Hello EGroupware masters,
we want to try EGroupware CE in our school environment. EGroupware 17.1.20180321
(from download.opensuse.org/repositories/server:/eGroupWare/CentOS_7/) is installed
on CentOS 7 Linux (PHP 5.6.34, MariaDB 5.5.56, Apache httpd 2.4.6).
Perhaps the key point is the need for user authentication against Novell/NetIQ eDirectory,
which can be accessed via an LDAP service. And that's probably the place we cannot get
through.
- EGW installs somehow - all RPM packages were installed, but in
/root/egroupware-epl-install.log there were some problems (maybe not fundamental), see
the log below.
- It was possible to enter the EGW setup URL and log in both as header admin and as
setup/config admin.
- It was possible to log in as a normal user that already existed in eDirectory.
- But it is not possible to log in as the EGW admin account (set by the EGW install to
user 'sysop') with administrative rights. Nor is it possible to create a new EGW admin
account in the setup menu - but I can create a new admin account with the same username
as an existing eDirectory user.
Problems are perhaps caused by the fact that the LDAP root DN has no rights to change
other users' passwords nor to create new users or groups (at least I think so, but I'm
not an expert on eDirectory).
What I see (in a Wireshark packet capture) is that EGW with LDAP authentication
wants to store some account data in LDAP, and some in the SQL DB. But here the LDAP
modifications end with errors - e.g.:
- add to LDAP group cn=Default (gidnumber=1001,uid=dummy) /constraintViolation (NDS error: syntax violation (-613))/
- add to LDAP group cn=Default (gidnumber=1001) /namingViolation (NDS error: bad naming attributes (-646))/
- modify LDAP user password /objectClassViolation (NDS error: illegal attribute (-608))/
The eDirectory LDAP interface should be accessed from EGW (if possible) read-only,
because certain LDAP change operations fail (but these eDirectory
modifications can be made by other eDirectory tools).
In this case, is it possible to use EGW with this LDAP authentication?
The 'egw_accounts' dump shows there are groups "Default" (EGW all-users group),
"Admins" (administrators group) and "NoGroup" for anonymous users - these
groups do not exist in eDirectory (but there are groups with the same purposes,
just different names). Is it possible to use the eDirectory groups instead of
these?
Or, would it help to manually insert some (user/group) objects that EGW expects
(wants to create itself) into eDirectory?
Thanks in advance, Franta
PS: Some details about the EGW installation and the eDirectory LDAP user and group
items:
--------------------------------------------------------------------------
# cat /root/egroupware-epl-install.log
/usr/bin/php -d memory_limit=-1 /usr/share/egroupware/setup/setup-cli.php --admin 'default,admin,i;qsnnY|vY01GG7K,sysop,Ps&=VgNOvhxLM(-s,en’
An error happened:
Installation failed --> exiting!
EGroupware successful updated
/bin/chown: cannot access ‘/var/lib/egroupware/*/files/sqlfs’: No such file or directory
Tue Mar 27 01:36:02 CEST 2018
/bin/chown: cannot access ‘/var/lib/egroupware/*/files/sqlfs’: No such file or directory
EGroupware successful installed
===============================
Please note the following user names and passwords:
Setup username: admin
password: 8bNm?IMg6)118afH
EGroupware username: sysop
password: <-ya1)i2<hC4SsgJ
You can log into EGroupware by pointing your browser to http://localhost/egroupware/
Please replace localhost with the appropriate hostname, if you connect remote.
*** Database has no root password set, please fix that immediatly: mysqladmin -u root password NEWPASSWORD
---------------------------------------------------------------
The eDirectory LDAP export presents users and groups in this form:
# User record:
#--------------
dn: cn=zakp,ou=Z,o=SPSE
homeDirectory: /Home/Zspse/zakp
gecos:: UGF2ZWwgxb3DoWs=
gidNumber: 122
uidNumber: 1219
mail: zakp@spseplzen.cz
uid: zakp
givenName: Peter
fullName:: UGV0ZXIgxb3DoWs=
sn:: xb3DoWs=
securityEquals: cn=3l,ou=Groups,o=SPSE
securityEquals: cn=everyone,ou=Groups,o=SPSE
securityEquals: cn=zaci,ou=Groups,o=SPSE
securityEquals: cn=filr,ou=Groups,o=SPSE
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: kerio-Mail-User
objectClass: posixAccount
groupMembership: cn=2c,ou=Groups,o=SPSE
groupMembership: cn=everyone,ou=Groups,o=SPSE
groupMembership: cn=zaci,ou=Groups,o=SPSE
description:: c3R1ZHVqw61jw60=
cn: zakp
cn:: xb3DoQ==
cn: GP1WT
# Group record:
#--------------
dn: cn=2c,ou=Groups,o=SPSE
gidNumber: 122
equivalentToMe: cn=zakp,ou=Z,o=SPSE
...
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
member: cn=zakp,ou=Z,o=SPSE
...
cn: 3l
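As an added example (not part of Franta's post and not EGroupware's own code): a small Python parser for the kind of LDIF export shown above. It unfolds continuation lines, decodes the base64 "attr::" values, and reports for each entry which RFC 2307 MUST attributes of posixAccount/posixGroup are missing, which group a user's gidNumber points to, and whether a group expresses membership as memberUid or as DN-valued member (groupOfNames style). It assumes only that an LDAP-backed account store relies on those RFC 2307 attributes; whether EGroupware specifically requires memberUid on groups is not stated in the post and should be confirmed against the EGroupware documentation. The sample LDIF is constructed, modelled on the records in the post.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample LDIF, modelled on the eDirectory export quoted in the post
# (attributes trimmed; "attr::" means the value is base64-encoded UTF-8).
SAMPLE_LDIF = """\
# User record
dn: cn=zakp,ou=Z,o=SPSE
homeDirectory: /Home/Zspse/zakp
gecos:: UGF2ZWwgxb3DoWs=
gidNumber: 122
uidNumber: 1219
uid: zakp
sn:: xb3DoWs=
objectClass: inetOrgPerson
objectClass: posixAccount
groupMembership: cn=2c,ou=Groups,o=SPSE
cn: zakp

# Group record
dn: cn=2c,ou=Groups,o=SPSE
gidNumber: 122
objectClass: groupOfNames
objectClass: posixGroup
member: cn=zakp,ou=Z,o=SPSE
cn: 2c
"""

# RFC 2307 MUST attributes for the two POSIX object classes.
USER_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
GROUP_REQUIRED = ("cn", "gidNumber")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into {attribute: [values]} dicts, decoding '::' base64 values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():  # a blank line terminates the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_posix(entries: List[Entry]) -> Dict[str, dict]:
    """Per DN: missing RFC 2307 attributes, the user's primary group resolved
    via gidNumber, and how a group expresses membership."""
    groups_by_gid = {
        e["gidNumber"][0]: e
        for e in entries
        if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e
    }
    findings: Dict[str, dict] = {}
    for e in entries:
        classes = e.get("objectClass", [])
        report = {"missing": [], "primary_group": None, "membership": None}
        if "posixAccount" in classes:
            report["missing"] = [a for a in USER_REQUIRED if a not in e]
            group = groups_by_gid.get(e.get("gidNumber", [None])[0])
            report["primary_group"] = group["dn"][0] if group else None
        elif "posixGroup" in classes:
            report["missing"] = [a for a in GROUP_REQUIRED if a not in e]
            if "memberUid" in e:
                report["membership"] = "memberUid"
            elif "member" in e:
                report["membership"] = "member (DN-valued, groupOfNames style)"
            else:
                report["membership"] = "none"
        findings[e["dn"][0]] = report
    return findings


if __name__ == "__main__":
    for dn, rep in check_posix(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, rep)
```

Run against a real export (for example the output of ldapsearch in LDIF form) to see, before changing anything in the directory, which attributes a read-only account backend could already consume and where the membership model differs from memberUid. Decoding the base64 values also makes the non-ASCII cn/sn/gecos values readable, which matters when comparing what the directory holds against what the SQL side stores.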