Free busy & resource web-admin.

Dieter Klünter dieter at dkluenter.de
Thu Jan 24 17:43:05 CET 2013


On Wed, 23 Jan 2013 11:35:58 +0000
"Jeroen van Meeuwen (Kolab Systems)" <vanmeeuwen at kolabsys.com> wrote:

> On 2013-01-22 18:18, Diane Trout wrote:
> >> 
> >> Our defaults work against 389-ds, but as I recall OpenLDAP uses a
> >> specific schema root dn you can query. You should be able to
> >> supply that
> >> schema root dn in /etc/kolab/kolab.conf's [ldap] section as a
> >> setting named "schema_root_dn". Perhaps in OpenLDAP this is
> >> "cn=subschema"?
> > 
> > The OpenLDAP schema root should be:
> > 
> > cn=schema,cn=config
> > 
> > You may need to adjust permissions to be able to read it.  Look at
> > the olcAccess attribute in
> > slapd.d/cn=config/olcDatabase={0}config.ldif to see what
> > can access the cn=config tree.
> > 
> 
> The Kolab Web Administration Panel's API side will attempt to use
> what is specified as the "service_bind_dn" (and corresponding 
> "service_bind_pw") to read the schema, as is illustrated here:
> 
>    http://git.kolab.org/kolab-wap/tree/lib/ext/Net/LDAP3.php#n1710
> 
> So there's no reason (yet) to give out too broad read access to this 
> tree.

It has always been good practice that the root directory special entry
and the subschema entry can be read anonymously, otherwise clients may
fail, for example when searching for appropriate SASL mechanisms or for
appropriate namingContexts.

-Dieter
 
-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
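The point made above, that the root DSE and the subschema entry should be anonymously readable while cn=config itself stays closed, as an added OpenLDAP cn=config example (not from the thread or the Kolab project); it assumes the usual olcDatabase={-1}frontend database and that any earlier frontend rule ends in "by * break" so that appended rules are still evaluated.

```ldif
# Added example, not part of the original post: ldapmodify input that
# appends two access rules to OpenLDAP's frontend (global) database.
# The root DSE (dn "") and cn=Subschema belong to no backend, so the
# frontend olcAccess rules are what govern them; cn=config is untouched.
# Assumption: olcDatabase={-1}frontend exists and earlier rules, if any,
# fall through with "by * break".
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.exact="" by * read
-
add: olcAccess
olcAccess: to dn.base="cn=Subschema" by * read

# Apply with the local root identity over ldapi (constructed usage):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-acl.ldif
# Check as an anonymous client (-x with no bind DN) that both entries
# now answer, which is what a client looking for SASL mechanisms or
# namingContexts needs:
#   ldapsearch -x -H ldap://localhost -s base -b "" namingContexts supportedSASLMechanisms
#   ldapsearch -x -H ldap://localhost -s base -b "cn=Subschema" objectClasses
```

A bind with the Kolab service_bind_dn should still be required to read cn=config, which can be confirmed by repeating the second search with -b "cn=config" and seeing it refused.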
