
Re: Addressbook in LDAP ... should be simple right?



OUs are not groups. OUs are organizational units. For groups, consider creating entities with the ObjectClass groupOfNames, part of RFC 2256 (section 7.10) and included in OpenLDAP’s core schema. This requires the attribute “member”, which accepts a list of DNs as group members.

There are other solutions (posixGroup from the NIS schema, for example), but that’s the low-hanging fruit approach.




On Jul 8, 2014, at 12:28 AM, Adam Goryachev <mailinglists@websitemanagers.com.au> wrote:

> I've been messing with LDAP for the past couple of days, and following various online tutorials on how to create an addressbook for Thunderbird in openldap. Sure, this isn't too difficult, and I have it working as a proof of concept. I can use phpldapadmin to create new entries in my addressbook, and these will show up in Thunderbird's addressbook.
> 
> I've also spent the day reading most of the openldap admin guide (250 pages), which eventually I noticed is missing section E, where I'm sure something simple like this would appear.
> 
> However, now I want to organise the addresses into groups.
> eg, say we have the following staff:
> John Smith works in the head office and is the CEO
> Ann Johnson works in the head office and is a general admin person
> Mary Brown works in the branch office and is the state manager
> Jane Martin works in the branch office and is a general admin person
> 
> I want everybody to be listed in a People group...
> I want all four people listed in a Staff group...
> I want John Smith and Mary Brown in a Managers group
> I want John Smith and Ann Johnson in a Head Office group
> I want Mary Brown and Jane Martin in a Branch Office group
> 
> So, I could do this like this:
> dn: dc=example,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: My Organization
> dc: example
> 
> dn: ou=People,dc=example,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: People
> description: All the people
> 
> dn: ou=Staff,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: Staff
> 
> dn: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: mozillaAbPersonAlpha
> givenName: John
> sn: Smith
> cn: John Smith
> mail: jsmith@example.com
> 
> etc for other people
> 
> Then I can configure the groups like this:
> 
> dn: cn=Managers,dc=example,dc=com
> cn: Managers
> cn: Managers of example.com
> objectclass: groupOfNames
> member: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
> member: cn=Mary Brown+mail=mbrown@example.com,ou=People,dc=example,dc=com
> 
> However, thunderbird doesn't seem to have any smart way to show this group...
> So, I thought, maybe I could duplicate the "People" and put complete addressbook records into the Managers ou, but then it complains that the same CN already exists, besides the fact that this just seems like a kludge, and not a very "nice" way to achieve this.
> 
> PS, the context is to try and replace MS Outlook with Mozilla Thunderbird. With email in IMAP4, that works well. I can share the calendar from thunderbird to iphones/android phones with http://calendarserver.org/. Now I'm just trying to resolve the "shared contacts" issue, which is currently solved by copying (at login) a pst file from a share to the local users profile, and having that configured to open in outlook (add pst data file). I'd prefer to replace all that with ldap, since thunderbird supports ldap for an addressbook, and it would then update immediately (instead of after next login). Also, long term it would be useful to use ldap for other web based login authentication, squid proxy auth, and/or even windows authentication, but, one step/problem at a time.
> 
> Thank you for any advice or suggestions, or pointers to documentation.
> 
> Regards,
> Adam
> 
> -- 
> Adam Goryachev Website Managers www.websitemanagers.com.au
>
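An added example, not code from either mail: a small Python check for two mistakes slapd rejects in LDIF like the one above, a naming-attribute value in the DN that does not match the entry's attribute (cn=John Smith in the DN versus a misspelled cn) and groupOfNames members that point at entries which do not exist. The sample LDIF is constructed from the mail's entries with both mistakes deliberately present; the reader assumes one attribute per line and no escaped commas in DNs.

```python
"""Added example (not from the thread): catch two LDIF mistakes that slapd
would reject, using entries constructed from the ones in Adam's mail."""
SAMPLE_LDIF = """\
dn: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Smitih
sn: Smith
mail: jsmith@example.com

dn: cn=Managers,dc=example,dc=com
objectClass: groupOfNames
cn: Managers
member: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
member: cn=Jane Martin+mail=jmartin@example.com,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal reader: 'attr: value' per line, blank line ends an entry."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries

def check_ldif(text):
    """List naming-attribute mismatches and dangling groupOfNames members."""
    problems, entries = [], parse_ldif(text)
    known = {dn.lower() for dn, _ in entries}
    for dn, attrs in entries:
        # Each value in the first RDN ('+' joins multi-valued RDNs; escaped
        # commas are assumed absent) must also be an attribute of the entry.
        for part in dn.split(",")[0].split("+"):
            attr, _, value = part.partition("=")
            if value.lower() not in [v.lower() for v in attrs.get(attr.lower(), [])]:
                problems.append(f"{dn}: RDN {attr}={value} not in entry")
        if "groupofnames" in {c.lower() for c in attrs.get("objectclass", [])}:
            # member is mandatory for groupOfNames, so its absence is reported too
            for member in attrs.get("member") or ["<missing>"]:
                if member.lower() not in known:
                    problems.append(f"{dn}: member {member} has no entry")
    return problems
```

Run it over the real LDIF before ldapadd; an empty list means both checks passed.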