[Kolab-devel] Allow one domain admin to manage several domains

Timotheus Pokorra timotheus at pokorra.de
Mon Apr 29 17:49:55 CEST 2013


Hello Jeroen,

I have looked at the permissions of domain admins in LDAP in more detail.

In a default installation of Kolab3, this is how the permissions on
cn=kolab,cn=config look like (domains added with webadmin):

[root at kolab ~]# ldapsearch -x -h localhost -D "cn=Directory Manager"
-w "test" -b "cn=kolab,cn=config"  \* nsRole
# extended LDIF
#
# LDAPv3
# base <cn=kolab,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: * nsRole
#

# kolab, config
dn: cn=kolab,cn=config
objectClass: top
objectClass: extensibleobject
cn: kolab
aci: (targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,
 search)(userdn = "ldap:///uid=kolab-service,ou=Special Users,dc=test,dc=tbits
 ,dc=net");)

# test.tbits.net, kolab, config
dn: associateddomain=test.tbits.net,cn=kolab,cn=config
objectClass: top
objectClass: domainrelatedobject
associatedDomain: test.tbits.net
aci: (targetattr = "*") (version 3.0;acl "Read Access for test.tbits.net Users
 ";allow (read,compare,search)(userdn = "ldap:///dc=test,dc=tbits,dc=net??sub?
 (objectclass=*)");)

# test2.tbits.net, kolab, config
dn: associateddomain=test2.tbits.net,cn=kolab,cn=config
objectClass: top
objectClass: domainrelatedobject
associatedDomain: test2.tbits.net

# test3.tbits.net, kolab, config
dn: associateddomain=test3.tbits.net,cn=kolab,cn=config
objectClass: top
objectClass: domainrelatedobject
associatedDomain: test3.tbits.net

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

I have tried it: a user from e.g. test2.tbits.net with the role kolab-admin
does not have read permissions on cn=kolab,cn=config.

I have now modified my previous patch: when setting permissions for a
domain admin on another domain, I will add the permissions through an
acl (similar to "Read Access for test.tbits.net Users" above) so that
the domain admin can see the other domain.

I have updated my patch here:
https://gist.github.com/tpokorra/5244642#file-patchmultidomainadmins-patch

And the branch off git master is here:
https://github.com/tpokorra/kolab-wap/commits/admin_for_multiple_domains_V2

It does not read the kolab.conf file anymore.
I also tried to follow your other suggestions from your comments.

Please let me know what you think.

Thanks,
  Timotheus

On 23 April 2013 13:27, Timotheus Pokorra <timotheus at pokorra.de> wrote:
> Hello Jeroen,
>
> thank you for your comments.
> They make good sense, and some answer or confirm questions that I had myself.
>
> I have tried to work on it this week, but I am getting distracted by
> other projects.
>
> I have tried to avoid using kolab.conf for the domain names, made some
> progress, but have not found a presentable solution yet.
> I will let you know next week.
>
> All the best,
>   Timotheus
>
>
>
> On 20 April 2013 13:17, Jeroen van Meeuwen (Kolab Systems)
> <vanmeeuwen at kolabsys.com> wrote:
>> On 2013-04-17 09:08, Timotheus Pokorra wrote:
>>> Hello,
>>>
>>> I hope I have changed as little as possible, and not broken anything
>>> else.
>>>
>>> Please let me know what you think!
>>>
>>
>> Hi Timotheus,
>>
>> I've placed some inline comments on some of the code snippets at
>> https://github.com/tpokorra/kolab-wap/commit/1b70df580177e8f7a86b50adab51b9e244d9106e
>>
>> Kind regards,
>>
>> Jeroen van Meeuwen
>>
>> --
>> Systems Architect, Kolab Systems AG
>>
>> e: vanmeeuwen at kolabsys.com
>> m: +44 74 2516 3817
>> w: http://www.kolabsys.com
>>
>> pgp: 9342 BF08
>>
>> _______________________________________________
>> Kolab-devel mailing list
>> Kolab-devel at kolab.org
>> https://www.intevation.de/mailman/listinfo/kolab-devel
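Added example, not code from this thread or from kolab-wap: a small Python model of the 389-DS `aci` values in Timotheus's ldapsearch output above. It unfolds the LDIF, parses each `aci` into rights, userdn base DN and scope, and evaluates whether a bind DN gets read access to a domain entry under cn=kolab,cn=config, walking up to the parent entry so the "Kolab Services" ACI inherited from cn=kolab,cn=config is honoured. It then builds the ldapmodify LDIF that gives one named admin DN from another domain read access on a domain entry, which is a narrower variant of the "all users below dc=..." ACI quoted in the mail. The sample LDIF, the user DNs and the `uid=admin,...` admin DN are constructed, and the evaluation deliberately models only an allow/userdn subset of the ACI grammar (no deny rules, targetfilter, groups or roles).

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample modelled on the ldapsearch output in the mail above;
# continuation lines start with one space, as in real LDIF output.
SAMPLE_LDIF = """\
dn: cn=kolab,cn=config
aci: (targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,
 search)(userdn = "ldap:///uid=kolab-service,ou=Special Users,dc=test,dc=tbits
 ,dc=net");)

dn: associateddomain=test.tbits.net,cn=kolab,cn=config
associatedDomain: test.tbits.net
aci: (targetattr = "*") (version 3.0;acl "Read Access for test.tbits.net Users
 ";allow (read,compare,search)(userdn = "ldap:///dc=test,dc=tbits,dc=net??sub?
 (objectclass=*)");)

dn: associateddomain=test2.tbits.net,cn=kolab,cn=config
associatedDomain: test2.tbits.net
"""

Entries = Dict[str, Dict[str, List[str]]]
# userdn is the normalised base DN of the ldap:/// URL; scope is "base" or "sub"
AciGrant = NamedTuple("AciGrant", [("name", str), ("rights", Tuple[str, ...]),
                                   ("userdn", str), ("scope", str)])

def normalize_dn(dn: str) -> str:
    # Lower-case and strip whitespace around RDN separators for comparison.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_entries(text: str) -> Entries:
    # Unfold RFC 2849 continuation lines, then collect {dn: {attr: [values]}}.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Entries = {}
    current: Optional[Dict[str, List[str]]] = None
    for line in lines:
        if not line.strip():
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = entries.setdefault(normalize_dn(value), {})
            elif current is not None:
                current.setdefault(attr, []).append(value)
    return entries

# Only the 'acl "...";allow (rights)(userdn = "ldap:///dn[?attrs?scope?filter]")'
# subset of the 389-DS ACI grammar is modelled; the URL filter is ignored.
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]*)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(\s*userdn\s*=\s*"ldap:///(?P<dn>[^"?]*)'
    r'(?:\?[^?]*\?(?P<scope>[^?]*)\?[^"]*)?"\s*\)', re.IGNORECASE)

def parse_aci(value: str) -> Optional[AciGrant]:
    m = ACI_RE.search(value)
    if not m:
        return None
    rights = tuple(r.strip().lower() for r in m.group("rights").split(","))
    scope = (m.group("scope") or "base").strip().lower()
    return AciGrant(m.group("name"), rights, normalize_dn(m.group("dn")), scope)

def dn_in_scope(bind_dn: str, base_dn: str, scope: str) -> bool:
    user, base = normalize_dn(bind_dn), normalize_dn(base_dn)
    if scope == "base":
        return user == base
    return user == base or user.endswith("," + base)  # sub: base or below it

def can_read(entries: Entries, entry_dn: str, bind_dn: str) -> bool:
    # Simplified evaluation: an allow-read ACI on the entry or any ancestor whose
    # userdn covers bind_dn grants access (no deny rules, targetfilter or roles).
    parts = normalize_dn(entry_dn).split(",")
    for i in range(len(parts)):  # the entry itself, then each parent
        for value in entries.get(",".join(parts[i:]), {}).get("aci", []):
            g = parse_aci(value)
            if g and "read" in g.rights and dn_in_scope(bind_dn, g.userdn, g.scope):
                return True
    return False

def grant_cross_domain_read(entries: Entries, domain: str, admin_dn: str) -> str:
    # Grant one named admin DN read on the domain entry (narrower than the "all
    # users below dc=..." ACI, since only that bind DN matches userdn), record
    # it in the local model and return the LDIF to feed to ldapmodify.
    dn = "associateddomain=%s,cn=kolab,cn=config" % domain
    aci = ('(targetattr = "*") (version 3.0;acl "Cross-domain read on %s for %s";'
           'allow (read,compare,search)(userdn = "ldap:///%s");)'
           % (domain, admin_dn, admin_dn))
    entries.setdefault(normalize_dn(dn), {}).setdefault("aci", []).append(aci)
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (dn, aci)

if __name__ == "__main__":
    e = parse_entries(SAMPLE_LDIF)
    entry = "associateddomain=test.tbits.net,cn=kolab,cn=config"
    admin = "uid=admin,ou=People,dc=test2,dc=tbits,dc=net"  # constructed DN
    print(can_read(e, entry, admin))  # False: no ACI covers a test2 user
    print(grant_cross_domain_read(e, "test.tbits.net", admin))
    print(can_read(e, entry, admin))  # True once the ACI is in place
```

The model reproduces the observation in the mail: a test2.tbits.net user is covered by none of the ACIs on the test.tbits.net entry or on cn=kolab,cn=config, while uid=kolab-service sees every domain entry through the inherited "Kolab Services" ACI. The generated LDIF is what you would apply as Directory Manager; binding it to the admin's own DN rather than a whole domain subtree keeps other users of that domain from gaining read on the foreign domain entry.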