[Kolab-devel] Kolab and FreeIPA article

Jochen Hein jochen at jochen.org
Thu Oct 4 18:43:33 CEST 2018


kvaps <kvapss at gmail.com> writes:

> OK, here is my article about Kolab and FreeIPA integration:
>
> https://medium.com/@kvapss/install-kolab-and-integrate-it-with-freeipa-c80c3b34b7b7

Wonderful.  It mostly looks like what I'd do.  Some comments:

,----
| On FreeIPA server
| 
| Create users:
| 
|     kolab-svc
|     kolab-admin-svc
|     cyrus-svc
`----

Here I think we should create "special users", not normal FreeIPA
accounts:

# System account under cn=sysaccounts: not a person entry, no POSIX attributes
dn: uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org
changetype: add
objectclass: account
objectclass: simplesecurityobject
# the uid attribute must match the RDN in the dn above
uid: <user>
userPassword: <password>
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

And probably setting rights like that:

dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr = "nsuniqueid || dn || uid || telephoneNumber || mobile || mail || sn || givenName || objectClass || displayName || gecos || uid || sn ||ou || dc || cn || homeDirectory") (version 3.0; acl "Kolab user can access some fields."; allow (read,search) userdn = "ldap:///uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org";)

That way you could leave that out:

> Now we can exclude users which end with -svc from our addressbook:

Can you elaborate why the pykolab patch is needed?

Do we need to replicate the tree cn=kolab,cn=config to IPA replicas?
That's something we should have in mind.

I can add some comments for these:

- Using ipa-getcert to get TLS certificates for IMAP, SMTP,
  Webmail/Webadmin.  I do run IMAP, SMTP and Kolab on logical hosts -
  that makes the configuration interesting :-)

- Single-Sign-On for IMAP (I never got roundcube and Kerberos to
  cooperate).

Thanks for sharing!

Jochen

-- 
This space is intentionally left blank.
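As an added example (not code from the post or from Kolab/FreeIPA), the following script builds the system-account entry and the read-only ACI discussed above from a service-account name, and checks that the resulting ACI grants nothing beyond read/search on the listed attributes. The base DN and attribute list come from the thread; the helper functions are this example's own.

```python
"""Generate a FreeIPA cn=sysaccounts entry plus a least-privilege ACI
as LDIF, and verify the ACI before loading it (added example)."""
import re

BASE_DN = "dc=example,dc=org"  # base DN as used in the post
SYSACCOUNTS = f"cn=sysaccounts,cn=etc,{BASE_DN}"
# attributes the Kolab service account may read (deduplicated from the post)
KOLAB_READ_ATTRS = ["nsuniqueid", "dn", "uid", "telephoneNumber", "mobile",
                    "mail", "sn", "givenName", "objectClass", "displayName",
                    "gecos", "ou", "dc", "cn", "homeDirectory"]

def sysaccount_ldif(uid, password, expires="20380119031407Z"):
    """LDIF adding a non-person system account; uid must match the RDN."""
    dn = f"uid={uid},{SYSACCOUNTS}"
    return "\n".join([
        f"dn: {dn}", "changetype: add", "objectclass: account",
        "objectclass: simplesecurityobject", f"uid: {uid}",
        f"userPassword: {password}", f"passwordExpirationTime: {expires}",
        "nsIdleTimeout: 0", ""])

def read_only_aci(uid, attrs, name="Kolab user can access some fields."):
    """ACI granting only read/search on the given attributes to one account."""
    targets = " || ".join(attrs)
    return (f'(targetattr = "{targets}") (version 3.0; acl "{name}"; '
            f'allow (read,search) userdn = "ldap:///uid={uid},{SYSACCOUNTS}";)')

def aci_ldif(uid, attrs):
    """LDIF modify operation attaching the ACI to the base entry."""
    return "\n".join([f"dn: {BASE_DN}", "changetype: modify", "add: aci",
                      f"aci: {read_only_aci(uid, attrs)}", ""])

ACI_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\).*?allow\s*\(([^)]*)\)', re.S)

def check_aci(aci):
    """Return (attrs, rights); reject write-class rights, wildcard targets
    or password exposure, so a service account stays read-only."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unparseable aci")
    attrs = {a.strip() for a in m.group(1).split("||")}
    rights = {r.strip() for r in m.group(2).split(",")}
    if rights - {"read", "search"}:
        raise ValueError(f"aci grants more than read/search: {rights}")
    if "userPassword" in attrs or "*" in attrs:
        raise ValueError("aci exposes password hashes or all attributes")
    return attrs, rights

if __name__ == "__main__":
    print(sysaccount_ldif("kolab-svc", "<password>"))
    print(aci_ldif("kolab-svc", KOLAB_READ_ATTRS))
```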

