Difference between revisions of "Talk:Kolab"

From WPKG | Open Source Software Deployment and Distribution
Jump to: navigation, search
m (Reverted edit of 216.110.12.175, changed back to last version by WPKGSysop)
Line 1: Line 1:
 
Discussion about '''Samba and Kolab user management using LAM'''.
 
Discussion about '''Samba and Kolab user management using LAM'''.
  
Please press 'alt- ', or click on ''' ''' link at the top of this page (next to '''edit''') to add a comment.
+
Please press 'alt-+', or click on '''+''' link at the top of this page (next to '''edit''') to add a comment.
  
 
== ACL in openldap ==
 
== ACL in openldap ==

Revision as of 20:15, 17 June 2007

Discussion about Samba and Kolab user management using LAM.

Please press 'alt-+', or click on + link at the top of this page (next to edit) to add a comment.

ACL in openldap

Nice article, however you don't speak about ACL in openldap. This part was the tricky one for me, as you have to mix samba and kolab access to ldap.

If you compare slapd.conf from Samba and Kolab, you'll be able to write a mixed slapd.conf to allow samba and kolab access, but as your users aren't stored in the same place as original kolab installation, you'll have access problem.

In Kolab, your users are stored in the root of the ldap :

 cn=test,dc=example,dc=com

In Samba, your users are stored in branch Users or People of your ldap :

 cn=test,ou=Users,dc=example,dc=com
 or, cn=test,ou=People,dc=example,dc=com

With Kolab, Postfix needs to have nobody access to 3 attributes of your users: mail, alias AND kolabDeleteflag. If your access list is wrong, postfix can't deliver mails to your users.

Either you let the user nobody access your branch Users (security risk?), either you allow nobody to read kolabDeleteflag.

I added this ACL to my slapd.conf to allow Postfix to read kolabDeleteflag attribute :

 access to attr=kolabDeleteflag
     by group/kolabGroupOfNames="cn=admin,cn=internal,dc=example,dc=com" write
     by group/kolabGroupOfNames="cn=maintainer,cn=internal,dc=example,dc=com" write
     by * read stop

With correct ACL in my ldap, everything is working like a dream...

Thanks for great work.

Problems with rootdn

I had problems being able to log into the Kolab webadmin (to administer the services, distribution lists, etc.) and also getting the Kolab accounts actually created if I used anything but the default rootdn that Kolab used (cn=manager,cn=internal,dc=...)

I just updated my Samba PDC to use the Kolab default rootdn and all was good.

On another note, on subsequent installs, I would unfortunately get a "Could log in to database; invalid credentials" error. I have not found a solution to that as yet, and it only pops up on some installs :-(

All in all,however, great work!

-Alan Murrell