I've been messing with LDAP for the past couple of days, and following various online tutorials on how to create an addressbook for Thunderbird in openldap. Sure, this isn't too difficult, and I have it working as a proof of concept. I can use phpldapadmin to create new entries in my addressbook, and these will show up in Thunderbird's addressbook.
I've also spent the day reading most of the openldap admin guide (250 pages), which eventually I noticed is missing section E, where I'm sure something simple like this would appear.
However, now I want to organise the addresses into groups. eg, say we have the following staff:
  John Smith works in the head office and is the CEO
  Ann Johnson works in the head office and is a general admin person
  Mary Brown works in the branch office and is the state manager
  Jane Martin works in the branch office and is a general admin person
I want everybody to be listed in a People group...
I want all four people listed in a Staff group...
I want John Smith and Mary Brown in a Managers group
I want John Smith and Ann Johnson in a Head Office group
I want Mary Brown and Jane Martin in a Branch Office group
So, I could do this like this:

dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: My Organization
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
description: All the people

dn: ou=Staff,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Staff

# the cn value must match the cn in the RDN, or slapd rejects the add
dn: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlpha
givenName: John
sn: Smith
cn: John Smith
mail: jsmith@example.com
etc for other people
Then I can configure the groups like this:
# cn is multi-valued; the RDN value "Managers" must be present as a cn value
dn: cn=Managers,dc=example,dc=com
objectClass: groupOfNames
cn: Managers
cn: Managers of example.com
member: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
member: cn=Mary Brown+mail=mbrown@example.com,ou=People,dc=example,dc=com
However, thunderbird doesn't seem to have any smart way to show this group... So, I thought, maybe I could duplicate the "People" and put complete addressbook records into the Managers ou, but then it complains that the same CN already exists, besides the fact that this just seems like a kludge, and not a very "nice" way to achieve this.
PS, the context is to try and replace MS Outlook with Mozilla Thunderbird. With email in IMAP4, that works well. I can share the calendar from thunderbird to iphones/android phones with http://calendarserver.org/. Now I'm just trying to resolve the "shared contacts" issue, which is currently solved by copying (at login) a pst file from a share to the local users profile, and having that configured to open in outlook (add pst data file). I'd prefer to replace all that with ldap, since thunderbird supports ldap for an addressbook, and it would then update immediately (instead of after next login). Also, long term it would be useful to use ldap for other web based login authentication, squid proxy auth, and/or even windows authentication, but, one step/problem at a time.
Thank you for any advice or suggestions, or pointers to documentation.
Regards, Adam
OUs are not groups. OUs are organizational units. For groups, consider creating entities with the ObjectClass groupOfNames, part of RFC 2256 (section 7.10) and included in OpenLDAP’s core schema. This requires the attribute “member”, which accepts a list of DNs as group members.
There are other solutions (posixGroup from the NIS schema, for example), but that's the low-hanging fruit approach.
On Jul 8, 2014, at 12:28 AM, Adam Goryachev mailinglists@websitemanagers.com.au wrote:
On 08/07/2014 05:28, Adam Goryachev wrote:
I've been messing with LDAP for the past couple of days, and following various online tutorials on how to create an addressbook for Thunderbird in openldap.
[...]
However, thunderbird doesn't seem to have any smart way to show this group...
I think you'll find that Thunderbird's address book has no concept of groups at all. But you could use an attribute like employeeType (from the inetOrgPerson objectClass) instead, and TB can make use of that.
Have a dig around in TB's about:config editor and look at all the 'attrmap' options - you'll find that all the fields in a TB address book entry can be mapped to LDAP attributes however you see fit. Unfortunately they can't be mapped to search filters, so you can't really do anything useful with memberOf.
Liam Gretton wrote:
On 08/07/2014 05:28, Adam Goryachev wrote:
I've been messing with LDAP for the past couple of days, and following various online tutorials on how to create an addressbook for Thunderbird in openldap.
[...]
However, thunderbird doesn't seem to have any smart way to show this group...
I think you'll find that Thunderbird's address book has no concept of groups at all.
It has lists. But AFAIK it does not know a LDAP schema for lists (which means expanding addresses for all group members).
But you could use an attribute like employeeType (from the inetOrgPerson objectClass) instead, and TB can make use of that.
Have a dig around in TB's about:config editor and look at all the 'attrmap' options - you'll find that all the fields in a TB address book entry can be mapped to LDAP attributes however you see fit. Unfortunately they can't be mapped to search filters, so you can't really do anything useful with memberOf.
I can't see how this all is useful for Thunderbird recognizing any kind of group entry as list.
If you have a central IT infrastructure I'd rather add simple entries with 'mail' attribute and let the MTA expand the addresses. Caveat is that the MUA (Thunderbird) won't know all recipient addresses and therefore can't e.g. use e-mail encryption with PGP or S/MIME.
Ciao, Michael.
I'm not sure I completely understand what you are suggesting. It is definitely a centrally administered system, and the address book is managed by IT only.
Could I have a simple "person" record which is named Managers, and contains multiple email addresses, such that Thunderbird would automatically send an email to every email address listed for the contact?
Actually, I don't think that would work since Thunderbird should assume you only want to send the email to one email address for the contact. Maybe a single email field with comma separated email addresses all in the one field...
Any other suggestions would be greatly received, I'll try some more options tomorrow.
Sorry for top posting, sent from my mobile.
On 8 July 2014 6:10:24 PM AEST, "Michael Ströder" michael@stroeder.com wrote:
On 08/07/14 21:47, Adam Goryachev wrote:
I'm not sure I completely understand what you are suggesting. It is definitely a centrally administered system, and the address book is managed by IT only.
Could I have a simple "person" record which is named Managers, and contains multiple email addresses, such that Thunderbird would automatically send an email to every email address listed for the contact?
Nope, thunderbird only displays the first value, so this doesn't work
Actually, I don't think that would work since Thunderbird should assume you only want to send the email to one email address for the contact. Maybe a single email field with comma separated email addresses all in the one field...
Also no, thunderbird helpfully "escapes" the value so that the mail server will only try to deliver to the single address. I've removed the config now, but it was something like: John Smith ""<user@domain.com,user2@domain.com,user3@domain.com>"
I didn't think it would work, so didn't actually send an email.
I've now thought it might work to just set the "organization" value to the users branch, which should at least allow a user to view the addressbook, and select all the users in the branch, and then send an email. The other option is to allow the user to "search" for the branch, and then select all the users. None of these actually provide an ideal solution from a usability point of view though.
So, does anyone even use ldap for a email address book (with any email client)? How do you use that/make it work?
Thanks again for your suggestions, I will look into sogo at some stage, but my current readings suggested it was not a stable platform to try to use daily in a company environment... Even though carddav would work nicely on the mobiles.
Regards, Adam
Adam,
Adam Goryachev schrieb (09.07.2014 06:46 Uhr):
I've now thought it might work to just set the "organization" value to the users branch, which should at least allow a user to view the addressbook, and select all the users in the branch, and then send an email. The other option is to allow the user to "search" for the branch, and then select all the users. None of these actually provide an ideal solution from a usability point of view though.
So, does anyone even use ldap for a email address book (with any email client)? How do you use that/make it work?
If you do not need to look up the members of a group, it just works with Thunderbird. Single person addresses are just inetOrgPerson objects, which is fine. Groups are groupOfNames objects with an additional self-created "groupaddon" object class, which adds SUP top AUXILIARY MAY ( mail $ displayName $ sn ). With that the group shows like a normal address book entry; you cannot see the members. We pre-created an additional address book "groups" in Thunderbird which by filter only shows the groups, so that they can easily be found. And we defined a special naming schema for group mail addresses as well.
Thanks again for your suggestions, I will look into sogo at some stage, but my current readings suggested it was not a stable platform to try to use daily in a company environment... Even though carddav would work nicely on the mobiles.
Why should SOGo not be production ready? I doubt that.
Marc
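Marc's "groupaddon" approach written out as an added example (not from the thread, and not part of any schema shipped with OpenLDAP): the auxiliary class added to cn=config, a Managers group using it, and the filter for the separate "groups" address book. The OID, the ou=Groups container, the grp-managers@example.com naming and the Thunderbird URL filter are assumptions.

```ldif
# Step 1: define the auxiliary class in cn=config. The OID is a placeholder;
# use an arc you own. Load with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f groupaddon-schema.ldif
dn: cn=schema,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'groupaddon'
  DESC 'Lets a groupOfNames appear as a Thunderbird address book entry'
  SUP top AUXILIARY
  MAY ( mail $ displayName $ sn ) )

# Step 2: the group entry (ou=Groups assumed to exist), loaded into the data
# DIT with ldapadd as the rootdn or an IT admin. Thunderbird shows and sends
# to the mail value only; it never reads member, so the MTA must expand
# grp-managers@example.com to the members (and, as Michael noted, the client
# cannot apply per-recipient S/MIME or PGP to addresses it never sees).
dn: cn=Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: groupaddon
cn: Managers
displayName: Managers (group)
sn: Managers
mail: grp-managers@example.com
member: cn=John Smith+mail=jsmith@example.com,ou=People,dc=example,dc=com
member: cn=Mary Brown+mail=mbrown@example.com,ou=People,dc=example,dc=com

# Step 3: a second LDAP address book in Thunderbird whose directory URL
# carries a filter matching only this class, so groups are found separately:
#   ldap://ldap.example.com/ou=Groups,dc=example,dc=com??sub?(objectClass=groupaddon)
```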
On 09-07-14 06:46, Adam Goryachev wrote: [snip]
So, does anyone even use ldap for a email address book (with any email client)? How do you use that/make it work?
I use Zarafa & Z-Push and use the addressbook of Zarafa's WebApp webclient or the one in Thunderbird. I use those addressbooks in a basic way (no groups, lists, etc). I made them work by configuring Zarafa so it uses OpenLDAP and in Thunderbird I use the Z-Sync add-on which syncs with Z-Push. It's been quite stable for me for the past years. On my GSM I use the Touchdown client. All communications are via TLS/SSL with client cert auth enforced.
Thanks again for your suggestions, I will look into sogo at some stage, but my current readings suggested it was not a stable platform to try to use daily in a company environment... Even though carddav would work nicely on the mobiles.
AFAIK SoGo is production ready as are Zarafa and Zimbra and AFAIK they all support LDAP. Worth a look.
HTH, Patrick
Adam,
Adam Goryachev schrieb (08.07.2014 06:28 Uhr):
PS, the context is to try and replace MS Outlook with Mozilla Thunderbird. With email in IMAP4, that works well. I can share the calendar from thunderbird to iphones/android phones with http://calendarserver.org/. Now I'm just trying to resolve the "shared contacts" issue, which is currently solved by copying (at login) a pst file from a share to the local users profile, and having that configured to open in outlook (add pst data file). I'd prefer to replace all that with ldap, since thunderbird supports ldap for an addressbook, and it would then update immediately (instead of after next login). Also, long term it would be useful to use ldap for other web based login authentication, squid proxy auth, and/or even windows authentication, but, one step/problem at a time.
Good move! Think about using something like SOGo instead of the mentioned calendar server. As mentioned before Thunderbird and groups in LDAP is a mess. I'm not sure right now, if SOGo can display LDAP groups as address book groups better, but you can use openldap as authentication source and manage the address groups in the shareable CardDAV address books. Maybe this works with calendarsever as well. But the Thunderbird integration of SOGo is the best I've seen so far. You may check it out.
Marc
openldap-technical@openldap.org