description page below the GIT listing) just leads to a 404 error. Probably the target web site was restructured.

Hello,

Still using Debian Jessie, configured with fusiondirectory repo :
deb http://repos.fusiondirectory.org/debian-jessie jessie main
Version installed is 1.0.9.1-1.
Plugin SSH installed and fusiondirectory-plugin-ssh-schema installed/inserted on my SLAPD server.

I use a ssh-ldap-pubkey script on my servers to connect using public key authentication.
When I lock a user in fusiondirectory, he can still connect to the server using his private key (no more sudo possible).

I think the way the user is locked is by adding a "! " to the encrypted password, so the ssh keys are not impacted...
It could be OK to do the same thing on all the sshPublicKey attributes of the account ?
ex : ssh-rsa !AAAAB3NzaC1yc2EAAAADAQABAAABAQD....

Or adding a keyword (diabled ?) at the begining of the key ?
ex: disabled-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD....

Regards,

Describe the bug
When a public form with a non-root creation base is used by an invitation that isn't stored on root, the two bases are combined resulting in an (usually) invalid root, causing the form to error. If base is left as an altered field in the public form, it is either similarly not handled correctly, or is ignored entirely, I was not able to verify which in my troubleshooting. It does seem that if you leave the invitation at root, but set a non-root value for the creation base for the public form, it will initially create the user and their registration at the creation base defined in the public form, but then move it to root when you confirm the user.

To Reproduce

1. Create a public form with a creation base other than root
2. Create an invitation that uses that public form and store it somewhere other than root
3. Send that invitation to yourself and fill in the form
4. Assuming the resultant mess of combined base doesn't exist in your directory, the form will fail

Expected behavior
My initial assumption was that the registration and user would be created at the creation base defined in the public form, and would then be moved to the base of the invitation after the registration was confirmed. Failing that, I would expect one or the other value to be respected, and I would expect a value set by an altered field in the public form to overwrite either, since combining them in this way will rarely if ever create a valid base.

Desktop (please complete the following information):

• OS: Windows
• PHP: php 7.4
• PHP provenance: Debian
• Browser Observed in Chrome and Firefox

**Plugin with the defect

• Plugin: public forms, invitations

Additional context
For now my workaround is to leave the creation base in the public form at root, since this allows the system to function, however it is not ideal, considering Fusion Directory's account locks are not true account locks, anything else that attempts to authenticate directly against the LDAP server will allow the account to be used, the only way to truly prevent an account from being used before it is approved is to either make sure it has no privileges at all (by not giving it any group memberships) or by removing it from the search base other applications use to find accounts. Either way, it undermines the usefulness of the account approval process.

Describe the bug

Cannot open the dashboard on a FusionDirectory (version 1.3) installation with the ppolicy plugin installed:

Fatal error:  Uncaught FusionDirectoryException: Could not find ACL for attribute "mail" in /usr/share/fusiondirectory/include/class_objects.inc:89
Stack trace:
#0 /usr/share/fusiondirectory/plugins/addons/dashboard/class_dashBoardPPolicy.inc(113): objects::ls()
#1 /usr/share/fusiondirectory/plugins/addons/dashboard/class_dashBoardPPolicy.inc(70): dashboardPpolicy->compute_accounts_info()
#2 /usr/share/fusiondirectory/include/simpleplugin/class_simpleTabs.inc(92): dashboardPpolicy->__construct()
#3 /usr/share/fusiondirectory/plugins/addons/dashboard/tabs_dashBoard.inc(25): simpleTabs->__construct()
#4 /usr/share/fusiondirectory/include/class_objects.inc(279): tabs_dashboard->__construct()
#5 /usr/share/fusiondirectory/include/simpleplugin/class_simplePlugin.inc(2054): objects::open()
#6 /usr/share/fusiondirectory/plugins/addons/dashboard/main.inc(21): simplePlugin::mainInc()
#7 /usr/share/fusiondirectory/html/main.php(284): require('/usr/share/fusi...')
#8 {main}
thrown in /usr/share/fusiondirectory/include/class_objects.inc on line 89

To Reproduce

Steps to reproduce the behavior:

1. install FusionDirectory,
2. install the ppolicy plugin,
3. log in to the web interface,
4. open the dashboard from the reporting section of the web interface,
5. see error.

Expected behavior

The dashboard is shown.

Server

• OS: Devuan GNU/Linux
• PHP: PHP 7.4.28
• PHP provenance: original Devuan

**Plugin with the defect

• Plugin: ppolicy

Additional context

Workarounds:

1. Install the FusionDirectory mail plugin;
2. Comment out this line:

   fusiondirectory-plugins/ppolicy/addons/dashboard/class_dashBoardPPolicy.inc

   Line 107 in d62a030

   'mail' => 'raw',

Adding a host under systems and under a specific subnet breaks with

PHP Fatal error: Uncaught TypeError: Argument 4 passed to DhcpHostsAttribute::postLdapSave() must be of the type array, string given, called in
/usr/share/fusiondirectory/plugins/admin/systems/class_dhcpSystem.inc on line 405 and defined in /usr/share/fusiondirectory/plugins/admin/systems/class_dhcpSystem.inc:159\nStack trace:\n#0 /usr/share/fusiondirectory/plugins/admin/systems/class_dhcpSystem.inc(405): DhcpHostsAttribute->postLdapSave(Object(ldapMultiplexer), false, false, '10.168.1.20', '10.168.1.20', false, '00:02:d1:08:05:...', '00:02:d1:08:05:...')\n#1 /usr/share/fusiondirectory/include/simpleplugin/class_simplePlugin.inc(1226): dhcpSystem->ldap_save()\n#2 /usr/share/fusiondirectory/include/simpleplugin/class_simpleTabs.inc(430): simplePlugin->save()\n#3 /usr/share/fusiondirectory/include/simpleplugin/class_simpleManagement.inc(828): simpleTabs->save()\n#4 /usr/share/fusiondirectory/include/simpleplugin/class_simpleManagement.inc(945): simpleManagement->applyChanges('apply', Array, Array)\n#5 /usr/share/fusiondirectory/includ in /usr/share/fusiondirectory/plugins/admin/systems/class_dhcpSystem.inc on line 159, referer: http://10.0.173.187/main.php?plug=81

I'm using postfix and need to set catchall email aliases.

In the Users > Mail > Alternative adddresses I need to set values like "@example.com", however when saving I get the error: "The field 'Alternative addresses' contains invalid characters! ". It doesn't appear to accept the leading '@', however this is what postfix needs to setup a catchall address.

Followed directions from here.
It appears that the documentation is referencing non-existent packages. (at least in Debian Buster, which I tried)

With regards to naming conventions, shouldn't the schema package "fusiondirectory-plugin-ipam-fd.schema" be "fusiondirectory-plugin-ipam-fd-schema" instead? Kinda looks like a typo to me.

Irrelevant, but why is Debian Buster still on fusiondirectory 1.2.3-4? Wasn't 1.3 released nearly two years ago?

I've added samba setting for ldap user, but I can't find the setting for samba password on samba tab.

Hi,

A customer of mine has a postfix + spamassassin + dovecot + pigeonhole system using a custom LDAP schema and scripts to manage it. I am in the process of evaluating FD to see if this would solve some of our admin problems, but this is proving very challenging.

This is all using packages from Debian buster (stable), except for FusionDirectory, for which I am using the Debian bullseye (testing) packages.

After days of reading documentation and code, I still can't understand the relationship between the various mail plugins, what exact functionality each one gives, and how to make FD work as I want. This is not a great report, because I am not even sure what the bug(s) are. It is about lack of documentation, implementation problems, and missing functionality. I am close to discarding the idea of using FD completely, and going back to manual LDAP administration.

Some of the problems I have encountered:

• In the services configuration, it is never clear what hostname is used for connections: the system hostname, one of its IP addresses, or the hostname defined in the service itself.
  • It is also not evident why it is mandatory to define IP addresses, when I have DNS for that.
• In the user mail settings, if there are two or more mail services (generic, dovecot or cyrus) within the same server, they all show as a single entry. I can't choose which actual service to use.
  • It is also not clear why does FD need to connect to the service at that point, which is giving me failures all the time as I try to debug this.
• It seems that at some point there was some decent sieve support, and it is still announced in FD description. But after many attempts, it seems it is only used by the cyrus plugin, and only to set a vacation message, without allowing the user to customise the script. Is there any other way? Can I use sieve with dovecot?
• I still do not understand what is the advantage of configuring a dovecot service over a generic imap service. What does the plugin do? The documentation for most plugins is nonexistant.
• I have not found any authoritative documentation of how to link postfix and dovecot to FD. So far I had to guess from the PHP code, but that is not easy to follow either.
• I still don't fully understand what the "Account identification attribute" and "Mail user template" settings are for. I have only seen them used to connect to the IMAP server, but the documentation and contextual help seem to indicate that they are used for account creation.

I am looking for answers to these questions, but more importantly, I think these should all be documented and the weird behaviours fixed.

I noticed that the web interface sanity checks were refusing my ed25519 elliptic curve ssh keys.

Simply changing line 25 in fusiondirectory-plugins/ssh/personal/ssh/class_sshAccount.inc

from:
protected $format = '/^([-[:alnum:]=",.]+\s+)?(disabled-)?(ssh-(dss|rsa)|ecdsa-sha2-nistp\d{3})\s+([[:alnum:]+\/.=]+)(\s+([[:graph:][:space:]]+))?\s*$/';

to:
protected $format = '/^([-[:alnum:]=",.]+\s+)?(disabled-)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp\d{3})\s+([[:alnum:]+\/.=]+)(\s+([[:graph:][:space:]]+))?\s*$/';

allowed me to fix the problem. Maybe consider adding it to a next release?

Hello,
I'm using fusiondirectory with the ppolicy plugin, and I was wondering if it's possible to prevent the admin from changing passwords of other users.
I would like only to rely on the recovery method.
Thanks

Hello,

Using Debian Jessie, configured with fusiondirectory repo :
deb http://repos.fusiondirectory.org/debian-jessie jessie main
Version installed is 1.0.9.1-1.
Plugin SSH installed and fusiondirectory-plugin-ssh-schema installed/inserted on my SLAPD server.

When adding SSH public key to user, if the comment contains one or more space(s), fusiondirectory raises an error : "Unknown public key format!".

Seems to be a problem with the regexp matching key format.
Patch joined.

By the way, \s matches spaces, tabulations, cariage return, new line, vertical tabulation. This can produce bug with this regexp...
fusiondirectory-ssh.patch.zip

Hi,

The main FD page seems to indicate that bug reports should be posted here, but then I see that most reports are in gitlab, and that the only report open here did not get any attention for weeks.

Then, I can't register in gitlab to open a bug report. One of dozens of broken links I have found today: https://register.fusiondirectory.org/

To make things worse, it seems that there is a third bug tracker (redmine), but I can't find its location anywhere.

Seems that LDAP Import/Export plugin can't work with STARTTLS (over 389 port).

I am using next config:

<?xml version="1.0"?>
<conf>
  <!-- Main section **********************************************************
       The main section defines global settings, which might be overridden by
       each location definition inside.

       For more information about the configuration parameters, take a look at
       the FusionDirectory.conf(5) manual page.
  -->
  <main default="default"
        logging="TRUE"
        displayErrors="FALSE"
        forceSSL="FALSE"
        templateCompileDirectory="/var/spool/fusiondirectory/"
        debugLevel="0"
    >

    <!-- Location definition -->
    <location name="default"
        ldapTLS="TRUE"
    >
        <referral URI="ldap://localhost:389/dc=lalala,dc=com"
                        adminDn="cn=admin,dc=lalala,dc=com"
                        adminPassword="p@ssw0rd" />
    </location>
  </main>
</conf>

And through FD I can add/remove/view/etc users using STARTTLS.

Along the lines of #29, it would be nice to be able to add a Google Scholar author identity, which many researchers have. Since you already offer ORCID, I assume that this would be interesting as well.

According to Wikidata:

• Base URL is https://scholar.google.com/citations?user=AUTHOR_ID
• Regex for the AUTHOR_ID is [-_0-9A-Za-z]{12}

Thanks for your great work.

It would be nice to be able to add a GitHub identity. Adding the following class to personal/personal/personal/class_socialHandlers.inc should do the trick:

class socialHandler_github extends socialHandler
{
  static function getName ()
  {
    return _('GitHub');
  }

  protected $baseurl = 'https://github.com';
}

I'm having an issue where if I open a DHCP service right after I create it, then expand "Global options" the dialog goes blank with no way to input any data.

I should mention this is in Debian Wheezy.

What I do:

I have a quite big DNS zone (300 entries). Whenever I add an alias, for instance, I get
"Fatal error: not all POST variables have been transferred by PHP - please inform your administrator!"

I expanded the POST size from 8 to 20 M in php.ini

It works fine on my smaller zones.

Version:
© 2002-2014 The FusionDirectory team, 1.0.6

DSA is a nice plugin to separate system accounts, it would be nice to limit DSA objects with ACLs