LDAP address book - problem with groups

Franta Hanzlík
Hi,
I'm new to Roundcube and still have some confusion about configuring the LDAP
address book. Please, is there somewhere a somewhat detailed description of the
configuration scenarios and individual options?

Now I have something like this (found somewhere on the net):

$config['ldap_public']['public'] = array(
    'name'              => 'Public LDAP Addressbook',
    'hosts'             => array('ldap.mydomain'),
    'base_dn'           => 'o=spse',
    'bind_dn'           => 'cn=binduser,o=myorg',
    'bind_pass'         => 'binduseracces',
    'filter'            => '(&(objectClass=inetOrgPerson)(cn=z*))',
    'sort'              => 'sn',
    'global_search'     => true,
    'fuzzy_search'      => true,
    'groups'            => array(
        'base_dn'         => '',
        'mail'            => '{Mail-Address}@mydomain.com',
        'filter'          => '(&(objectClass=groupOfNames)(Mail-Address=*))',
        'object_classes'  => array("top", "groupOfNames"),
        'class_member_attr' => array(
          'groupofnames'       => 'member',
          'groupofuniquenames' => 'uniquemember'
        ),
    ),
    'name_field' => 'uid',
    'email_field' => 'mail',
    'surname_field' => 'sn',
    'firstname_field' => 'givenName',
    'scope' => 'sub'
);

and although I understand the description for individual people, I do
not even understand the description of groups - this whole block:

    'groups'            => array(
        'base_dn'         => '',
        'mail'            => '{Mail-Address}@mydomain.com',
        'filter'          => '(&(objectClass=groupOfNames)(Mail-Address=*))',
        'object_classes'  => array("top", "groupOfNames"),
        'class_member_attr' => array(
          'groupofnames'       => 'member',
          'groupofuniquenames' => 'uniquemember'
        ),
    ),

- why is it included just where it is?
- what is meant by:

 'object_classes'  => array("top", "groupOfNames"),

? And what is this block:

        'class_member_attr' => array(
          'groupofnames'       => 'member',
          'groupofuniquenames' => 'uniquemember'
        ),

In spite of all the confusion, RC puts something out. But here is what
bothers me and what I need to work differently:

- when I write a recipient address in a new mail, autocompletion offers me
the required group. But when I click on it, what appears in the address bar
is not a single address (groupname@mydomain) but the mail addresses of all
group members! What to do about this?

- in the address book menu, I want to display group names (as it is now), but
not their members (or at least not to all RC users).
Is this possible somehow?

I'm trying Roundcube version 1.3.4, the LDAP DB is a commercial one with a
schema roughly corresponding to the OpenLDAP core, and groups are defined
as:

dn: cn=_groupName_,ou=Groups,o=myorg
Mail-Address: _groupName_
objectClass: groupOfNames
objectClass: Top
objectClass: Mail-Group
member: cn=_user1_,ou=XX,o=myorg
member: cn=_user2_,ou=YY,o=myorg
...
cn: _groupName_

(there isn't a complete mail address - only the part before '@'. All groups
in the address book are in one domain)

Thanks in advance for your help!
Franta Hanzlik
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users
Re: LDAP address book - problem with groups

A.L.E.C
On 02/10/2018 12:03 AM, Franta Hanzlík wrote:

>     'groups'            => array(
>         'base_dn'         => '',
>         'mail'            => '{Mail-Address}@mydomain.com',
>         'filter'          => '(&(objectClass=groupOfNames)(Mail-Address=*))',
>         'object_classes'  => array("top", "groupOfNames"),
>         'class_member_attr' => array(
>           'groupofnames'       => 'member',
>           'groupofuniquenames' => 'uniquemember'
>         ),
>     ),

Here's an example from defaults.inc.php file:

// definition for contact groups (uncomment if no groups are supported)
// for the groups base_dn, the user replacements %fu, %u, %d and %dc work as for base_dn (see above)
// if the groups base_dn is empty, the contact base_dn is used for the groups as well
// -> in this case, assure that groups and contacts are separated due to the concerning filters!
  'groups'  => array(
    'base_dn'           => '',
    'scope'             => 'sub',       // Search mode: sub|base|list
    'filter'            => '(objectClass=groupOfNames)',
    'object_classes'    => array('top', 'groupOfNames'),   // Object classes to be assigned to new groups
    'member_attr'       => 'member',   // Name of the default member attribute, e.g. uniqueMember
    'name_attr'         => 'cn',       // Attribute to be used as group name
    'email_attr'        => 'mail',     // Group email address attribute (e.g. for mailing lists)
    'member_filter'     => '(objectclass=*)',  // Optional filter to use when querying for group members
    'vlv'               => false,      // Use VLV controls to list groups
    'class_member_attr' => array(      // Mapping of group object class to member attribute used in these objects
      'groupofnames'       => 'member',
      'groupofuniquenames' => 'uniquemember'
    ),
  ),


So, there's no such thing as your "composite" 'mail' attribute
specification. A group with an email_attr that contains an email address
will not resolve to members' addresses.

--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer         [http://kolab.org]
Roundcube Webmail Developer   [http://roundcube.net]
----------------------------------------------------
PGP: 19359DC1 # Blog: https://kolabian.wordpress.com
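
An added illustration, not part of the reply above and not Roundcube's own code: a simplified PHP model of how the documented 'groups' options decide whether a group stays one recipient or is replaced by its members. The helper resolve_group() and the $entry array (built from the LDIF in the first message) are assumptions made for this example.

```php
<?php
// Simplified model of the documented option semantics (added example, not Roundcube code).
// resolve_group() is a hypothetical helper; defaults are from the excerpt above.
$defaults = array(
    'member_attr'       => 'member',
    'name_attr'         => 'cn',
    'email_attr'        => 'mail',
    'class_member_attr' => array(
        'groupofnames'       => 'member',
        'groupofuniquenames' => 'uniquemember',
    ),
);

// Group entry constructed from the LDIF in the first message.
$entry = array(
    'cn'           => array('_groupName_'),
    'Mail-Address' => array('_groupName_'),
    'objectClass'  => array('groupOfNames', 'Top', 'Mail-Group'),
    'member'       => array('cn=_user1_,ou=XX,o=myorg', 'cn=_user2_,ou=YY,o=myorg'),
);

function resolve_group(array $entry, array $groups_cfg, array $defaults)
{
    // Keys outside the documented list (such as 'mail') are ignored by the model.
    $cfg = array_merge($defaults, array_intersect_key($groups_cfg, $defaults));

    // Choose the member attribute from the entry's object classes (keys are lower case).
    $member_attr = $cfg['member_attr'];
    foreach ($entry['objectClass'] as $class) {
        $key = strtolower($class);
        if (isset($cfg['class_member_attr'][$key])) {
            $member_attr = $cfg['class_member_attr'][$key];
        }
    }

    $name   = $entry[$cfg['name_attr']][0];
    $emails = isset($entry[$cfg['email_attr']]) ? $entry[$cfg['email_attr']] : array();
    if (!empty($emails)) {
        // The group has its own address value: it stays a single recipient.
        return array('name' => $name, 'expanded' => false, 'recipients' => $emails);
    }
    // No address value: the group is replaced by its members (DNs here; a client would look up each member's mail).
    $members = isset($entry[$member_attr]) ? $entry[$member_attr] : array();
    return array('name' => $name, 'expanded' => true, 'recipients' => $members);
}

// Case 1: the posted config, where 'mail' is not a documented key and email_attr stays 'mail'.
print_r(resolve_group($entry, array('mail' => '{Mail-Address}@mydomain.com'), $defaults));
// Case 2: email_attr names the directory's attribute, which holds only the part before '@'.
print_r(resolve_group($entry, array('email_attr' => 'Mail-Address'), $defaults));
```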
Re: LDAP address book - problem with groups

Franta Hanzlík
On Sun, 11 Feb 2018 10:23:09 +0100
"A.L.E.C" <[hidden email]> wrote:

> On 02/10/2018 12:03 AM, Franta Hanzlík wrote:
> >     'groups'            => array(
> >         'base_dn'         => '',
> >         'mail'            => '{Mail-Address}@mydomain.com',
> >         'filter'          => '(&(objectClass=groupOfNames)(Mail-Address=*))',
> >         'object_classes'  => array("top", "groupOfNames"),
> >         'class_member_attr' => array(
> >           'groupofnames'       => 'member',
> >           'groupofuniquenames' => 'uniquemember'
> >         ),
> >     ),  
>
> Here's an example from defaults.inc.php file:
>
> // definition for contact groups (uncomment if no groups are supported)
> // for the groups base_dn, the user replacements %fu, %u, %d and %dc work as for base_dn (see above)
> // if the groups base_dn is empty, the contact base_dn is used for the groups as well
> // -> in this case, assure that groups and contacts are separated due to the concerning filters!
>   'groups'  => array(
>     'base_dn'           => '',
>     'scope'             => 'sub',       // Search mode: sub|base|list
>     'filter'            => '(objectClass=groupOfNames)',
>     'object_classes'    => array('top', 'groupOfNames'),   // Object classes to be assigned to new groups
>     'member_attr'       => 'member',   // Name of the default member attribute, e.g. uniqueMember
>     'name_attr'         => 'cn',       // Attribute to be used as group name
>     'email_attr'        => 'mail',     // Group email address attribute (e.g. for mailing lists)
>     'member_filter'     => '(objectclass=*)',  // Optional filter to use when querying for group members
>     'vlv'               => false,      // Use VLV controls to list groups
>     'class_member_attr' => array(      // Mapping of group object class to member attribute used in these objects
>       'groupofnames'       => 'member',
>       'groupofuniquenames' => 'uniquemember'
>     ),
>   ),
>
>
> So, there's no such thing as your "composite" 'mail' attribute
> specification. A group with an email_attr that contains an email address
> will not resolve to members' addresses.

Hi Aleksander,
thanks for your reply - now it is clear. The problem is that the group e-mail
address is stored in the LDAP DB as the user part only (without '@domain'),
and I perhaps cannot change this. Is it solvable somehow?

(something that would replace my "composite" expression. The Dovecot server has
this for it:
https://wiki.dovecot.org/AuthDatabase/LDAP/Userdb?highlight=%28You+can+mix+static+text+with+the+value+returned+from+LDAP%29)

Some form of GAWK gensub() (regexp based substitution) would be IMO best...

And, please, is there some page where those RC '*_attr' are listed/described,
or is it necessary to search in the RC PHP code?
--
Thanks, Franta Hanzlik