forked from extern/egroupware
/* $Id$ */

eGroupWare needs no more special LDAP schemas since version 1.3.007:

- valid eGroupWare users have a posixAccount and shadowAccount object class.
- valid groups have a posixGroup object class and store their members in the memberUid attribute.

If you want to use group addressbooks in LDAP, the ACL requires that groups get expanded by the LDAP server.
To do so, we need to use groupOfNames together with posixGroup (groupOfNames stores the DN in the member
attribute, posixGroup only the uid in the memberUid attribute).
If your LDAP uses the original nis.schema, posixGroup is a structural object class and can NOT be used together with groupOfNames!
Newer SuSE distributions use an rfc2307bis schema, which can be used on other distributions too
(instead of the nis.schema, NOT together with it). The schema is in the same directory as this README.

To change to the rfc2307bis.schema (not needed with newer SuSE distros!):
----------------------------------
1. create an ldif from your ldap: slapcat > my.ldif
2. run: ./nis2rfc2307bis.php my.ldif > new.ldif
   or alternatively edit my.ldif by hand:
   - add objectclass groupOfNames to every group (only the groups!)
   - change every occurrence of "structuralObjectClass: posixGroup" to "structuralObjectClass: groupOfNames"
   - add the required (by groupOfNames) member attributes, by using the information from memberUid,
     eg. memberUid: hugo --> member: uid=hugo,ou=account,o=egw,dc=domain,dc=com
   --> easier: use the provided script
3. edit your slapd.conf:
   + remove the include of the nis.schema
   + include the rfc2307bis.schema in this dir
4. stop ldap
5. empty the ldap database (eg. by removing the content of /var/lib/ldap)
6. add the edited ldif file: slapadd -l new.ldif
7. start ldap again
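
The hand-edit of step 2, as an added Python example that is not the nis2rfc2307bis.php script shipped with eGroupWare (the sample dump is constructed; nis2rfc2307bis, parse_ldif, values and to_ldif are names chosen here). It derives the member DNs from the posixAccount entries actually present in the dump instead of a guessed base DN, and it reports a memberUid with no matching account and a group that would end up without any member, which groupOfNames does not permit, so slapadd would reject it.

```python
# Added example (not eGroupWare's nis2rfc2307bis.php): applies the hand-edit steps
# of step 2 to a slapcat dump and reports what a hand edit would silently get wrong.
SAMPLE = """dn: uid=hugo,ou=account,o=egw,dc=domain,dc=com
objectClass: posixAccount
uid: hugo

dn: cn=Admins,ou=groups,o=egw,dc=domain,dc=com
objectClass: posixGroup
memberUid: hugo
memberUid: ghost
structuralObjectClass: posixGroup
"""  # constructed dump; "ghost" has no account on purpose

def parse_ldif(text):
    entries = []                                             # entry = list of (attr, raw value)
    for block in text.replace("\n ", "").split("\n\n"):      # unfold, then split records
        pairs = [ln.partition(":") for ln in block.splitlines() if ln and not ln.startswith("#")]
        if pairs:
            entries.append([(a, v) for a, _, v in pairs])    # v keeps its leading " " or ":"
    return entries

def values(entry, name):                                     # attribute names are case-insensitive
    return [v.strip() for a, v in entry if a.lower() == name.lower()]

def nis2rfc2307bis(ldif_text):
    """Return (entries, problems): (group dn, uid) for a memberUid without a posixAccount
    in the dump, (group dn, None) for a group left with no member, which groupOfNames forbids."""
    entries = parse_ldif(ldif_text)
    uid2dn = {u: values(e, "dn")[0] for e in entries for u in values(e, "uid")
              if "posixaccount" in map(str.lower, values(e, "objectClass"))}
    problems = []
    for e in entries:
        classes = [c.lower() for c in values(e, "objectClass")]
        if "posixgroup" not in classes:                      # only the groups are changed
            continue
        dn = values(e, "dn")[0]
        e[:] = [(a, " groupOfNames" if a.lower() == "structuralobjectclass" else v) for a, v in e]
        if "groupofnames" not in classes:
            e.append(("objectClass", " groupOfNames"))
        members = values(e, "member")
        for uid in values(e, "memberUid"):
            if uid not in uid2dn:                            # do not invent a dn for it
                problems.append((dn, uid))
            elif uid2dn[uid] not in members:                 # idempotent on a second run
                members.append(uid2dn[uid])
                e.append(("member", " " + uid2dn[uid]))
        if not members: problems.append((dn, None))
    return entries, problems

def to_ldif(entries):
    return "\n\n".join("\n".join(f"{a}:{v}" for a, v in e) for e in entries) + "\n"
```

Running it a second time over its own output makes no further changes, so the script can be rerun safely after fixing the reported groups.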

Please note:
-----------
You can use nis2rfc2307bis.php on newer SuSE distros too, to get groupOfNames and the member
attributes set, without editing & saving each group in Admin >> Manage groups.

eGroupWare detects if it can use groupOfNames together with posixGroup and fills the member attribute
if you edit the group or change the members.

To create a dedicated LDAP account for eGroupWare, you can use the following sample LDIF:

dn: cn=eGroupWare,dc=domain,dc=com
cn: eGroupWare
objectClass: person
sn: eGroupWare
userPassword: SOME_LONG_RANDOM_PASSWORD

To give eGroupWare permission to manage the groups, you can use the following ACL:

access to dn.subtree="ou=groups,dc=domain,dc=com"
        by dn="cn=eGroupWare,dc=domain,dc=com" write

Ralf