eGroupWare Addressbook 1.3+ LDAP support
========================================
The new Addressbook requires only the inetOrgPerson schema.
If you want to use extra attributes available in the SQL addressbook
like e.g. the home address, you need to use one of the following supported schemas:
- evolutionPerson used by Evolution (the @evolutionPerson objectClass referenced in the ACL below)
- mozillaAbPersonAlpha used by Thunderbird & Sunbird 1.5+
- mozillaOrgPerson older Mozilla schema (deprecated, but mostly compatible with mozillaAbPersonAlpha)
Please note:
You can (and should) install the evolutionPerson schema together with ONE
of the Mozilla schemas. You can NOT install both Mozilla schemas at the same time!
If the addressbook detects one of these schemas, it fills in the extra fields of that schema.
LDAP layout used for the eGroupWare addressbook
-----------------------------------------------
dc=domain,dc=com base DN of your LDAP server
|
+-o=default base DN for the addressbook of eGroupWare domain / DB instance "default"
| | (specified in Admin >> Addressbook >> Site config)
| |
| +-ou=accounts base DN for accounts (specified in Setup >> Configuration)
| | +-uid=ralf entry for user ralf
| | +-uid=lars entry for user lars
| | +-uid=... other users
| |
| +-ou=groups base DN for groups (specified in Setup >> Configuration)
| | +-cn=Default entry for the group Default
| | +-cn=... other groups
| |
| +-ou=contacts
| |
| +-ou=shared shared addressbooks of the groups
| | +-cn=default addressbook of group Default
| | +-cn=...
| |
| +-ou=personal personal addressbooks of the users
| +-cn=ralf addressbook of user ralf
| +-cn=lars addressbook of user lars
| +-cn=...
|
+-o=other other eGroupWare domain / DB instance
+-...
The contact base DN must include the accounts and groups base DN, otherwise they will not be
searched AND the ACLs given below will NOT work!
The following ACLs in slapd.conf allow:
-------------------------------------
- everyone to read the account addressbook
- each user to edit his own account (incl. password)
- the egwadmin user for each domain to edit all accounts (eGW uses it when admins edit accounts)
- only the owning user to read, edit or delete entries in his personal addressbook
- group members to read, edit or delete entries in their group addressbook
Add or include the rules below after the existing ACL rules in your slapd.conf (slapd applies the first access clause whose target matches, so make sure no earlier rule already covers these DNs).
Please note:
-----------
- You need to replace every dc=domain,dc=com with the base DN your LDAP server uses!!!
- If you want to use the old mozillaOrgPerson schema, you need to replace mozillaAbPersonAlpha in the attrs lists below too!
---------------------------------------------------------------------------------------------------
# Access to the users' personal addressbooks
# allow the owner to read the addressbook entry and the egwadmin account to write it
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" read
by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
by users none
# allow the user to create entries in his own addressbook; no-one else can access it
# needs write access to the CHILDREN pseudo-attribute of the addressbook entry (the regex is not anchored at the start, so presumably it also matches the entries below it) ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=children
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
by users none
# ... and to the ENTRY pseudo-attribute plus the listed schema attributes of the addressbook entry and (regex unanchored at the start) of the contacts below it
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
by users none
# Access to the group addressbooks
# allow group members to read the addressbook entry and the egwadmin account to write it
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
by users none
# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the CHILDREN pseudo-attribute of the addressbook entry (the regex is not anchored at the start, so presumably it also matches the entries below it) ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=children
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by users none
# ... and to the ENTRY pseudo-attribute plus the listed schema attributes of the addressbook entry and (regex unanchored at the start) of the contacts below it
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by users none