Changes

Jump to: navigation, search

Talk:Kolab

1,359 bytes added, 23:35, 21 September 2005
ACL in openldap
Please press 'alt-+', or click on '''+''' link at the top of this page (next to '''edit''') to add a comment.
 
== ACL in openldap ==
 
Nice article, however you don't speak about ACL in openldap. This part was the tricky one for
me, as you have to mix samba and kolab access to ldap.
 
If you compare slapd.conf from Samba and Kolab, you'll be able to write a mixed slapd.conf to
allow samba and kolab access, but as your users aren't stored in the same place as original
kolab installation, you'll have access problem.
 
In Kolab, your users are stored in the root of the ldap :
 
cn=test,dc=example,dc=com
 
In Samba, your users are stored in branch Users or People of your ldap:
 
cn=test,ou=Users,dc=example,dc=com
or, cn=test,ou=People,dc=example,dc=com
 
With Kolab, Postfix needs to have nobody access to 3 attributes of your users: mail, alias
AND kolabDeleteflag. If your access list is wrong, postfix can't deliver mails to your users.
 
Either you let the user nobody access your branch Users (security risk?), either you allow
nobody to read kolabDeleteflag.
 
I added this ACL to my slapd.conf to allow Postfix to read kolabDeleteflag attribute :
 
access to attr=kolabDeleteflag
by group/kolabGroupOfNames="cn=admin,cn=internal,dc=example,dc=com" write
by group/kolabGroupOfNames="cn=maintainer,cn=internal,dc=example,dc=com" write
by * read stop
 
With correct ACL in my ldap, everything is working like a dream...
 
Thanks for great work.
2
edits

Navigation menu