[Kolab-devel] kolab_setup (part of Kolab bootstrap rewrite)

Buchan Milne bgmilne at obsidian.co.za
Tue Mar 23 13:32:51 CET 2004


On Tue, 23 Mar 2004, Martin Konold wrote:

> On Tuesday, 23 March 2004 12:08, Bo Thorsen wrote:
> 
> Hi Bo,
> 
> > Generally: What is the difference between the administrator and the
> > manager? Is it a bug to have both? Why are there two?
> 
> Please have a look at:
> 
> Description Architecture:	
> http://kroupware.kde.org/administration-1.0-html/c24.html
> 
> Description of Maintainer:
> 	http://kroupware.kde.org/administration-1.0-html/x122.html
> "a maintainer account can administer all user related settings on the server 
> (except editing the maintainer and administrator groups). So special accounts 
> can be given to people who are responsible to keep the users data up to date 
> on the Kolab server. [...] Also a users name can be changed by the 
> maintainer. Note the difference between the name of a user and his uid and 
> E-Mail address which can not be changed in the web interface. A maintainer 
> can additionally choose if the users data should be made available to the 
> public addressbook."
> 
> Description of Administrator:
> 	http://kroupware.kde.org/administration-1.0-html/x181.html
> "Apart from the actions the maintainer group can perform, the administrator 
> group can also administer basic server settings. The hostname and the domain 
> name of the E-Mail domain can be set in the server menu. Note that changes 
> within those settings directly affect the mail transport system and can 
> result in delivery problems of E-Mails. [...] The administration of the two 
> groups administrator and maintainer is possible from within the menus 
> Administrator or Maintainer. Accounts within the groups can be created or 
> removed. As those accounts do not possess own E-Mail addresses only few 
> information is needed to specify an account. These credentials are first and 
> last name, a password and a uid. [...] Although the Kolab server has the 
> ability to interoperate with legacy clients this behaviour can be turned off. 
> The preferred services of the Kolab server are: POP3S, IMAPS, SIEVE and 
> HTTPS. In legacy mode the services POP3, IMAP, FTP and HTTP are also 
> supported. Within the menu services of the web interface an administrator 
> can disable some or all of the legacy services."
> 
> Last but not least there is the manager account. In contrast to the above 
> groups (Maintainers and Administrators) there is only a single manager. The 
> manager can be considered to be comparable to the root user on unix systems.
> The manager account is not meant to be administered via the webgui. 
> 

My issue with this is that it needlessly pollutes the root of the LDAP 
tree ..

BTW, I have a nice set of ACLs for samba/posix (allowing samba DCs to 
create user accounts, groups and group mappings, so allowing the use of 
User Manager for Domains) and allowing user accounts to create shared 
contacts, using regex-based ACLs, such as:

access to dn="^(.*,)?ou=Contacts,(dc=.+,?)+$$"
        attrs=children,entry,inetOrgPerson
        by dn="uid=.*,ou=People,$2" write
        by * read

I think this is a better approach as it would allow multi-domain support 
on one LDAP tree more easily.

(Of course there would be a number of implications).

Regards,
Buchan
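
Added example, not part of the original message and not Kolab or OpenLDAP code: a small Python model of how the ACL above scopes write access per domain by substituting the captured suffix (`$2`) into the `by` clause. It assumes Python's `re` approximates slapd's regex matching for these DNs, that the `by` pattern is searched as written, and it ignores the `attrs=` restriction; all DNs are constructed samples.

```python
import re

# Patterns copied verbatim from the ACL in the message above.
TARGET_RE = re.compile(r"^(.*,)?ou=Contacts,(dc=.+,?)+$$")
BY_TEMPLATE = "uid=.*,ou=People,$2"


def expand(template, match):
    """Replace $1..$9 with the groups captured from the target DN."""
    return re.sub(r"\$(\d)",
                  lambda m: match.group(int(m.group(1))) or "",
                  template)


def access(bind_dn, target_dn):
    """Return 'write', 'read', or None if this ACL does not cover target_dn."""
    m = TARGET_RE.search(target_dn)
    if m is None:
        return None  # not under ou=Contacts: a later directive would decide
    # The domain suffix of the *target* becomes part of the "who" pattern,
    # so only users under ou=People of that same suffix match.
    who = expand(BY_TEMPLATE, m)
    if bind_dn and re.search(who, bind_dn):
        return "write"
    return "read"  # "by * read", which also covers anonymous binds


# Constructed sample DNs for two domains hosted in one tree.
ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=other,dc=org"
CONTACT_COM = "cn=Jane Doe,ou=Contacts,dc=example,dc=com"
CONTACT_ORG = "cn=Supplier,ou=Contacts,dc=other,dc=org"


def demo():
    """Evaluate the ACL for each (bind DN, target DN) pair."""
    cases = [(ALICE, CONTACT_COM), (BOB, CONTACT_COM),
             (BOB, CONTACT_ORG), ("", CONTACT_COM), (ALICE, ALICE)]
    return [(b or "<anonymous>", t, access(b, t)) for b, t in cases]


if __name__ == "__main__":
    for bind_dn, target_dn, level in demo():
        print(f"{bind_dn:45} -> {target_dn:45} : {level}")
```

The single directive grants each domain's users write access to their own `ou=Contacts` subtree only, while every identity, including an anonymous bind, gets read access through `by * read`.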



