ACIs Set for Calendar 7 Within the Directory Server Should Be More Restrictive (Doc ID 1525016.1)

Last updated on SEPTEMBER 14, 2016

Applies to:

Oracle Communications Calendar Server - Version 7.0 (JCS 7) and later
Information in this document applies to any platform.

Symptoms

The following document gives an example of a CalDAV "user-to-user read any attribute" ACI:

Adding LDAP Access Control for Calendar Server Features


An ACI built from this example exposes not only social information such as department and memberships, but also password information held in a simple, non-encrypted format (base64) in sunUCExternalMailProfile, if the user has external POP accounts configured with 'store password' enabled.
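An added example, not taken from this note or from Oracle's documentation: a small Python check that flags directory ACIs whose allow rule grants read-type rights on sunUCExternalMailProfile. The ACI strings are constructed samples in Directory Server ACI syntax, and the function names are hypothetical.

```python
import re

SENSITIVE = "sunucexternalmailprofile"  # attribute named in this note
READ_RIGHTS = {"read", "search", "compare", "all"}
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)
_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)

SAMPLE_ACIS = [  # constructed samples, not the ACI from the referenced document
    '(targetattr = "*")(version 3.0; acl "constructed: read any attribute"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
    '(targetattr != "sunUCExternalMailProfile || userPassword")(version 3.0; '
    'acl "constructed: read all but credentials"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
    '(targetattr = "cn || mail || departmentNumber")(version 3.0; '
    'acl "constructed: explicit attribute list"; '
    'allow (read, search, compare) userdn = "ldap:///all";)',
]


def aci_exposes(aci, attr=SENSITIVE):
    """Return True if the ACI's allow rule grants read-type rights on attr."""
    allow = _ALLOW.search(aci)
    if not allow:
        return False  # deny-only ACI grants nothing
    rights = {r.strip().lower() for r in allow.group(1).split(",")}
    if not rights & READ_RIGHTS:
        return False
    target = _TARGETATTR.search(aci)
    if not target:
        return False  # assumption: without targetattr no attribute is targeted
    op, expr = target.groups()
    names = {n.strip().lower() for n in expr.split("||")}
    listed = "*" in names or attr.lower() in names
    return listed if op == "=" else not listed  # "!=" inverts the list


def audit(acis, attr=SENSITIVE):
    """Return the acl name (or raw text) of every ACI that exposes attr."""
    hits = []
    for aci in acis:
        if aci_exposes(aci, attr):
            m = _NAME.search(aci)
            hits.append(m.group(1) if m else aci)
    return hits


if __name__ == "__main__":
    for name in audit(SAMPLE_ACIS):
        print("exposes", SENSITIVE, "->", name)
```

The check does not evaluate the bind rule, so each flagged ACI still needs a review of which users it applies to.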

Cause
