egroupware_official/addressbook/doc/README
Ralf Becker 5e0d628d93 - added LDAP ACL stuff to the readme
- reworked Admin >> Addressbook >> Site config
- fixed for LDAP and SQL (eg. LDAP error are now forwarded to the UI)
2006-06-13 21:53:00 +00:00

110 lines
4.4 KiB
Plaintext

eGroupWare Addressbook 1.3+ LDAP support
========================================
The new Addressbook requires only the inetOrgPerson schema.
If you want to use extra attributes availible in the SQL addressbook
like eg. the home-address you need to use some other supported schema:
- evolutionOrgPerson used by evolution
- mozillaAbPersonAlpha used by thunderbird & sunbird 1.5+
- mozillaOrgPerson older mozilla schema (depricated, but mostly compatible to mozillaAbPersonAlpha)
Please note:
You can or should install the evolutionPerson schema together with ONE
of the mozilla schemas. You can NOT install both mozilla schema!
If the addressbook detects a schema, it fills the extra fields of that schema.
LDAP layout used for the eGroupWare addressbook
-----------------------------------------------
dc=domain,dc=com base DN of your LDAP server
|
+-o=default base DN for the addressbook of eGroupWare domain / DB instance "default"
| | (specified in Admin >> Addressbook >> Site config)
| |
| +-ou=accounts base DN for accounts (specified in Setup >> Configuration)
| | +-uid=ralf entry for user ralf
| | +-uid=lars entry for user lars
| | +-uid=... other users
| |
| +-ou=groups base DN for groups (specified in Setup >> Configuration)
| | +-cn=Default entry for the group Default
| | +-cn=... other groups
| |
| +ou=contacts
| |
| +-ou=shared shared addressbooks of the groups
| | +-cn=default addressbook of group Default
| | +-cn=...
| |
| +-ou=personal personal addressbooks of the users
| +-cn=ralf addressbook of user ralf
| +-cn=lars addressbook of user lars
| +-cn=...
|
+-o=other other eGroupWare domain / DB instance
+-...
The contact base DN must include the accounts and groups base DN, otherwise they will not be
searched AND the ACL given below does NOT work!
The following ACL in slapd conf allow:
-------------------------------------
- everyone to read the account addressbook
- the user to edit his account (incl. password)
- the egwadmin user for each domain to edit all accounts (eGW uses it when admins edit accounts)
- only the user to read, edit or delete in his personal addressbook
- group-members to read, edit or delete in their group addressbook
Add or include the rows after the line behind the exiting ACL rules in your slapd.conf
Please note:
-----------
- You need to change all dc=domain,dc=com with the base DN your LDAP uses!!!
- If you want to use the old mozillaOrgPerson schema, you need to change it here too!
---------------------------------------------------------------------------------------------------
# Access to users personal addressbooks
# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" read
by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=children
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
by users none
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
by users none
# allow members to create entries in there group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=children
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
by users none