1
0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-12-23 15:18:58 +01:00
egroupware_official/phpgwapi/doc/ldap
2007-06-21 08:58:15 +00:00
..
acl_egw_addressbook.conf bumped phpgwapi version number for new release and added working ldap acl example for egw ldap addressbook 2007-05-15 04:04:38 +00:00
fix-ldap-charset-for-egw1.1.pl fix the handling of charsets in the contacts_ldap class and provide admins with a script, that helps to fix old, corrupted eGW-LDAP-addressbooks. For a description of why and when this is necessary, please read the header of the fix-ldap-charset-for-egw1.1.pl script. This should appear in the release-notes for eGW 1.1. 2005-08-13 21:01:14 +00:00
ldap_init.txt a basic ldap setup example 2003-11-03 23:02:23 +00:00
nis2rfc2307bis.php Patch from Oscar (omgs) to fix bug : nis2rfc2307bis.php produces corrupts output. 2006-12-30 07:25:11 +00:00
README "added note about newer openLDAP with hardcoded uid/gidNumber attribute" 2007-06-21 08:58:15 +00:00
rfc2307bis.schema fixing a syntax error 2006-07-24 07:20:44 +00:00

/* $Id$ */

eGroupWare needs no more special LDAP schemas since version 1.3.007:

- valid eGroupWare users have a posixAccount and shadowAccount object class.
- valid Groups have a posixGroup object class and store there members in the memberuid attribute.

If you want to use group-addressbooks in LDAP, the ACL requires that groups get expanded by the LDAP server.
To do so, we need to use groupOfNames together with posixGroup (groupOfNames stores the dn in the member
attribute, posixGroup only the uid in the memberUid attribute).
If your LDAP uses the original nis.schema, posixGroup is a structural object and can NOT be used together!
Newer SuSE distributions use a rfc2307bis schema, which can be used on other distributions too
(instead of the nis.schema, NOT together). The schema is in the same directory as this README.

To change to the rfc2307bis.schema (not needed with newer SuSE distros!):
----------------------------------
1. create an ldif from your ldap: slapcat > my.ldif
2. run: ./nis2rfc2307bis.php my.ldif > new.ldif
or alternativly edit my.ldif by hand:
- add objectclass groupOfNames to every group (only the groups!)
- change every occurence of "structuralObjectClass: posixGroup" to "structuralObjectClass: groupOfNames"
- add the required (by groupOfNames) member attributes, by using the information from memberUid,
  eg. memberUid: hugo --> member: uid=hugo,ou=account,o=egw,dc=domain,dc=com
--> easier: use the provided script
3. edit your slapd.conf:
  + remove the include of the nis.schema
  + include the rfc2307bis.schema in this dir
4. stoping ldap
5. empty the ldap database (eg. by removing the content of /var/lib/ldap)
6. add the edited ldif file: slapadd -l new.ldif
7. start ldap again

Please note:
-----------
a)	You can use nis2rfc2307bis.php on newer SuSE distros too, to get groupOfNames and the member
	attributes set, without editing & saving each group in Admin >> Manage groups. 
	
b)	Newer openLDAP servers already have uidNumber and gidNumber hardcoded. You have to comment out
	the definition of them in the rfc2307bis.schema file:
	
# disable to accomodate for newer openLDAP servers, which have these values hardcoded
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
#  DESC 'An integer uniquely identifying a user in an administrative domain'
#  EQUALITY integerMatch
#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#  SINGLE-VALUE )
#
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#  DESC 'An integer uniquely identifying a group in an
#        administrative domain'
#  EQUALITY integerMatch
#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
#  SINGLE-VALUE )

eGroupWare detects if it can use groupOfNames together with posixGroup and fills the member attribute,
if you edit the group or changes the members.

To create a dedicated LDAP account for eGroupWare, you can use the following sample LDIF:
cn=eGroupWare,dc=domain,dc=com
cn: eGroupWare
objectClass: person
sn: eGroupWare
userPassword: SOME_LONG_RANDOM_PASSWORD

To give eGroupWare permission to manage the groups, you can use the following ACL:
	access to dn.subtree="ou=groups,dc=domain,dc=com"
		by dn="cn=eGroupWare,dc=domain,dc=com" write

Ralf