Hi Bjorn,

Thanks for your reply. I've read the README.acl in the doc directory and made some changes last week. First, I use organization layout instead of domain layout, but I think it will make no difference at all. I've created an ldif file

    dn: dc=domainku,dc=com
    changetype: modify
    add: objectClass,administrator
    objectClass: phpQLAdminBranch
    administrator: uid=sato,ou=Users,dc=domainku,dc=com

and modified the ldap server accordingly. I've modified the ACL in slapd.conf as well:

    access to attr=userPassword,sambaLMPassword,sambaNTPassword,mobile,mailQuotaSize
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by self write
        by anonymous auth
        by * none

    access to dn="dc=domainku,dc=com"
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by * read

    access to *
        by * read

Now I could log onto phpqladmin with username sato and get the Advanced mode activated, yet I couldn't change the users' attributes (mailQuotaSize, etc). Maybe it was caused by the "not recursive" nature of the configuration. I'm going to configure the Users and Groups branch now.

Thank you for the information.

Best regards,
sato

On 3/30/07, Bjorn Snijders <[EMAIL PROTECTED]> wrote:
Hi Sato,

Sorry for my delayed response, but I think there are some things you should check or refer to, to get your phpQLAdmin working.

First of all, you don't need the control-patch to get phpQLAdmin working with ezmlm or qmail-ldap in general; however, phpQLAdmin is capable of managing qmail-ldap/control for you, even with some automation when creating new virtual domains. (Nowadays Turbo Fredriksson (maintainer of phpQLAdmin) even integrates bind and apache for virtual domains administration like virtualmin/webmin.) So no worries there for you.

In case you are going to be using the control patch, leave and update a copy of your rcpthost files in the control dir of qmail to prevent your MTA becoming an open relay in case connection to the LDAP server fails.

Well, now some checks to make sure phpQLAdmin is capable of interacting with your LDAP server.

- Does your layout compare to the suggested ones in the README file? (I think you are using domain layout)
- You need to load the following schemas in your LDAP server (slapd.conf). (Copy them from the phpQLAdmin schemas dir to the LDAP server's schemas dir.)
    - core.schema
    - cosine.schema
    - inetorgperson.schema
    - nis.schema
    - qmail.schema
    - (qmailControl.schema) ## if you use control patch
    - turbo.schema
    - rfc2377.schema
    - phpQLAdmin.schema

As you can read in the README there are some schema issues: (take care of this if you don't use control-patch)

    Schema issues
    ~~~~~~~~~~~~~
    There is a couple of problems with the phpQLAdminBranch objectclass. One is the 'defaultDomain' attribute. It exists in both the qmailControl.schema distributed with the QmailLDAP/Controls patch and in the phpQLAdmin.schema distributed with phpQLAdmin. If you don't use the QmailLDAP/Controls patch, you will have to uncomment the attribute from the phpQLAdmin.schema before you restart your LDAP server. The attribute is defined on lines 299 to 303 in the phpQLAdmin.schema, so remove the leading dashes (#) on those lines.

- Now for debugging I think it is best to disable all ACL/ACI. You can enable these when you have got phpQLAdmin working.
- From README file:

    The next step in the modification of the existing database for use with phpQLAdmin is the inclusion of the 'userReference' and 'administrator' attributes in the base object ('dc=com' or 'c=SE' in the above examples). If you're using ACI's, you must make the 'userReference' attribute publicly readable... The 'administrator' attribute should contain the full DN of your object. Once the first/initial administrator (you!) is entered, you can add more via the GUI.

In your case, dc=domainku,dc=com, you should add these attributes to dc=com and not to dc=domainku,dc=com!!!! (This requires a new ldif to create the dc=com object and its attributes.) Now you have an administrator for your top branch, and when logging in with this administrator's DN you will have access to advanced mode and further configuration.

As you can read in the README file, cn=Manager... is of no use for logging into phpQLAdmin since no password is stored in the actual LDAP directory.

Well, I hope this makes some things more clear, and if you need an example, check out the demo directory in your phpQLAdmin installation. Try to get these working first before integrating LDAP server monitoring or LDAP control. Since you can log in for a normal qmailuser account, the first check is ok for you.

If you have more questions, feel free to fire them to me.

Regards,
Bjorn
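
Added example, not part of the thread and not phpQLAdmin or OpenLDAP code: a simplified Python model of how slapd evaluates the three `access to` directives quoted in the first message (first matching directive, then first matching `by` clause), showing that `dnattr=administrator` is tested against the entry being accessed. The second administrator `uid=admin2` and the user entry `uid=budi` are constructed sample data, and `dn=` is assumed to mean an exact match.

```python
# Simplified slapd ACL model. Assumption: exact-DN matching only, no regex or scopes.
ADMIN = "uid=sato,ou=Users,dc=domainku,dc=com"
SECOND = "uid=admin2,ou=Users,dc=domainku,dc=com"   # constructed second administrator
BASE = "dc=domainku,dc=com"
USER = "uid=budi,ou=Users,dc=domainku,dc=com"       # constructed user entry
PROTECTED = {"userPassword", "sambaLMPassword", "sambaNTPassword",
             "mobile", "mailQuotaSize"}
# Constructed directory: 'administrator' exists on the base object only.
DIRECTORY = {
    BASE: {"administrator": [ADMIN, SECOND]},
    USER: {"mailQuotaSize": ["10000000"], "cn": ["Budi"]},
}

# The three 'access to' directives from the message, in slapd.conf order.
ACL = [
    (lambda dn, attr: attr in PROTECTED,
     [("dnattr=administrator", "write"), ("dn=" + ADMIN, "write"),
      ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (lambda dn, attr: dn == BASE,
     [("dnattr=administrator", "write"), ("dn=" + ADMIN, "write"), ("*", "read")]),
    (lambda dn, attr: True, [("*", "read")]),
]

def who_matches(who, bind_dn, target_dn):
    """Does one <who> clause match the requester for this target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn == target_dn
    if who.startswith("dnattr="):
        # dnattr reads the named attribute of the entry being accessed, not of its parent.
        return bind_dn in DIRECTORY[target_dn].get(who[len("dnattr="):], [])
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):]
    return False

def access(bind_dn, target_dn, attr):
    """First matching 'access to' wins; inside it, first matching 'by' wins."""
    for what, by_clauses in ACL:
        if what(target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"   # implicit 'by * none' ends every directive
    return "none"           # implicit 'access to * by * none' ends the list
```

In this model an administrator who is listed only in the base object's `administrator` attribute can write to the base object but gets `none` on a user's `mailQuotaSize`, while the DN named explicitly in a `by dn=` clause gets `write`.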