LDAP ACL/ ADDRESSBOOK Problems and more

Hi,

I have some huge (for me, but I hope not for the experts in this list)
problems:

First the server config:
- openSuSE 10.3 (x86_64)
- openldap openldap2-2.3.37-7.4
User administration, NFS and also Apache (for company-internal information
websites, not for the "real" web) are running without problems, and 5 clients
(openSuSE 10.3, x86_64 and i586) too; replication is not set up yet,
but this is not the major problem.

1. Problem:

I added a central address book into the LDAP directory. It can be edited
by KAddressBook and also used by Thunderbird from every client, but for
editing the LDAP root login is required (not a good idea, I know, and I
would like to change it) and everyone can read the whole LDAP directory (has
to be changed, too).
I tried to give only users of group "adressbook_write" permission to
edit entries in the "ou=people" part (address book) of LDAP and users of the
"adressbook_read" group the "read" rights. Anyone else should not be
allowed to read or write in "ou=people" or other parts of the LDAP
directory.

This is the section of slapd.conf:
----------------------------------
access to dn.base=""
       by * read

access to dn.base="cn=Subschema"
       by * read

access to attrs=userPassword,userPKCS12
       by self write
       by * auth

access to attrs=shadowLastChange
       by self write
       by * read

access to dn.base="ou=people,dc=LMV,dc=LMV"
       by group="cn=adressbook_read,dc=LMV,dc=LMV" read
       by group="cn=adressbook_write,dc=LMV,dc=LMV" write

access to *
       by * read
-----------------------------------------

I tried it also without "dn.base=" in front of the first line (access to..),
but then user auth. was disabled. What is wrong? Can I delete "access
to * by * read" without disabling the login capability?
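As an added example (not the poster's configuration), below is one way the address-book ACL could be written so that it covers the entries under ou=people rather than only the ou=people entry itself, which is all that dn.base matches; in the posted config the person entries fall through to "access to * by * read" and so stay world-readable. It assumes the two groups are groupOfNames entries listing member DNs (the default for "by group="), that the user accounts live outside ou=people, and that the clients' NSS lookups bind anonymously; none of these is stated in the post.

```conf
# Added example, not the original slapd.conf from the post.
# Assumptions: adressbook_read/adressbook_write are groupOfNames entries
# whose "member" values are user DNs; posixAccount entries live outside
# ou=people; nss_ldap on the clients binds anonymously.

access to dn.base=""
       by * read

access to dn.base="cn=Subschema"
       by * read

# Passwords: the owner may change them, everyone else may only use them
# to bind (auth). These attrs rules must stay above the subtree rule,
# because the first matching "access to" clause decides.
access to attrs=userPassword,userPKCS12
       by self write
       by * auth

access to attrs=shadowLastChange
       by self write
       by * read

# The address book: dn.subtree covers ou=people AND every entry below it.
# "write" implies read, so writers need no second clause.
# "by * none" is the implicit default, written out for clarity.
access to dn.subtree="ou=people,dc=LMV,dc=LMV"
       by group="cn=adressbook_write,dc=LMV,dc=LMV" write
       by group="cn=adressbook_read,dc=LMV,dc=LMV" read
       by * none

# Account data that anonymous NSS lookups need in order to resolve
# users and groups at login. "entry" is the pseudo-attribute that
# controls access to the entry itself; without it the attribute grants
# are useless. Remove this clause if ldap.conf uses a bind DN instead.
access to attrs=entry,objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,gecos,cn,memberUid
       by * read

# Everything else: authenticated users may read, anonymous may not.
access to *
       by users read
       by * none
```

If logins stop working with a configuration like this, the usual cause is that the account entries are inside a subtree the earlier rule now hides, or that the client binds anonymously and a needed attribute is missing from the NSS clause.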

2. Problem:

KAddressBook can access (r/w, only by using root access, simple auth.)
the LDAP address book (ou=people).  Reading is no problem, but when
saving a new entry, KAddressBook shows the busy symbol (mouse cursor)
and the new entry is not shown in KAddressBook, but the entry is saved in
LDAP (it can be read/edited by other applications; ldapbrowser or
others). What's the problem? KAddressBook, user read/write permissions? Or
is it LDAP? To show the new entry in KAddressBook, the program has to be
restarted. But KAddressBook has not crashed or frozen; the user can add
new addresses or show/edit old entries.

3. Problem:

Is any schema available which can handle more (3 or more) email
addresses for every entry?  I cannot figure out if the mozilla schema
(German HowTo and schema taken from:
http://www.pro-linux.de/t_office/openldap-adressbuch.html ) can handle
more than one email entry per person. Is this possible, or is
Thunderbird unable to read more than one email address from LDAP? And if
so, how can I store all addresses from KAddressBook in LDAP (to share them
with other KAddressBook clients)?

4. Auto-login

Some clients were used only by one person/login. With local user
management, openSuSE provides the option to log in a standard user at
boot. Is an automatic user login with LDAP users and LDAP user
management possible?

5. File/dir modes

Is it possible to change the default file mode (644) and dir mode
(755) for LDAP user accounts so that newly generated files get file: 660 and
dir: 770? So that group members can edit files/dirs generated by other
users of the same LDAP-managed group?


Thanks

--
Kind regards

Sebastian Reinhardt