[Kolab-devel] Kolab and FreeIPA article

kvaps kvapss at gmail.com
Thu Nov 1 15:40:13 CET 2018 

Hi, article updated.

Patch is not needed anymore, setting unique_attribute to ipauniqueid
fully solves this issue.

There was also some problems, with auto renaming some random users.
Some fields like displayName and uid can be updated by Kolab.
I was updated their type from Generated (read-only) to Normal, now it seems ok.

Hey is that possible to make them readonly but disable automatic
generation for them?

- kvaps
On Thu, Oct 11, 2018 at 11:37 AM kvaps <kvapss at gmail.com> wrote:
>
> Hi Jochen, thanks for your notes,
>
> >Here I think we should create "special users", not normal FreeIPA
> >accounts:
>
> Good point about placing special users to
> `cn=sysaccounts,cn=etc,dc=example,dc=org`, I will review that.
>
> >That way you could leave that out:
> >
> >> Now we can exclude users which ends with -svc from our addressbook:
>
> I still need to receive mail for some service users (not humans), it
> always better to have a way for exclude them from global address book
>
> >Can you elaborate why the pykolab patch is needed?
>
> Yep, I forgot to say about the patch. Without this patch pykolab
> wasn't create mailboxes.
> Sorry, I'm not saved the logs, but if I remember well, there was an
> error something like:
>
>     AttributeError("'bool' object has no attribute 'lower'",)
>
> I found the solution on git.kolab.org for the similar error for the
> attribute "type" and applied it for the "uid" attribute too.
> (can't find this link anymore)
>
> > Do we need to replicate the tree cn=kolab,cn=config to IPA replicas?
>
> This tree contains kolab domain namespaces and aliases configuration.
> In my opinion If this configuration static for you, you can just add
> it to all your servers which kolab can connect to.
> In case if you want to have opportunity to manage domains and add
> aliases any time, you probably should configure replication.
>
> - kvaps
> On Thu, Oct 4, 2018 at 6:44 PM Jochen Hein <jochen at jochen.org> wrote:
> >
> > kvaps <kvapss at gmail.com> writes:
> >
> > > OK, here is my article about Kolab and FreeIPA integration:
> > >
> > > https://medium.com/@kvapss/install-kolab-and-integrate-it-with-freeipa-c80c3b34b7b7
> >
> > Wonderful.  It mostly looks like what I'd do.  Some comments:
> >
> > ,----
> > | On FreeIPA server
> > |
> > | Create users:
> > |
> > |     kolab-svc
> > |     kolab-admin-svc
> > |     cyrus-svc
> > `----
> >
> > Here I think we should create "special users", not normal FreeIPA
> > accounts:
> >
> > dn: uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: nextcloud-fetch
> > userPassword: <password>
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
> >
> > And probably setting rights like that:
> >
> > dn: dc=example,dc=org
> > changetype: modify
> > add: aci
> > aci: (targetattr = "nsuniqueid || dn || uid || telephoneNumber || mobile || mail || sn || givenName || objectClass || displayName || gecos || uid || sn ||ou || dc || cn || homeDirectory") (version 3.0; acl "Kolab user can access some fields."; allow (read,search) userdn = "ldap:///uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org";)
> >
> > That way you could leave that out:
> >
> > > Now we can exclude users which ends with -svc from our addressbook:
> >
> > Can you elaborate why the pykolab patch is needed?
> >
> > Do we need to replicate the tree cn=kolab,cn=config to IPA replicas?
> > That's something we should have in mind.
> >
> > I can add some comments for these:
> >
> > - Using ipa-getcert to get TLS certificates for IMAP, SMTP,
> >   Webmail/Webadmin.  I do run IMAP, SMTP and Kolab on logical hosts -
> >   that makes the configuration interesting :-)
> >
> > - Single-Sign-On for IMAP (I never got roundcube and Kerberos to
> >   cooperate).
> >
> > Thanks for sharing!
> >
> > Jochen
> >
> > --
> > This space is intentionally left blank.
> > _______________________________________________
> > devel mailing list
> > devel at lists.kolab.org
> > https://lists.kolab.org/mailman/listinfo/devel

More information about the devel mailing list