* Addressbook/LDAP: documented how to get ACL for group-addressbooks working without deprecated rfc2307bis schema

Ralf Becker 2012-04-29 15:43:40 +00:00
parent 9d42e85478
commit a2e587ad54


@ -56,12 +56,10 @@ The example acl_addressbook.conf allow:
Please note:
-----------
- The group ACL requires that the used groups have the groupOfNames objectclass with
member attributes containing the dn's of all members! The memberUid attribute of
posixGroup is NOT enough. If you use a distribution other then SuSE, you can NOT
use both objectclasses together, as both are structural objects. You have to use
the alternative rfc2307bis.schema instead of the stock nis.schema to do so.
The README in phpgwapi/doc/ldap describs how to change your ldap accordingly!
- There are two way to archive the group ACL, pick one of them
a) groups use just posixGroup with memberUid containing uid of members
b) groups use groupOfNames with member containing dn of members
(Using deprecated rfc2307bis schema, you can have both, thought you still need to choose how to implement group ACL)
- You need to copy our example acl_addressbook.conf into your openldap conf dir.
- You need to change all dc=domain,dc=com with the base DN your LDAP uses!!!
- If you want to use the old mozillaOrgPerson schema, you need to change it here too!
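Review bot: the replacement text drops the only pointer to how to set up case b) ("The README in phpgwapi/doc/ldap describs how to change your ldap accordingly!" is deleted), so an admin on a distribution whose stock nis.schema forbids combining posixGroup and groupOfNames no longer learns where the groupOfNames/rfc2307bis instructions live; keep one sentence referring to phpgwapi/doc/ldap after item b). The new bullet also has three spelling slips worth fixing before merge: "There are two way to archive" should read "There are two ways to achieve", and "thought you still need to choose" should read "though you still need to choose".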
@ -114,12 +112,13 @@ access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=co
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
by users none
# Access to groups addressbooks
# YOU NEED TO REMOVE EITHER NEXT 3 ACL ENTRIES
# Access to group addressbooks: with just posixGroup (case a) above)
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=domain,dc=com]/memberUid" read
by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
by users none
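Review bot: the comment "# YOU NEED TO REMOVE EITHER NEXT 3 ACL ENTRIES" is misleading for a default install: the next three directives (case a) are active and the alternative block later in the file is already commented out, so nothing has to be removed unless the admin switches to case b). Suggest rewording to something like "# Case a) is active by default; to use case b) comment out the next 3 entries and uncomment the 3 after them", and fixing "groups addressbooks" to "group addressbooks". The new `by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=domain,dc=com]/memberUid" read` clause itself is correct slapd set syntax (intersection of the bound user's uid with the group's memberUid values, non-empty meaning match), but a one-line comment explaining that would help readers who only know group.expand.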
@ -127,11 +126,34 @@ access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=children
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=domain,dc=com]/memberUid" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by set.expand="user/uid & [cn=$1,ou=groups,o=$2,dc=domain,dc=com]/memberUid" write
by users none
# OR THE FOLLOWING 3 ACL ENTRIES, YOU CAN NOT HAVE BOTH!
# Access to group addressbooks: with groupOfNames (case b) above)
#
# allow read of addressbook by members and egwadmin account
#access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
# attrs=entry
# by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
# by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
# by users none
#
# allow members to create entries in there group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
#access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
# attrs=children
# by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
# by users none
#
# ... and the entries CHILDREN
#access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
# attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
# by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
# by users none
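Review bot: the "OR THE FOLLOWING 3 ACL ENTRIES, YOU CAN NOT HAVE BOTH!" comment overstates the conflict: the active case-a directives at the top of this hunk each keep a `by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com"` clause beside the new `by set.expand=...` line, so they already grant access to groupOfNames members as well, and the commented-out case-b block is a strict subset of them. Either remove the group.expand lines from case a so the two cases are genuinely distinct, or rephrase the comment to say the second block is only needed if the memberUid clause is unwanted (with slapd's first-match evaluation of `access to` targets, uncommenting it below the active block would simply never be reached). One more thing to document in the comments: the `attrs=children` and `attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson` directives deliberately have no leading `^` in their dn.regex (unlike the `attrs=entry` one), which is what lets them match the entries below the addressbook container; a short note saying so would stop a future edit from "fixing" the anchor and silently breaking the "... and the entries CHILDREN" rule.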