[Kolab-devel] Kolab and FreeIPA article

kvaps kvapss at gmail.com
Thu Oct 11 11:37:15 CEST 2018


Hi Jochen, thanks for your notes,

>Here I think we should create "special users", not normal FreeIPA
>accounts:

Good point about placing special users in
`cn=sysaccounts,cn=etc,dc=example,dc=org`; I will review that.

>That way you could leave that out:
>
>> Now we can exclude users which ends with -svc from our addressbook:

I still need to receive mail for some service users (not humans); it is
always better to have a way to exclude them from the global address book.

>Can you elaborate why the pykolab patch is needed?

Yep, I forgot to mention the patch. Without this patch pykolab
didn't create mailboxes.
Sorry, I haven't saved the logs, but if I remember well, there was an
error something like:

    AttributeError("'bool' object has no attribute 'lower'",)

I found the solution on git.kolab.org for a similar error with the
attribute "type" and applied it to the "uid" attribute too.
(can't find this link anymore)

> Do we need to replicate the tree cn=kolab,cn=config to IPA replicas?

This tree contains the Kolab domain namespaces and aliases configuration.
In my opinion, if this configuration is static for you, you can just add
it to all the servers Kolab can connect to.
If you want the opportunity to manage domains and add
aliases at any time, you probably should configure replication.

- kvaps
On Thu, Oct 4, 2018 at 6:44 PM Jochen Hein <jochen at jochen.org> wrote:
>
> kvaps <kvapss at gmail.com> writes:
>
> > OK, here is my article about Kolab and FreeIPA integration:
> >
> > https://medium.com/@kvapss/install-kolab-and-integrate-it-with-freeipa-c80c3b34b7b7
>
> Wonderful.  It mostly looks like what I'd do.  Some comments:
>
> ,----
> | On FreeIPA server
> |
> | Create users:
> |
> |     kolab-svc
> |     kolab-admin-svc
> |     cyrus-svc
> `----
>
> Here I think we should create "special users", not normal FreeIPA
> accounts:
>
> dn: uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org
> changetype: add
> objectclass: account
> objectclass: simplesecurityobject
> uid: nextcloud-fetch
> userPassword: <password>
> passwordExpirationTime: 20380119031407Z
> nsIdleTimeout: 0
>
> And probably setting rights like that:
>
> dn: dc=example,dc=org
> changetype: modify
> add: aci
> aci: (targetattr = "nsuniqueid || dn || uid || telephoneNumber || mobile || mail || sn || givenName || objectClass || displayName || gecos || uid || sn ||ou || dc || cn || homeDirectory") (version 3.0; acl "Kolab user can access some fields."; allow (read,search) userdn = "ldap:///uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org";)
>
> That way you could leave that out:
>
> > Now we can exclude users which ends with -svc from our addressbook:
>
> Can you elaborate why the pykolab patch is needed?
>
> Do we need to replicate the tree cn=kolab,cn=config to IPA replicas?
> That's something we should have in mind.
>
> I can add some comments for these:
>
> - Using ipa-getcert to get TLS certificates for IMAP, SMTP,
>   Webmail/Webadmin.  I do run IMAP, SMTP and Kolab on logical hosts -
>   that makes the configuration interesting :-)
>
> - Single-Sign-On for IMAP (I never got roundcube and Kerberos to
>   cooperate).
>
> Thanks for sharing!
>
> Jochen
>
> --
> This space is intentionally left blank.
> _______________________________________________
> devel mailing list
> devel at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/devel
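As an added example (not code from the thread, Kolab or FreeIPA), an offline review of the kind of ACI suggested above for the Kolab system account: it parses the single-clause 389-ds ACI, lists the granted attributes, and flags duplicates, sensitive attributes, rights beyond read/search, or a bind rule not pinned to one account. The sensitive-attribute list is an assumption, and the ACI string is a constructed copy of the one quoted in the thread.

```python
import re

# Constructed copy of the ACI quoted in the thread; <user> is the thread's own placeholder.
KOLAB_ACI = (
    '(targetattr = "nsuniqueid || dn || uid || telephoneNumber || mobile || mail || sn '
    '|| givenName || objectClass || displayName || gecos || uid || sn ||ou || dc || cn '
    '|| homeDirectory") (version 3.0; acl "Kolab user can access some fields."; '
    'allow (read,search) userdn = "ldap:///uid=<user>,cn=sysaccounts,cn=etc,dc=example,dc=org";)'
)
# Attributes a read-only directory consumer should never be granted (assumed, not exhaustive).
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey", "ipanthash"}
# Minimal grammar for the single-clause 389-ds/FreeIPA ACI form used above.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bindrule>.*?);\s*\)$'
)

def parse_aci(aci):
    """Split one ACI into target attributes, permission, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax")
    return {
        "negated": m.group("op") == "!=",
        "attrs": [a.strip() for a in m.group("attrs").split("||")],
        "permission": m.group("perm"),
        "rights": {r.strip() for r in m.group("rights").split(",")},
        "bindrule": m.group("bindrule").strip(),
    }

def review_aci(aci):
    """Return findings; an empty list means a read-only grant pinned to one account."""
    p = parse_aci(aci)
    findings = []
    if p["negated"] or "*" in p["attrs"]:
        findings.append("targetattr is negated or a wildcard: grants far more than listed")
    lowered = [a.lower() for a in p["attrs"]]
    dupes = sorted({a for a in lowered if lowered.count(a) > 1})
    if dupes:
        findings.append("duplicate attributes: " + ", ".join(dupes))
    leaked = sorted(set(lowered) & SENSITIVE_ATTRS)
    if leaked:
        findings.append("sensitive attributes granted: " + ", ".join(leaked))
    extra = p["rights"] - {"read", "search", "compare"}
    if extra:
        findings.append("rights beyond read/search/compare: " + ", ".join(sorted(extra)))
    if p["permission"] != "allow" or not p["bindrule"].startswith('userdn = "ldap:///uid='):
        findings.append("bind rule is not an allow pinned to a single account DN")
    return findings
```

Run against the quoted ACI, the only finding is that `uid` and `sn` are listed twice, which is harmless but worth tidying before the ACI is committed to the directory.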

