[Plugins] - Mail - Zimbra Method: Clarification on Account Lock Behavior When Using Supann
The primary issue arises from the side effect of locking an account via Supann, which in turn triggers a password change. The current Mail Zimbra method checks if the password is locked, and if it is, the mail account is also locked (or other actions are taken, depending on configuration).
When Supann is not in use, this locking mechanism works well, as the "general lock" option on the management page simultaneously locks both the mail account and the user account.
However, since most of us are using Supann, we have two default resources: Mail and Account.
When Supann is active, the Supann resource state for Account (supannRessourceEtat "Compte") can be set to a value other than "Active," which triggers a password change and locks the account. However, and this is a key point, it does not affect the Supann resource state for Mail (supannRessourceEtat "Mail"), meaning that the linked Zimbra mail account is not locked immediately.
The issue arises because, for users not using the Supann plugin, the Zimbra plugin verifies password changes when an account is locked. This results in the mail account being locked even when the Supann mail resource is set to active, which creates inconsistent behavior.
Proposed Solutions
- Restrict Editing of Locked Accounts: The root problem lies in the ability to edit a locked account. Once an account is locked, there should be no need for further edits except to unlock it. We propose a new feature that will prevent any data modifications on a locked account, allowing only the unlocking process.
- Adjust Automatic Mail Account Locking: The automatic locking of the mail account when the password is locked is problematic when Supann is in use. This behavior is only necessary for environments where Supann is not used. Therefore, we propose adding a condition to trigger automatic mail locking only if Supann is not in use. This will preserve the "one-click" lock functionality for non-Supann users.
- Configurable Locking Mechanism for Supann Users: When Supann is installed and in use, only the Account and Mail resources will trigger their respective locking mechanisms. This process can be configured through the Orchestrator task system to automate the lifecycle management and locking of accounts, as needed.
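The decision logic described in this ticket, modelled as an added example (not the plugin's own code): it compares the current mail-lock rule with the proposed one and lists the cases where they disagree. All function names are hypothetical, and the `{RESOURCE}state[:substate]` value syntax, the state code "A" for "Active", and the sample values are assumptions constructed for the illustration.

```python
import re

# Assumed value syntax: "{RESOURCE}state[:substate]", with "A" standing for
# the ticket's "Active". All sample values here are constructed.
_ETAT = re.compile(r"^\{([^}]+)\}([A-Za-z]+)(?::.*)?$")

def resource_states(etat_values):
    """Map resource label -> state code from supannRessourceEtat values."""
    states = {}
    for value in etat_values:
        match = _ETAT.match(value.strip())
        if match:  # malformed values are ignored, not guessed at
            states[match.group(1).upper()] = match.group(2).upper()
    return states

def mail_lock_current(password_locked, supann_in_use, etat_values):
    """Behaviour the ticket describes: a locked password locks the mailbox."""
    return password_locked

def mail_lock_proposed(password_locked, supann_in_use, etat_values):
    """Proposals 2 and 3: the password lock drives the mailbox only without
    Supann; with Supann only the Mail resource state does."""
    if not supann_in_use:
        return password_locked
    # Assumption: a missing Mail resource does not trigger a lock.
    return resource_states(etat_values).get("MAIL", "A") != "A"

def edit_allowed(account_locked, requested_action):
    """Proposal 1: a locked account accepts only the unlock action."""
    return (not account_locked) or requested_action == "unlock"

def divergent_cases(cases):
    """Names of cases where current and proposed decisions differ."""
    return [name for name, args in cases.items()
            if mail_lock_current(*args) != mail_lock_proposed(*args)]

CASES = {  # (password_locked, supann_in_use, supannRessourceEtat values)
    "no-supann-general-lock": (True, False, []),
    "supann-compte-inactive-mail-active": (True, True, ["{COMPTE}I", "{MAIL}A"]),
    "supann-both-inactive": (True, True, ["{COMPTE}I", "{MAIL}I"]),
    "supann-mail-suspended-only": (False, True, ["{COMPTE}A", "{MAIL}S"]),
}

if __name__ == "__main__":
    print(divergent_cases(CASES))
```

The two divergent cases are the ones where the Account and Mail resource states differ; the non-Supann "one-click" lock gives the same result under both rules.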