2001-05-17 04:31:36 +02:00
|
|
|
/* $Id$ */
|
|
|
|
|
2006-06-08 00:27:22 +02:00
|
|
|
eGroupWare needs no more special LDAP schemas since version 1.3.007:
|
2004-01-08 14:28:00 +01:00
|
|
|
|
2006-06-08 00:27:22 +02:00
|
|
|
- valid eGroupWare users have a posixAccount and shadowAccount object class.
|
|
|
|
- valid Groups have a posixGroup object class and store there members in the memberuid attribute.
|
2004-03-08 00:27:03 +01:00
|
|
|
|
2006-06-18 07:07:10 +02:00
|
|
|
If you want to use group-addressbooks in LDAP, the ACL requires that groups get expanded by the LDAP server.
|
2006-07-01 23:37:09 +02:00
|
|
|
To do so, we need to use groupOfNames together with posixGroup (groupOfNames stores the dn in the member
|
|
|
|
attribute, posixGroup only the uid in the memberUid attribute).
|
2006-06-18 07:07:10 +02:00
|
|
|
If your LDAP uses the original nis.schema, posixGroup is a structural object and can NOT be used together!
|
|
|
|
Newer SuSE distributions use a rfc2307bis schema, which can be used on other distributions too
|
|
|
|
(instead of the nis.schema, NOT together). The schema is in the same directory as this README.
|
|
|
|
|
|
|
|
To change to the rfc2307bis.schema (not needed with newer SuSE distros!):
|
|
|
|
----------------------------------
|
|
|
|
- create an ldif from your ldap: slapcat > my.ldif
|
|
|
|
- add objectclass groupOfNames to every group (only the groups!)
|
2006-07-01 23:37:09 +02:00
|
|
|
- change every occurence of "structuralObjectClass: posixGroup" to "structuralObjectClass: groupOfNames"
|
2006-06-18 07:07:10 +02:00
|
|
|
- edit your slapd.conf:
|
|
|
|
+ remove the include of the nis.schema
|
|
|
|
+ include the rfc2307bis.schema in this dir
|
|
|
|
- stoping ldap
|
|
|
|
- empty the ldap database (eg. by removing the content of /var/lib/ldap)
|
|
|
|
- add the edited ldif file
|
|
|
|
- start ldap again
|
|
|
|
|
|
|
|
eGroupWare detects if it can use groupOfNames together with posixGroup and fills the member attribute,
|
|
|
|
if you edit the group or changes the members.
|
|
|
|
|
2006-07-01 23:37:09 +02:00
|
|
|
To create a dedicated LDAP account for eGroupWare, you can use the following sample LDIF:
|
|
|
|
cn=eGroupWare,dc=domain,dc=com
|
|
|
|
cn: eGroupWare
|
|
|
|
objectClass: person
|
|
|
|
sn: eGroupWare
|
|
|
|
userPassword: SOME_LONG_RANDOM_PASSWORD
|
|
|
|
|
|
|
|
To give eGroupWare permission to manage the groups, you can use the following ACL:
|
|
|
|
access to dn.subtree="ou=groups,dc=domain,dc=com"
|
|
|
|
by dn="cn=eGroupWare,dc=domain,dc=com" write
|
|
|
|
|
2006-06-18 07:07:10 +02:00
|
|
|
Ralf
|