Changes
ACL in openldap
Please press 'alt-+', or click on '''+''' link at the top of this page (next to '''edit''') to add a comment.
== ACL in openldap ==
Nice article, however you don't speak about ACL in openldap. This part was the tricky one for me, as you have to mix samba and kolab access to ldap.
If you compare slapd.conf from Samba and Kolab, you'll be able to write a mixed slapd.conf to allow samba and kolab access, but as your users aren't stored in the same place as original kolab installation, you'll have access problem.
In Kolab, your users are stored in the root of the ldap :
cn=test,dc=example,dc=com
In Samba, your users are stored in branch Users or People of your ldap:
cn=test,ou=Users,dc=example,dc=com
or, cn=test,ou=People,dc=example,dc=com
With Kolab, Postfix needs to have nobody access to 3 attributes of your users: mail, alias AND kolabDeleteflag. If your access list is wrong, postfix can't deliver mails to your users.
Either you let the user nobody access your branch Users (security risk?), either you allow nobody to read kolabDeleteflag.
I added this ACL to my slapd.conf to allow Postfix to read kolabDeleteflag attribute :
access to attr=kolabDeleteflag
by group/kolabGroupOfNames="cn=admin,cn=internal,dc=example,dc=com" write
by group/kolabGroupOfNames="cn=maintainer,cn=internal,dc=example,dc=com" write
by * read stop
With correct ACL in my ldap, everything is working like a dream...
Thanks for great work.