
eGroupWare Addressbook 1.3+ LDAP support
========================================

The new Addressbook requires only the inetOrgPerson schema.

If you want to use the extra attributes available in the SQL addressbook,
e.g. the home address, you need to use one of the other supported schemas:
- evolutionOrgPerson    used by evolution
- mozillaAbPersonAlpha  used by thunderbird & sunbird 1.5+
- mozillaOrgPerson      older mozilla schema (deprecated, but mostly compatible with mozillaAbPersonAlpha)

Please note:
You can, and should, install the evolutionPerson schema together with ONE
of the mozilla schemas. You can NOT install both mozilla schemas!

If the addressbook detects a schema, it fills the extra fields of that schema.

LDAP layout used for the eGroupWare addressbook
-----------------------------------------------

dc=domain,dc=com    base DN of your LDAP server
|
+-o=default         base DN for the addressbook of eGroupWare domain / DB instance "default"
| |                 (specified in Admin >> Addressbook >> Site config)
| |
| +-ou=accounts     base DN for accounts (specified in Setup >> Configuration)
| | +-uid=ralf      entry for user ralf
| | +-uid=lars      entry for user lars
| | +-uid=...       other users
| |
| +-ou=groups       base DN for groups (specified in Setup >> Configuration)
| | +-cn=Default    entry for the group Default
| | +-cn=...        other groups
| |
| +-ou=contacts
|   |
|   +-ou=shared     shared addressbooks of the groups
|   | +-cn=default  addressbook of group Default
|   | +-cn=...
|   |
|   +-ou=personal   personal addressbooks of the users
|     +-cn=ralf     addressbook of user ralf
|     +-cn=lars     addressbook of user lars
|     +-cn=...
|
+-o=other           other eGroupWare domain / DB instance
  +-...

The addressbook (contact) base DN (o=default above) must contain the accounts and groups
base DNs, otherwise they will not be searched AND the ACL given below does NOT work!

The example acl_addressbook.conf allows:
----------------------------------------
- only the owning user to read, edit or delete entries in his personal addressbook
- group members to read, edit or delete entries in their group addressbook(s)

Please note:
------------
- You need to copy our example acl_addressbook.conf into your OpenLDAP conf dir.
- You need to replace every dc=domain,dc=com with the base DN your LDAP server uses!!!
- If you want to use the old mozillaOrgPerson schema, you need to change it there too!
- You need to include "your" acl_addressbook.conf BEFORE the last acl entry (access to *)
  in your slapd.conf and restart the LDAP server.

This is how the default ACLs in /etc/openldap/slapd.conf on my (SuSE 10.1) system look and
where I included it:

access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

include /etc/openldap/acl_addressbook.conf

access to *
        by * read

---- acl_addressbook.conf --------------------------------------------------------

# Access to users' personal addressbooks

# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry
	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" read
	by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
	by users none

# allow the user to create entries in his own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=children
	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
	by users none

# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
	by users none

# Access to groups' addressbooks

# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
	by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
	by users none

# allow members to create entries in their group addressbooks; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=children
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
	by users none

# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
	by users none
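As an added check (example code, not part of eGroupWare or OpenLDAP), the following Python models how slapd evaluates the rules above for sample bind and target DNs, so the regexes and the include position can be verified before restarting the server. The group membership, the attribute subset of @inetOrgPerson, and the simplified slapd semantics noted in the comments are assumptions.

```python
import re

# Simplified model of how slapd evaluates the dn.regex / group.expand rules in
# acl_addressbook.conf (added example, not eGroupWare or OpenLDAP code).
# Assumptions: patterns are extended, case-insensitive regexes (slapd compiles them
# with REG_ICASE), the first matching "access to" wins, then the first matching "by".
BASE = "dc=domain,dc=com"
PERSONAL = rf"cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),{BASE}$"
SHARED = rf"cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),{BASE}$"
OWNER = f"uid=$1,ou=accounts,o=$2,{BASE}"
MEMBER = f"cn=$1,ou=groups,o=$2,{BASE}"
ADMIN = f"cn=egwadmin,o=$2,{BASE}"
ANY_USER = ("users", None, "none")

# (target dn.regex, attrs, [(by kind, pattern, level), ...]) in file order; "^" only on the container rules
RULES = [
    ("^" + PERSONAL, {"entry"}, [("dn", OWNER, "read"), ("dn", ADMIN, "write"), ANY_USER]),
    (PERSONAL, {"children"}, [("dn", OWNER, "write"), ANY_USER]),
    (PERSONAL, {"entry", "@inetOrgPerson"}, [("dn", OWNER, "write"), ANY_USER]),
    ("^" + SHARED, {"entry"}, [("group", MEMBER, "read"), ("dn", ADMIN, "write"), ANY_USER]),
    (SHARED, {"children"}, [("group", MEMBER, "write"), ANY_USER]),
    (SHARED, {"entry", "@inetOrgPerson"}, [("group", MEMBER, "write"), ANY_USER]),
]

# Constructed stand-ins: group membership for group.expand (lower-cased DNs) and a subset of @inetOrgPerson
GROUPS = {f"cn=default,ou=groups,o=default,{BASE}": {f"uid=ralf,ou=accounts,o=default,{BASE}"}}
OC_ATTRS = {"@inetOrgPerson": {"cn", "sn", "mail", "telephoneNumber"}}

def expand(pattern, m):
    """slapd-style $1/$2 substitution: the matched text is inserted verbatim."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), pattern)

def attr_covered(attrs, attr):
    return attr in attrs or any(attr in OC_ATTRS.get(a, ()) for a in attrs)

def access(bind_dn, target_dn, attr, rules=RULES, groups=GROUPS):  # bind_dn None = anonymous
    for target, attrs, by in rules:
        m = re.search(target, target_dn, re.I)           # unanchored unless the rule has "^"
        if not m or not attr_covered(attrs, attr):
            continue
        for kind, pat, level in by:
            if kind == "dn" and bind_dn and re.search(expand(pat, m), bind_dn, re.I):
                return level
            if kind == "group" and bind_dn and bind_dn.lower() in groups.get(expand(pat, m).lower(), ()):
                return level
            if kind == "users" and bind_dn:              # any authenticated bind
                return level
        return "none"                                    # implicit "by * none"
    return "read"   # no addressbook rule matched: falls through to slapd.conf's "access to * by * read"
```

Calling access() with rules=[] shows what happens when the include is missing or placed after the final "access to *" rule: every authenticated user can read every addressbook.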