Ralf Becker wrote:
Aleksander Adamowski aleksander.adamowski.egroupware@altkom.pl wrote:
- It seems to me that it still isn’t possible to configure eGroupWare
for the most common scenario of LDAP usage with regards to Addressbook.
This scenario looks like this:
a) eGroupWare authentication is done through LDAP
b) eGroupWare user profiles are in a SQL database
c) Addressbook global, read-only contact list is based on LDAP (on the
same subtree that holds the accounts for “a)”)
d) Addressbook private, writable contacts are in a SQL database.
Not sure why this should be the most commen sencario. Why, for example, do
you want to store the accounts in LDAP and not use them as accounts for eGW.
(That might have made some sense with eGW 1.2, which required that extra
schema, but it makes no sense anymore.)
Well, from my experimenting with the latest Subversion eGW source, I can
see that I have to modify my LDAP directory to yet another new schema:
rfc2307bis.schema, otherwise the Groups won’t work and I won’t be able
to even create the admin account.
So SQL is much simpler to set up with existing LDAP directory - this is
a significant advantage.
Messing with schema on an existing production LDAP server is a bad
idea, it’s risky. It needs extensive testing in a test environment, and
even then, with OpenLDAP, the directory needs to be stopped for a short
time, to export the whole directory to LDIF with slapcat, change the
schema and import the data again. I’ve observed that using slapcat on a
busy, running OpenLDAP directory can corrupt the database 
And using simply LDAP authentication and storing accounts/groups in SQL
is much simpler, and eGroupWare can be easily connected to a running
LDAP directory this way.
BTW, in the rfc2307bis.schema, the attributetype memberUid misses this
one type of match that was present in nis.schema:
caseExactIA5SubstringsMatch
It should look like this:
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid’
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
IMO it should be harmless to add it.
RFC 2307 has it, look for yourself:
http://www.faqs.org/rfcs/rfc2307.html
It seems that it’s missing in Your schema due to some mistake.
Also, You need to mention in phpgwapi/doc/ldap/README that after adding
"objectclass groupOfNames" to every group, all the objects need the
change in “structuralobjectClass:” special attribute (slapcat outputs it).
And there’s no example for giving a special eGroupWare LDAP user write
access to the Groups subtree.
I suggest the following changes to the README (I hope the diff won’t get
messed up by my mail program):
— README 2006-06-19 16:05:31.000000000 +0200
+++ README.olo 2006-06-25 01:06:58.000000000 +0200
@@ -6,7 +6,8 @@
- valid Groups have a posixGroup object class and store there members
in the memberuid attribute.
If you want to use group-addressbooks in LDAP, the ACL requires that
groups get expanded by the LDAP server.
-To do so, we need to use groupOfNames together with posixGroup
(groupOfNames stores the dn, posixGroup only the uid).
+To do so, we need to use groupOfNames together with posixGroup
(groupOfNames stores the dn in the member
+attribute, posixGroup only the uid in the memberUid attribute).
If your LDAP uses the original nis.schema, posixGroup is a structural
object and can NOT be used together!
Newer SuSE distributions use a rfc2307bis schema, which can be used on
other distributions too
(instead of the nis.schema, NOT together). The schema is in the same
directory as this README.
@@ -15,6 +16,7 @@
- create an ldif from your ldap: slapcat > my.ldif
- add objectclass groupOfNames to every group (only the groups!)
± change every occurence of “structuralObjectClass: posixGroup” to
"structuralObjectClass: groupOfNames"
- edit your slapd.conf:
- remove the include of the nis.schema
- include the rfc2307bis.schema in this dir
@@ -26,4 +28,17 @@
eGroupWare detects if it can use groupOfNames together with posixGroup
and fills the member attribute,
if you edit the group or changes the members.
+To create a dedicated LDAP account for eGroupWare, you can use the
following sample LDIF:
+
+dn: cn=eGroupWare,dc=domain,dc=com
+cn: eGroupWare
+objectClass: person
+sn: eGroupWare
+userPassword: SOME_LONG_RANDOM_PASSWORD
+
+To give eGroupWare permission to manage the groups, you can use the
following ACL:
+access to dn.subtree=“ou=groups,dc=domain,dc=com”
Ralf
Specifically the “c)” part seems impossible currently because one has to
choose - store all the Addressbook either in LDAP, or in SQL.
From reading “addressbook/doc/README” I can see, that eGroupWare depens
on a specific directory layout for Addressbook, with branches named
"ou=contacts", “ou=shared”, “ou=personal”. This is an “everything or
nothing” approach - either you restructure your LDAP directory to
eGroupWare requirements, or you don’t connect Addressbook to LDAP at all.
We will later on (not yet coded) allow to support further addressbooks,
which can eg. be readonly.
So your case can simply be accomplished by leaving the standard addressbook
and (if you wish so) the accouns in SQL and just define an extra readonly
LDAP addressbook at a certain dn. These extra addressbook will not require
any structure / hirashy in LDAP.
That would be EXACTLY what I’m talking about. This is also how all the
LDAP clients in mail software work (Mozilla, Outlook, Evolution etc.).
This is how people expect it to work.
I’m looking forward to it - as soon as it arrives in Subversion, I’ll
test it 
In eGroupWare, one cannot do it this way, one cannot hold the public
read-only addres book in LDAP, and private, writable contacs in SQL.
Instead, either everything is in SQL, or everything is in LDAP.
And to accomodate everything in LDAP, there’s a forced layout with a
separate branch for accounts (ou=accounts,o=default) and for the shared
address book (cn=default,ou=shared,ou=contacts,o=default).
Why are they separated? Why can’t Addressbook simply search for contacts
in the same branch which is used for LDAP authentication? This would be
We need the hirashical structur, as we could not implement the necessary ACL
withing the limited possebilities of OpenLDAP on that account.
Note that I was talking about the read-only public address book.
There’s no need for any ACLs in such case - simple anonymous bind (or on
a fixed, dedicated account) will suffice, provided that there are
relevant ACLs that provide read access.
A typical LDAP directory will have those read ACLs in place already,
because a public read-only organization-wide address book is the most
typical LDAP usage scenario.
so much simpler and avoid unnecessary redundancy. There could be just
one LDAP entry instead of two entries for each employee. Two entries
need to be somehow kept in sync and removed together when the employee
leaves the company - who would take care of that?
Here you totaly wrong! We dont require any redundancy, as the accounts tree
is used as an addessbook too. With read access for everyone and write-access
for addmins only. You you no longer need to create your system users again
in the addessbook! This is one of the big benefits of the new addressbook.
Does that mean that if LDAP is used for authentication, the new
Addressbook automatically shows all the accounts present in LDAP,
without further configuration? That would be wonderful! But I cannot get
it to work on my test installation from Subversion.
Maybe I’m doing something wrong - I have the following settings:
type of authentication: LDAP
where you want to store/retrieve use: SQL (tried with LDAP, too)
Usernames are casesensitive: Yes
Auto create account records for authenticated users: Yes
Add auto-created users to this group (‘Default’ will be attempted if
this is empty.):
I go to Addressbook, enter a fragment of my own name in the search
filed, and click search, and nothing is found.
Also, if I store accounts in LDAP, “Add auto-created users to Default
group” doesn’t seem to work - the admin user was added to the Default
group (cn=Default,ou=Groups,ROOT_DN), but an ordinary user isn’t added
to the Default group when he logs in.
My LDAP ACLs are probably OK - eGroupWare managed to add the admin user
to the Default group, only other users aren’t added…
For the rest of the text: Addressbook updates are happening very seldome,
most access is reading and search. Exactly where LDAP is made for. So I cant
follow that arguments.
Well, You’re probably right. Although some large sale departments may
generate quite a significant traffic in their Addressbooks - it’s the
main tool in their job…
What definitely shouldn’t be in LDAP, are the attributes You’ve placed
in phpgwaccount.schema: phpgwAccountLastLogin,phpgwAccountLastLoginFrom.
Updating LDAP with timestamps and IP addresses for all logins would
bring many OpenLDAP installations to a halt - they do updates very slowly!
Look carefully at rfc2307bis.schema: notice that the posixAccount and
shadowAccount objectclasses don’t have any attributes like that - only
the timestamp of lsta password change, which occurs much less frequently
than logins.
This is on purpose - LDAP isn’t designed to handle a continuous stream
of updates along with searches.
–
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers
