Hi,
I have some huge (for me, but I hope not for the experts on this list) problems:
First the server config:
- openSuSE 10.3 (x86_64)
- openldap: openldap2-2.3.37-7.4
User administration, NFS and also Apache (for company-internal information websites, not for the "real" web) are running without problems, and so are 5 clients (openSuSE 10.3, x86_64 and i586). Replication is not set up yet, but this is not the major problem.
1. Problem:
I added a central address book into the LDAP directory. It can be edited by KAddressBook and also used by Thunderbird from every client, but for editing the LDAP root login is required (not a good idea, I know, and I would like to change it), and everyone can read the whole LDAP directory (this has to be changed, too). I tried to give only users of the group "adressbook_write" permission to edit entries in the "ou=people" part (address book) of LDAP, and users of the "adressbook_read" group the read rights. Anyone else should not be allowed to read or write in "ou=people" or other parts of the LDAP directory.
This is the section of slapd.conf:
----------------------------------
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to dn.base="ou=people,dc=LMV,dc=LMV"
        by group="cn=adressbook_read,dc=LMV,dc=LMV" read
        by group="cn=adressbook_write,dc=LMV,dc=LMV" write
access to *
        by * read
-----------------------------------------
I also tried it without "dn.base=" in front of the first line (access to ...), but then user authentication was disabled. What is wrong? Can I delete "access to * by * read" without disabling the login capability?
2. Problem:
KAddressBook can access (r/w, only by using root access, simple auth.) the LDAP address book (ou=people). Reading is no problem, but when saving a new entry, KAddressBook shows the busy symbol (mouse cursor) and the new entry is not shown in KAddressBook, although the entry is saved in LDAP (it can be read/edited by other applications; ldapbrowser or others). What's the problem? KAddressBook, user read/write permissions? Or is it LDAP? To show the new entry in KAddressBook, the program has to be restarted. But KAddressBook has not crashed or frozen; the user can add a new address or show/edit old entries.
3. Problem:
Is any schema available which can handle more (3 or more) email addresses for every entry? I cannot figure out if the mozilla schema (German HowTo and schema taken from: http://www.pro-linux.de/t_office/openldap-adressbuch.html ) can handle more than one email entry per person. Is this possible, or is Thunderbird unable to read more than one email address from LDAP? And if so, how can I store all addresses from KAddressBook in LDAP (to share them with other KAddressBook clients)?
4. Auto-login
Some clients are used only by one person/login. With local user management, openSuSE provides the option to log in a standard user at boot. Is an automatic user login with LDAP users and LDAP user management possible?
5. File/dir modes
Is it possible to change the default file mode (644) and dir mode (755) for LDAP user accounts so that newly generated files get file: 660 and dir: 770? Then the group members could edit files/dirs generated by other users of the same LDAP-managed group.
Thanks
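An added example, not part of the original mail: the posted ACL reworked so that ou=people is really limited to the two groups. It assumes the two groups are groupOfNames entries with a member attribute (what "group=" expects by default) and that the clients' nss_ldap binds with a configured binddn rather than anonymously; with anonymous NSS lookups the last directive would additionally need anonymous read on the account entries.

```conf
# Added example (not from the original mail): the posted ACL reworked.
# Assumptions: groups are groupOfNames/member (the default for "group="),
# and the clients' nss_ldap binds with a binddn, not anonymously.
# slapd takes the first "access to" directive whose target matches the
# entry/attribute; within it the first matching "by" clause wins, and a
# requester that matches no clause is denied ("by * none" is implicit).

access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# The user may change their own password; everyone else may only bind
# against it (auth), never read it.
access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# dn.base matches only the ou=people entry itself, so the address entries
# beneath it never matched the original rule and fell through to
# "access to * by * read" (everyone reads, only rootdn writes).
# dn.subtree covers ou=people and everything under it. The write group is
# listed first: a user who is in both groups would otherwise get read only.
access to dn.subtree="ou=people,dc=LMV,dc=LMV"
        by group="cn=adressbook_write,dc=LMV,dc=LMV" write
        by group="cn=adressbook_read,dc=LMV,dc=LMV" read
        by * none

# Replacement for "access to * by * read": the remaining entries (POSIX
# accounts, groups) are readable only by authenticated users. Binding still
# works because it needs only the "auth" right on userPassword above.
access to *
        by users read
        by * none
```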