Kolab + FreeIPA

Carlos R Laguna carlosr at jovenclub.cu
Mon Nov 10 17:35:10 CET 2014


On 09/11/14 at 20:12, Matt . wrote:
> Hi Carlos
>
> I'm figuring out the kolab.conf with the cn/dn and so on and I get
> errors on the bind.
>
> Can you send me your example of what you used for freeipa ? I think
> the devs can use it too as they are working on integration.
>
> Would be great!
>
> Thanks!
>
> Matt
>
> 2014-11-09 20:59 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Carlos,
>>
>> OK, I figured out in the IRC channel that we need the 99kolab.ldif in
>>   /etc/dirsrv/slapd-$instance/schema/99kolab.ldif but the rest is still
>> very vague to me.
>>
>> What kind of service do we need to add to the
>> kolabhost.local.domain at LOCAL.DOMAIN in IPA ? and what rights does the
>> cyrus-admin need.
>>
>> If you remember something, it's welcome!
>>
>> Cheers,
>>
>> Matt
>>
>> 2014-11-09 19:23 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>> Hi Carlos,
>>>
>>> Do you have any information about the  kolab-service and the
>>> cyrus-admin account ? What kind of rights does the cyrus admin need to
>>> have ?
>>>
>>> I have imported the Schema with commenting out dn=schema in the
>>> kolab3.ldif, you needed to do this also ?
>>>
>>> Was it btw needed to set up the full ldap on the kolab server and then
>>> change the ldap stuff in the kolab.conf or was an install
>>> --without-ldap working ?
>>>
>>> I hope you can help me out.
>>>
>>> Thanks again!
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2014-11-09 1:24 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>> I'm still testing this without any luck.
>>>>
>>>> I'm doing a setup-kolab --without-ldap
>>>>
>>>> When I check the kolab.conf I see what to change but I'm not 100% sure
>>>> as this differs from other LDAP configs as it seems, it requires the
>>>> Directory Manager instead of the admin from FreeIPA.
>>>>
>>>> Also adding the schema is not what I can find out so far.
>>>>
>>>> Any howto's are welcome!
>>>>
>>>> Is the integration for ldap questions from Boddie already in the
>>>> Ubuntu Packages ?
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2014-11-09 0:10 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>> Great to hear!
>>>>>
>>>>> That is quite some users indeed. I'm thinking about starting locally
>>>>> as I need Kolab at the moment and separate later on.
>>>>>
>>>>> Can you keep me updated about your progress ?
>>>>>
>>>>> Would be great!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2014-11-09 0:09 GMT+01:00 Carlos Raúl Laguna <carlosla1987 at gmail.com>:
>>>>>> In my test lab yes, I am also about to deploy kolab for 6000 and also
>>>>>> separate all the servers, but still on research. Regards
>>>>>>
>>>>>> 2014-11-08 18:04 GMT-05:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> Same thing here, we rely on IPA so it's needed.
>>>>>>>
>>>>>>> I also was investigating to separate all services but this is not
>>>>>>> documented well enough.
>>>>>>>
>>>>>>> Your users just worked out of the box ?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2014-11-09 0:01 GMT+01:00 Carlos Raúl Laguna <carlosla1987 at gmail.com>:
>>>>>>>> Hi,
>>>>>>>> In my case I needed it, too many users, hard to keep track.
>>>>>>>>
>>>>>>>> 2014-11-08 17:10 GMT-05:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Mhh it would be needed actually or it doesn't make sense to use your
>>>>>>>>> existing ipa.
>>>>>>>>>
>>>>>>>>> 2014-11-08 23:00 GMT+01:00 Carlos Raúl Laguna <carlosla1987 at gmail.com>:
>>>>>>>>>> Existing user in IPA server? only if meet kolab user.lastname policy
>>>>>>>>>> but not 100% sure . Regards
>>>>>>>>>>
>>>>>>>>>> 2014-11-08 16:53 GMT-05:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> HI,
>>>>>>>>>>>
>>>>>>>>>>> OK great to know... existing users will be usable in Kolab directly ?
>>>>>>>>>>> no remapping needed ?
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Matt
>>>>>>>>>>>
>>>>>>>>>>> 2014-11-08 22:50 GMT+01:00 Carlos Raúl Laguna
>>>>>>>>>>> <carlosla1987 at gmail.com>:
>>>>>>>>>>>> Hi, try both, however ended doing manually. Regards
>>>>>>>>>>>>
>>>>>>>>>>>> Carlos
>>>>>>>>>>>>
>>>>>>>>>>>> 2014-11-08 16:44 GMT-05:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Carlos,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for your information!
>>>>>>>>>>>>>
>>>>>>>>>>>>> What did you do with the settings ? Did you change the install
>>>>>>>>>>>>> script or did all manual ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I see something I will let you know.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2014-11-08 22:38 GMT+01:00 Carlos Raúl Laguna
>>>>>>>>>>>>> <carlosla1987 at gmail.com>:
>>>>>>>>>>>>>> Actually I set up both boxes aside and then made the changes.
>>>>>>>>>>>>>> About your second question I can't help you, I am not in the
>>>>>>>>>>>>>> office right now, but if I recall correctly the schema is added
>>>>>>>>>>>>>> just like the 389-DS and the object you can search in
>>>>>>>>>>>>>> IPA Server > Configuration > add objectclass.
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you find another means to do it I would like to hear about it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> 2014-11-08 16:09 GMT-05:00 Matt . <yamakasi.014 at gmail.com>:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, I have seen something about changing the setup script so
>>>>>>>>>>>>>>> it will set the ipa server already instead of localhost ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do you have some directions to add the schema and object ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Matt
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2014-11-08 22:04 GMT+01:00 Carlos Raúl Laguna
>>>>>>>>>>>>>>> <carlosla1987 at gmail.com>:
>>>>>>>>>>>>>>>> Hi, you need to add kolab schema to FreeIPA and add the kolab
>>>>>>>>>>>>>>>> object through FreeIPA-GUI to start, after that you will need
>>>>>>>>>>>>>>>> to point all kolab elements to freeipa that include and modify
>>>>>>>>>>>>>>>> the search queries to FreeIPA, also you will need to recreate
>>>>>>>>>>>>>>>> part of Kolab LDAP tree in FreeIPA, I only used this in a test
>>>>>>>>>>>>>>>> environment, but in a few weeks will do it again for production
>>>>>>>>>>>>>>>> one domain only. Regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
This is the ldap portion of kolab.conf in my test lab

[ldap]
kolab_user_filter = (objectclass=kolabinetorgperson)
mail_attributes = mail, alias
mailserver_attribute = mailhost
group_filter = (|(objectclass=groupofuniquenames)(objectclass=groupofurls))
unique_attribute = nsuniqueid
kolab_user_base_dn = cn=users,cn=accounts,%(base_dn)s
base_dn = dc=jovenclub,dc=cu
bind_pw = nos4a287
group_base_dn = ou=Groups,%(base_dn)s
domain_name_attribute = associateddomain
sharedfolder_filter = (objectclass=kolabsharedfolder)
supported_controls = 0,2,3
domain_filter = (&(associatedDomain=*))
group_scope = sub
bind_dn = cn=Directory Manager
ldap_uri = ldap://192.168.20.19:389
resource_base_dn = ou=Resources,%(base_dn)s
domain_rootdn_attribute = inetdomainbasedn
kolab_group_filter = (|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))
quota_attribute = mailquota
service_bind_dn = uid=kolab-service,cn=sysaccounts,cn=etc,dc=jovenclub,dc=cu
sharedfolder_base_dn = ou=Shared Folders,%(base_dn)s
resource_filter = (|%(group_filter)s(objectclass=kolabsharedfolder))
domain_base_dn = cn=kolab,cn=config
auth_attributes = mail, alias, uid
user_base_dn = cn=users,cn=accounts,%(base_dn)s
service_bind_pw = ***********
user_filter = (objectclass=inetorgperson)
user_scope = sub

As you may see, some changes are required. In my case I want to use the
user created by FreeIPA and keep the groups for Kolab management, to prevent
FreeIPA and Kolab groups from mixing. Also, Shared Folders, among other LDAP
structures, must be made manually. Regards

 ________________________________________________________________
 12th Edition of the National Computing Event for Young People. INFOCLUB.
 April 2015. See www.jovenclub.cu
 ________________________________________________________________


-- 
This message has been scanned by MailScanner
for viruses and other dangerous content,
and is believed to be clean.
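
Added example (not part of the original message, and not Kolab or FreeIPA project code): a short Python check of an [ldap] section like the one above for three things a reviewer would look at, namely a cleartext ldap:// URI, a bind as cn=Directory Manager, and unmasked *_pw values. The function names and every sample value (example.org, 192.0.2.10, PLACEHOLDER-1) are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample modelled on the [ldap] section above; every value is a placeholder.
SAMPLE = """\
[ldap]
base_dn = dc=example,dc=org
ldap_uri = ldap://192.0.2.10:389
bind_dn = cn=Directory Manager
bind_pw = PLACEHOLDER-1
service_bind_dn = uid=kolab-service,cn=sysaccounts,cn=etc,%(base_dn)s
service_bind_pw = ********
user_base_dn = cn=users,cn=accounts,%(base_dn)s
"""


def normalise_dn(dn):
    """Lower-case a DN and drop optional spaces around ',' and '='."""
    parts = [p.strip() for p in dn.lower().split(",")]
    return ",".join("=".join(x.strip() for x in p.split("=", 1)) for p in parts)


def audit_ldap_section(text):
    """Return {key: finding} for risky settings in the [ldap] section."""
    cp = configparser.ConfigParser()  # resolves %(base_dn)s references
    cp.read_string(text)
    ldap = cp["ldap"]
    findings = {}

    if urlparse(ldap.get("ldap_uri", "")).scheme == "ldap":
        findings["ldap_uri"] = "cleartext ldap://: bind passwords cross the network unencrypted"

    for key in ("bind_dn", "service_bind_dn"):
        if normalise_dn(ldap.get(key, "")) == "cn=directory manager":
            findings[key] = "binds as the 389-DS superuser, which is not subject to ACIs"

    for key in ldap:
        # raw=True: a '%' inside a password must not be parsed as interpolation.
        # A value made only of '*' is treated as already masked.
        if key.endswith("_pw") and ldap.get(key, raw=True).strip("*"):
            findings[key] = "plaintext secret; restrict file permissions and redact before sharing"
    return findings


if __name__ == "__main__":
    for key, finding in sorted(audit_ldap_section(SAMPLE).items()):
        print(f"{key}: {finding}")
```

The findings carry key names only, so the report can be shared without exposing the secret values themselves.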


