diff --git a/phpgwapi/doc/ldap/README b/phpgwapi/doc/ldap/README index 9f18d4cbb6..122ea0de2e 100644 --- a/phpgwapi/doc/ldap/README +++ b/phpgwapi/doc/ldap/README @@ -6,7 +6,8 @@ eGroupWare needs no more special LDAP schemas since version 1.3.007: - valid Groups have a posixGroup object class and store there members in the memberuid attribute. If you want to use group-addressbooks in LDAP, the ACL requires that groups get expanded by the LDAP server. -To do so, we need to use groupOfNames together with posixGroup (groupOfNames stores the dn, posixGroup only the uid). +To do so, we need to use groupOfNames together with posixGroup (groupOfNames stores the dn in the member +attribute, posixGroup only the uid in the memberUid attribute). If your LDAP uses the original nis.schema, posixGroup is a structural object and can NOT be used together! Newer SuSE distributions use a rfc2307bis schema, which can be used on other distributions too (instead of the nis.schema, NOT together). The schema is in the same directory as this README. @@ -15,6 +16,7 @@ To change to the rfc2307bis.schema (not needed with newer SuSE distros!): ---------------------------------- - create an ldif from your ldap: slapcat > my.ldif - add objectclass groupOfNames to every group (only the groups!) +- change every occurence of "structuralObjectClass: posixGroup" to "structuralObjectClass: groupOfNames" - edit your slapd.conf: + remove the include of the nis.schema + include the rfc2307bis.schema in this dir 
@@ -26,4 +28,15 @@ To change to the rfc2307bis.schema (not needed with newer SuSE distros!): eGroupWare detects if it can use groupOfNames together with posixGroup and fills the member attribute, if you edit the group or changes the members. +To create a dedicated LDAP account for eGroupWare, you can use the following sample LDIF: +cn=eGroupWare,dc=domain,dc=com +cn: eGroupWare +objectClass: person +sn: eGroupWare +userPassword: SOME_LONG_RANDOM_PASSWORD + +To give eGroupWare permission to manage the groups, you can use the following ACL: + access to dn.subtree="ou=groups,dc=domain,dc=com" + by dn="cn=eGroupWare,dc=domain,dc=com" write + Ralf diff --git a/phpgwapi/doc/ldap/rfc2307bis.schema b/phpgwapi/doc/ldap/rfc2307bis.schema index aad7d08c5a..3b7d17a217 100644 --- a/phpgwapi/doc/ldap/rfc2307bis.schema +++ b/phpgwapi/doc/ldap/rfc2307bis.schema @@ -79,6 +79,7 @@ attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match + SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
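Review bot: in the first README hunk (@@ -6,7 +6,8) the reworded sentence is correct, but the context line just above it still reads "store there members in the memberuid attribute"; since this paragraph is being touched, change "there" to "their" and write the attribute as "memberUid", matching the name used in the new text.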
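Review bot: the new step in the second README hunk (@@ -15,6 +16,7) has a typo ("occurence" should be "occurrence"), and the procedure is missing a requirement: the step before it adds objectClass groupOfNames to every group, but groupOfNames requires at least one member value, so a group whose LDIF only carries memberUid values will be rejected on import with an object class violation. Suggest inserting a step such as "- make sure every group has at least one member: <dn of a member> attribute" (placeholder dn) before the structuralObjectClass rewrite.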
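Review bot: the sample LDIF in the third README hunk (@@ -26,4 +28,15) is missing the "dn:" prefix on its first line; "cn=eGroupWare,dc=domain,dc=com" by itself is not a valid LDIF record and ldapadd will reject it, so it should read "dn: cn=eGroupWare,dc=domain,dc=com". Two points on the ACL below it: in slapd.conf a line that begins with whitespace is a continuation of the previous directive, so the indented "access to dn.subtree=..." line must start in column 1 (only the "by ..." line should be indented); and since the first "access to" directive matching the entry is the one applied, with only "by dn=... write" every other client is left with no access to ou=groups, so add the intended fallback (for example "by users read") and note that this directive has to come before any more general "access to *" rule. The userPassword line should also say that the value is to be generated hashed with slappasswd rather than written in clear text.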
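Review bot: adding SUBSTRINGS caseExactIA5SubstringsMatch to memberUid in the schema hunk (@@ -79,6 +79,7) changes the attribute's matching rules and is not mentioned anywhere in the README change: substring filters on memberUid, previously undefined, are now evaluated. If slapd.conf carries "index memberUid eq", extend it to "index memberUid eq,sub" and rerun slapindex so those searches are not unindexed scans; this deserves a line in the README.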