Re: [Freeipa-users] Primary mail address possible ?
Hi,

OK got it working by changing the mail address to u...@domain.tld

Actually no IPA question, but you might know, my email is not delivered
in one file /var/mail/uid instead of the maildir format it should do.

At least it arrives well!

Thanks

2014-11-22 2:23 GMT+01:00 Matt . :
> Hi that wasn't quite clear from me, yes I can login thanks for that!
>
> But now I get an error on the associated domain:
>
> postmap: dict_ldap_connect: Cached connection handle for LDAP source /etc/postfix/ldap/mydestination.cf
> postmap: dict_ldap_lookup: /etc/postfix/ldap/mydestination.cf: Searching with filter (&(associatedDomain=u...@domain.tld))
> postmap: dict_ldap_get_values[1]: Search found 0 match(es)
> postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
> postmap: dict_ldap_lookup: Search returned nothing
> postmap: dict_ldap_close: Closed connection handle for LDAP source /etc/postfix/ldap/mydestination.cf
>
> But when I do a postmap check on this cf with domain.tld that gives a
> match, as it should...
>
> So that might need some modification ?
>
> 2014-11-22 2:14 GMT+01:00 Dmitri Pal :
>> On 11/21/2014 07:57 PM, Matt . wrote:
>>>
>>> I need to say, saslauth caches it, didn't restart that one actually as
>>> it's kinda late!
>>
>> So when you restarted did it work or still no luck?
>>
>>>
>>> 2014-11-22 1:55 GMT+01:00 Matt . :
>>>>
>>>> Hi,
>>>>
>>>> Yes and that doesn't let me login... that's the issue.
>>>>
>>>> 2014-11-22 1:45 GMT+01:00 Dmitri Pal :
>>>>> On 11/21/2014 07:12 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Dimitri,
>>>>>>
>>>>>> Thanks, but it seems following the kolab devs that if kolab cannot
>>>>>> determine the base dn, the other two do not matter.
>>>>>>
>>>>>> So what would you change exactly ?
>>>>>
>>>>> I assume you use IPA as an LDAP server.
>>>>> In the Kolab config I would change
>>>>>
>>>>> 'email' => 'mail',
>>>>>
>>>>> to
>>>>>
>>>>> 'email' => 'uid',
>>>>>
>>>>> In IPA I would use "name" in the uid and name@domain in email (as IPA
>>>>> creates) by default.
>>>>> and then try to log into Kolab using name.
>>>>>
>>>>> So for me it would look like this:
>>>>>
>>>>> In ipa:
>>>>> uid: dpal
>>>>> mail: d...@mydomain.com
>>>>>
>>>>>> There might be need changed more.
>>>>>>
>>>>>> I hope we can get this fixed !
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>>>>>>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>>>>>>
>>>>>>>> Hi Dimitri,
>>>>>>>>
>>>>>>>> All I can say about that is that it's configured and uses ldap this
>>>>>>>> this added to ldap:
>>>>>>>>
>>>>>>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>>>>>>> # extended LDIF
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base with scope subtree
>>>>>>>> # filter: (objectclass=*)
>>>>>>>> # requesting: ALL
>>>>>>>> #
>>>>>>>>
>>>>>>>> # kolab, config
>>>>>>>> dn: cn=kolab,cn=config
>>>>>>>> objectClass: top
>>>>>>>> objectClass: extensibleobject
>>>>>>>> cn: kolab
>>>>>>>>
>>>>>>>> # example.org, kolab, config
>>>>>>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>>>>>>> objectClass: top
>>>>>>>> objectClass: domainrelatedobject
>>>>>>>> objectClass: inetdomain
>>>>>>>> associatedDomain: example.org
>>>>>>>> associatedDomain: dc=internal,dc=local
>>>>>>>> inetDomainBaseDN: dc=internal,dc=local
>>>>>>>>
>>>>>>>> # search result
>>>>>>>> search: 2
>>>>>>>> result: 0 Success
>>>>>>>>
>>>>>>>> # numResponses: 3
>>>>>>>> # numEntries: 2
>>>>>>>>
>>>>>>>> kolab_auth.inc.php
>>>>>>>>
>>>>>>>> <?php
>>>>>>>>
>>>>>>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>>>>>>> // or complete addressbook definition array.
>>>>>>>> $config['kolab_auth_addressbook'] = Array(
>>>>>>>>     'name' => 'Kolab Auth',
>>>>>>>>     'hosts' => Array('172.16.xx.xx'),
>>>>>>>>     'port' => 389,
>>>>>>>>     'use_tls' => false,
>>>>>>>>     'user_specific' => false,
>>>>>>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>>>>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>>>>>>     'bind_pass' => 'xx',
>>>>>>>>     'writable' => false,
>>>>>>>>     'ldap_version' => 3, // using LDAPv3
>>>>>>>>     'fieldmap' => Array(
>>>>>>>>         'name' => 'displayname',
>>>>>>>>         'email' => 'mail',
>>>>>>>
>>>>>>> Here you can use uid instead of mail.
>>>>>>> Then user will be able to login into Kolab with a simple name instead of the
>>>>>>> longer
Re: [Freeipa-users] Primary mail address possible ?
Hi that wasn't quite clear from me, yes I can login thanks for that!

But now I get an error on the associated domain:

postmap: dict_ldap_connect: Cached connection handle for LDAP source /etc/postfix/ldap/mydestination.cf
postmap: dict_ldap_lookup: /etc/postfix/ldap/mydestination.cf: Searching with filter (&(associatedDomain=u...@domain.tld))
postmap: dict_ldap_get_values[1]: Search found 0 match(es)
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned nothing
postmap: dict_ldap_close: Closed connection handle for LDAP source /etc/postfix/ldap/mydestination.cf

But when I do a postmap check on this cf with domain.tld that gives a
match, as it should...

So that might need some modification ?

2014-11-22 2:14 GMT+01:00 Dmitri Pal :
> On 11/21/2014 07:57 PM, Matt . wrote:
>>
>> I need to say, saslauth caches it, didn't restart that one actually as
>> it's kinda late!
>
> So when you restarted did it work or still no luck?
>
>>
>> 2014-11-22 1:55 GMT+01:00 Matt . :
>>>
>>> Hi,
>>>
>>> Yes and that doesn't let me login... that's the issue.
>>>
>>> 2014-11-22 1:45 GMT+01:00 Dmitri Pal :
>>>> On 11/21/2014 07:12 PM, Matt . wrote:
>>>>>
>>>>> Hi Dimitri,
>>>>>
>>>>> Thanks, but it seems following the kolab devs that if kolab cannot
>>>>> determine the base dn, the other two do not matter.
>>>>>
>>>>> So what would you change exactly ?
>>>>
>>>> I assume you use IPA as an LDAP server.
>>>> In the Kolab config I would change
>>>>
>>>> 'email' => 'mail',
>>>>
>>>> to
>>>>
>>>> 'email' => 'uid',
>>>>
>>>> In IPA I would use "name" in the uid and name@domain in email (as IPA
>>>> creates) by default.
>>>> and then try to log into Kolab using name.
>>>>
>>>> So for me it would look like this:
>>>>
>>>> In ipa:
>>>> uid: dpal
>>>> mail: d...@mydomain.com
>>>>
>>>>> There might be need changed more.
>>>>>
>>>>> I hope we can get this fixed !
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>>>>>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>>>>>
>>>>>>> Hi Dimitri,
>>>>>>>
>>>>>>> All I can say about that is that it's configured and uses ldap this
>>>>>>> this added to ldap:
>>>>>>>
>>>>>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base with scope subtree
>>>>>>> # filter: (objectclass=*)
>>>>>>> # requesting: ALL
>>>>>>> #
>>>>>>>
>>>>>>> # kolab, config
>>>>>>> dn: cn=kolab,cn=config
>>>>>>> objectClass: top
>>>>>>> objectClass: extensibleobject
>>>>>>> cn: kolab
>>>>>>>
>>>>>>> # example.org, kolab, config
>>>>>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>>>>>> objectClass: top
>>>>>>> objectClass: domainrelatedobject
>>>>>>> objectClass: inetdomain
>>>>>>> associatedDomain: example.org
>>>>>>> associatedDomain: dc=internal,dc=local
>>>>>>> inetDomainBaseDN: dc=internal,dc=local
>>>>>>>
>>>>>>> # search result
>>>>>>> search: 2
>>>>>>> result: 0 Success
>>>>>>>
>>>>>>> # numResponses: 3
>>>>>>> # numEntries: 2
>>>>>>>
>>>>>>> kolab_auth.inc.php
>>>>>>>
>>>>>>> <?php
>>>>>>>
>>>>>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>>>>>> // or complete addressbook definition array.
>>>>>>> $config['kolab_auth_addressbook'] = Array(
>>>>>>>     'name' => 'Kolab Auth',
>>>>>>>     'hosts' => Array('172.16.xx.xx'),
>>>>>>>     'port' => 389,
>>>>>>>     'use_tls' => false,
>>>>>>>     'user_specific' => false,
>>>>>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>>>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>>>>>     'bind_pass' => 'xx',
>>>>>>>     'writable' => false,
>>>>>>>     'ldap_version' => 3, // using LDAPv3
>>>>>>>     'fieldmap' => Array(
>>>>>>>         'name' => 'displayname',
>>>>>>>         'email' => 'mail',
>>>>>>
>>>>>> Here you can use uid instead of mail.
>>>>>> Then user will be able to login into Kolab with a simple name instead of the
>>>>>> longer mail.
>>>>>> Then you would be able to put n...@domain.tld into the mail attribute.
>>>>>>
>>>>>> It seems that Kolab assumes that mail is a single valued attribute in the
>>>>>> directory while in general it is not the case.
>>>>>> So the best would be to use some other attribute for login.
>>>>>>
>>>>>> HTH.
>>>>>>
>>>>>>>         'email:alias' => 'alias',
>>>>>>>         'role' => 'nsroledn',
Re: [Freeipa-users] Primary mail address possible ?
On 11/21/2014 07:57 PM, Matt . wrote:
>
> I need to say, saslauth caches it, didn't restart that one actually as
> it's kinda late!

So when you restarted did it work or still no luck?

>
> 2014-11-22 1:55 GMT+01:00 Matt . :
>>
>> Hi,
>>
>> Yes and that doesn't let me login... that's the issue.
>>
>> 2014-11-22 1:45 GMT+01:00 Dmitri Pal :
>>> On 11/21/2014 07:12 PM, Matt . wrote:
>>>>
>>>> Hi Dimitri,
>>>>
>>>> Thanks, but it seems following the kolab devs that if kolab cannot
>>>> determine the base dn, the other two do not matter.
>>>>
>>>> So what would you change exactly ?
>>>
>>> I assume you use IPA as an LDAP server.
>>> In the Kolab config I would change
>>>
>>> 'email' => 'mail',
>>>
>>> to
>>>
>>> 'email' => 'uid',
>>>
>>> In IPA I would use "name" in the uid and name@domain in email (as IPA
>>> creates) by default.
>>> and then try to log into Kolab using name.
>>>
>>> So for me it would look like this:
>>>
>>> In ipa:
>>> uid: dpal
>>> mail: d...@mydomain.com
>>>
>>>> There might be need changed more.
>>>>
>>>> I hope we can get this fixed !
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>>>>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Dimitri,
>>>>>>
>>>>>> All I can say about that is that it's configured and uses ldap this
>>>>>> this added to ldap:
>>>>>>
>>>>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base with scope subtree
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # kolab, config
>>>>>> dn: cn=kolab,cn=config
>>>>>> objectClass: top
>>>>>> objectClass: extensibleobject
>>>>>> cn: kolab
>>>>>>
>>>>>> # example.org, kolab, config
>>>>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>>>>> objectClass: top
>>>>>> objectClass: domainrelatedobject
>>>>>> objectClass: inetdomain
>>>>>> associatedDomain: example.org
>>>>>> associatedDomain: dc=internal,dc=local
>>>>>> inetDomainBaseDN: dc=internal,dc=local
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 0 Success
>>>>>>
>>>>>> # numResponses: 3
>>>>>> # numEntries: 2
>>>>>>
>>>>>> kolab_auth.inc.php
>>>>>>
>>>>>> <?php
>>>>>>
>>>>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>>>>> // or complete addressbook definition array.
>>>>>> $config['kolab_auth_addressbook'] = Array(
>>>>>>     'name' => 'Kolab Auth',
>>>>>>     'hosts' => Array('172.16.xx.xx'),
>>>>>>     'port' => 389,
>>>>>>     'use_tls' => false,
>>>>>>     'user_specific' => false,
>>>>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>>>>     'bind_pass' => 'xx',
>>>>>>     'writable' => false,
>>>>>>     'ldap_version' => 3, // using LDAPv3
>>>>>>     'fieldmap' => Array(
>>>>>>         'name' => 'displayname',
>>>>>>         'email' => 'mail',
>>>>>
>>>>> Here you can use uid instead of mail.
>>>>> Then user will be able to login into Kolab with a simple name instead of the
>>>>> longer mail.
>>>>> Then you would be able to put n...@domain.tld into the mail attribute.
>>>>>
>>>>> It seems that Kolab assumes that mail is a single valued attribute in the
>>>>> directory while in general it is not the case.
>>>>> So the best would be to use some other attribute for login.
>>>>>
>>>>> HTH.
>>>>>
>>>>>>         'email:alias' => 'alias',
>>>>>>         'role' => 'nsroledn',
>>>>>>     ),
>>>>>>     'sort' => 'displayname',
>>>>>>     'scope' => 'sub',
>>>>>>     'filter' => '(objectClass=*)',
>>>>>>     'fuzzy_search' => true,
>>>>>>     'sizelimit' => '0',
>>>>>>     'timelimit' => '0',
>>>>>>     'groups' => Array(
>>>>>>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>>>>>>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>>>>>>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>>>>>>         'member_attr' => 'uniqueMember',
>>>>>>     ),
>>>>>> );
>>>>>>
>>>>>> // This will overwrite defined filter
>>>>>> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>>>>>>
>>>>>> // Use this fields (from fieldmap configuration) to get authentication ID
>>>>>> $config['kolab_auth_login'] = 'email';
>>>>>>
>>>>>> // Use this fields (from fieldmap configuration) for default identity
>>>>>> $config['kolab_auth_name'] = 'name';
>>>>>> $config['kolab_auth_alias'] = 'alias';
>>>>>> $config['kolab_auth_email'] = 'email';
>>>>>>
>>>>>> if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
>>>>>>
>>>>>>     // Login and password of the admin user. Enables "Login As" feature.
>>>>>>     $config['kolab_auth_admin_login'] = 'admin';
>>>>>>     $config['kolab_auth_admin_password'] = 'xx';
>>>>>>
>>>>>>     $config['kolab_auth_auditlog'] = true;
>>>>>> }
>>>>>>
>>>>>> // Administrative role field (from fieldmap configuration) which must be filled with
>>>>>> // specified value which adds privilege to login as another user.
>>>>>> $config['kolab_auth_role'] = 'role';
>>>>>> $config['kolab_auth_role_value'] = 'cn=kolab-admin,dc=domain,dc=local';
>>>>>>
>>>>>> // Administrative group name to which user
Re: [Freeipa-users] Primary mail address possible ?
I need to say, saslauth caches it, didn't restart that one actually as
it's kinda late!

2014-11-22 1:55 GMT+01:00 Matt . :
> Hi,
>
> Yes and that doesn't let me login... that's the issue.
>
> 2014-11-22 1:45 GMT+01:00 Dmitri Pal :
>> On 11/21/2014 07:12 PM, Matt . wrote:
>>>
>>> Hi Dimitri,
>>>
>>> Thanks, but it seems following the kolab devs that if kolab cannot
>>> determine the base dn, the other two do not matter.
>>>
>>> So what would you change exactly ?
>>
>> I assume you use IPA as an LDAP server.
>> In the Kolab config I would change
>>
>> 'email' => 'mail',
>>
>> to
>>
>> 'email' => 'uid',
>>
>> In IPA I would use "name" in the uid and name@domain in email (as IPA
>> creates) by default.
>> and then try to log into Kolab using name.
>>
>> So for me it would look like this:
>>
>> In ipa:
>> uid: dpal
>> mail: d...@mydomain.com
>>
>>> There might be need changed more.
>>>
>>> I hope we can get this fixed !
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>>>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>>>
>>>>> Hi Dimitri,
>>>>>
>>>>> All I can say about that is that it's configured and uses ldap this
>>>>> this added to ldap:
>>>>>
>>>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base with scope subtree
>>>>> # filter: (objectclass=*)
>>>>> # requesting: ALL
>>>>> #
>>>>>
>>>>> # kolab, config
>>>>> dn: cn=kolab,cn=config
>>>>> objectClass: top
>>>>> objectClass: extensibleobject
>>>>> cn: kolab
>>>>>
>>>>> # example.org, kolab, config
>>>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>>>> objectClass: top
>>>>> objectClass: domainrelatedobject
>>>>> objectClass: inetdomain
>>>>> associatedDomain: example.org
>>>>> associatedDomain: dc=internal,dc=local
>>>>> inetDomainBaseDN: dc=internal,dc=local
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 3
>>>>> # numEntries: 2
>>>>>
>>>>> kolab_auth.inc.php
>>>>>
>>>>> <?php
>>>>>
>>>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>>>> // or complete addressbook definition array.
>>>>> $config['kolab_auth_addressbook'] = Array(
>>>>>     'name' => 'Kolab Auth',
>>>>>     'hosts' => Array('172.16.xx.xx'),
>>>>>     'port' => 389,
>>>>>     'use_tls' => false,
>>>>>     'user_specific' => false,
>>>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>>>     'bind_pass' => 'xx',
>>>>>     'writable' => false,
>>>>>     'ldap_version' => 3, // using LDAPv3
>>>>>     'fieldmap' => Array(
>>>>>         'name' => 'displayname',
>>>>>         'email' => 'mail',
>>>>
>>>> Here you can use uid instead of mail.
>>>> Then user will be able to login into Kolab with a simple name instead of the
>>>> longer mail.
>>>> Then you would be able to put n...@domain.tld into the mail attribute.
>>>>
>>>> It seems that Kolab assumes that mail is a single valued attribute in the
>>>> directory while in general it is not the case.
>>>> So the best would be to use some other attribute for login.
>>>>
>>>> HTH.
>>>>
>>>>>         'email:alias' => 'alias',
>>>>>         'role' => 'nsroledn',
>>>>>     ),
>>>>>     'sort' => 'displayname',
>>>>>     'scope' => 'sub',
>>>>>     'filter' => '(objectClass=*)',
>>>>>     'fuzzy_search' => true,
>>>>>     'sizelimit' => '0',
>>>>>     'timelimit' => '0',
>>>>>     'groups' => Array(
>>>>>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>>>>>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>>>>>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>>>>>         'member_attr' => 'uniqueMember',
>>>>>     ),
>>>>> );
>>>>>
>>>>> // This will overwrite defined filter
>>>>> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>>>>>
>>>>> // Use this fields (from fieldmap configuration) to get authentication ID
>>>>> $config['kolab_auth_login'] = 'email';
>>>>>
>>>>> // Use this fields (from fieldmap configuration) for defa
Re: [Freeipa-users] Primary mail address possible ?
Hi,

Yes and that doesn't let me login... that's the issue.

2014-11-22 1:45 GMT+01:00 Dmitri Pal :
> On 11/21/2014 07:12 PM, Matt . wrote:
>>
>> Hi Dimitri,
>>
>> Thanks, but it seems following the kolab devs that if kolab cannot
>> determine the base dn, the other two do not matter.
>>
>> So what would you change exactly ?
>
> I assume you use IPA as an LDAP server.
> In the Kolab config I would change
>
> 'email' => 'mail',
>
> to
>
> 'email' => 'uid',
>
> In IPA I would use "name" in the uid and name@domain in email (as IPA
> creates) by default.
> and then try to log into Kolab using name.
>
> So for me it would look like this:
>
> In ipa:
> uid: dpal
> mail: d...@mydomain.com
>
>> There might be need changed more.
>>
>> I hope we can get this fixed !
>>
>> Thanks,
>>
>> Matt
>>
>> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>>
>>>> Hi Dimitri,
>>>>
>>>> All I can say about that is that it's configured and uses ldap this
>>>> this added to ldap:
>>>>
>>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # kolab, config
>>>> dn: cn=kolab,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleobject
>>>> cn: kolab
>>>>
>>>> # example.org, kolab, config
>>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>>> objectClass: top
>>>> objectClass: domainrelatedobject
>>>> objectClass: inetdomain
>>>> associatedDomain: example.org
>>>> associatedDomain: dc=internal,dc=local
>>>> inetDomainBaseDN: dc=internal,dc=local
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 3
>>>> # numEntries: 2
>>>>
>>>> kolab_auth.inc.php
>>>>
>>>> <?php
>>>>
>>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>>> // or complete addressbook definition array.
>>>> $config['kolab_auth_addressbook'] = Array(
>>>>     'name' => 'Kolab Auth',
>>>>     'hosts' => Array('172.16.xx.xx'),
>>>>     'port' => 389,
>>>>     'use_tls' => false,
>>>>     'user_specific' => false,
>>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>>     'bind_pass' => 'xx',
>>>>     'writable' => false,
>>>>     'ldap_version' => 3, // using LDAPv3
>>>>     'fieldmap' => Array(
>>>>         'name' => 'displayname',
>>>>         'email' => 'mail',
>>>
>>> Here you can use uid instead of mail.
>>> Then user will be able to login into Kolab with a simple name instead of the
>>> longer mail.
>>> Then you would be able to put n...@domain.tld into the mail attribute.
>>>
>>> It seems that Kolab assumes that mail is a single valued attribute in the
>>> directory while in general it is not the case.
>>> So the best would be to use some other attribute for login.
>>>
>>> HTH.
>>>
>>>>         'email:alias' => 'alias',
>>>>         'role' => 'nsroledn',
>>>>     ),
>>>>     'sort' => 'displayname',
>>>>     'scope' => 'sub',
>>>>     'filter' => '(objectClass=*)',
>>>>     'fuzzy_search' => true,
>>>>     'sizelimit' => '0',
>>>>     'timelimit' => '0',
>>>>     'groups' => Array(
>>>>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>>>>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>>>>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>>>>         'member_attr' => 'uniqueMember',
>>>>     ),
>>>> );
>>>>
>>>> // This will overwrite defined filter
>>>> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>>>>
>>>> // Use this fields (from fieldmap configuration) to get authentication ID
>>>> $config['kolab_auth_login'] = 'email';
>>>>
>>>> // Use this fields (from fieldmap configuration) for default identity
>>>> $config['kolab_auth_name'] = 'name';
>>>> $config['kolab_auth_alias'] = 'alias';
>>>> $config['kolab_auth_email'] = 'email';
>>>>
>>>> if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
>>>>
>>>>     // L
Re: [Freeipa-users] Primary mail address possible ?
On 11/21/2014 07:12 PM, Matt . wrote:
>
> Hi Dimitri,
>
> Thanks, but it seems following the kolab devs that if kolab cannot
> determine the base dn, the other two do not matter.
>
> So what would you change exactly ?

I assume you use IPA as an LDAP server.
In the Kolab config I would change

'email' => 'mail',

to

'email' => 'uid',

In IPA I would use "name" in the uid and name@domain in email (as IPA
creates) by default.
and then try to log into Kolab using name.

So for me it would look like this:

In ipa:
uid: dpal
mail: d...@mydomain.com

> There might be need changed more.
>
> I hope we can get this fixed !
>
> Thanks,
>
> Matt
>
> 2014-11-22 0:51 GMT+01:00 Dmitri Pal :
>> On 11/21/2014 06:42 PM, Matt . wrote:
>>>
>>> Hi Dimitri,
>>>
>>> All I can say about that is that it's configured and uses ldap this
>>> this added to ldap:
>>>
>>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # kolab, config
>>> dn: cn=kolab,cn=config
>>> objectClass: top
>>> objectClass: extensibleobject
>>> cn: kolab
>>>
>>> # example.org, kolab, config
>>> dn: associateddomain=example.org,cn=kolab,cn=config
>>> objectClass: top
>>> objectClass: domainrelatedobject
>>> objectClass: inetdomain
>>> associatedDomain: example.org
>>> associatedDomain: dc=internal,dc=local
>>> inetDomainBaseDN: dc=internal,dc=local
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 3
>>> # numEntries: 2
>>>
>>> kolab_auth.inc.php
>>>
>>> <?php
>>>
>>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>>> // or complete addressbook definition array.
>>> $config['kolab_auth_addressbook'] = Array(
>>>     'name' => 'Kolab Auth',
>>>     'hosts' => Array('172.16.xx.xx'),
>>>     'port' => 389,
>>>     'use_tls' => false,
>>>     'user_specific' => false,
>>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>>     'bind_pass' => 'xx',
>>>     'writable' => false,
>>>     'ldap_version' => 3, // using LDAPv3
>>>     'fieldmap' => Array(
>>>         'name' => 'displayname',
>>>         'email' => 'mail',
>>
>> Here you can use uid instead of mail.
>> Then user will be able to login into Kolab with a simple name instead of the
>> longer mail.
>> Then you would be able to put n...@domain.tld into the mail attribute.
>>
>> It seems that Kolab assumes that mail is a single valued attribute in the
>> directory while in general it is not the case.
>> So the best would be to use some other attribute for login.
>>
>> HTH.
>>
>>>         'email:alias' => 'alias',
>>>         'role' => 'nsroledn',
>>>     ),
>>>     'sort' => 'displayname',
>>>     'scope' => 'sub',
>>>     'filter' => '(objectClass=*)',
>>>     'fuzzy_search' => true,
>>>     'sizelimit' => '0',
>>>     'timelimit' => '0',
>>>     'groups' => Array(
>>>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>>>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>>>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>>>         'member_attr' => 'uniqueMember',
>>>     ),
>>> );
>>>
>>> // This will overwrite defined filter
>>> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>>>
>>> // Use this fields (from fieldmap configuration) to get authentication ID
>>> $config['kolab_auth_login'] = 'email';
>>>
>>> // Use this fields (from fieldmap configuration) for default identity
>>> $config['kolab_auth_name'] = 'name';
>>> $config['kolab_auth_alias'] = 'alias';
>>> $config['kolab_auth_email'] = 'email';
>>>
>>> if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
>>>
>>>     // Login and password of the admin user. Enables "Login As" feature.
>>>     $config['kolab_auth_admin_login'] = 'admin';
>>>     $config['kolab_auth_admin_password'] = 'xx';
>>>
>>>     $config['kolab_auth_auditlog'] = true;
>>> }
>>>
>>> // Administrative role field (from fieldmap configuration) which must be filled with
>>> // specified value which adds privilege to login as another user.
>>> $config['kolab_auth_role'] = 'role';
>>> $config['kolab_auth_role_value'] = 'cn=kolab-admin,dc=domain,dc=local';
>>>
>>> // Administrative group name to which user must be assigned to
>>> // which adds privilege to login as another user.
>>> $config['kolab_auth_group'] = 'Kolab Helpdesk';
>>>
>>> if (file_exists(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__))) {
>>>     include_once(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__));
>>> }
>>>
>>> ?>
>>>
>>> Does this help you some ?
Re: [Freeipa-users] Primary mail address possible ?
Hi Dimitri,

Thanks, but it seems following the kolab devs that if kolab cannot
determine the base dn, the other two do not matter.

So what would you change exactly ?

There might be need changed more.

I hope we can get this fixed !

Thanks,

Matt

2014-11-22 0:51 GMT+01:00 Dmitri Pal :
> On 11/21/2014 06:42 PM, Matt . wrote:
>>
>> Hi Dimitri,
>>
>> All I can say about that is that it's configured and uses ldap this
>> this added to ldap:
>>
>> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # kolab, config
>> dn: cn=kolab,cn=config
>> objectClass: top
>> objectClass: extensibleobject
>> cn: kolab
>>
>> # example.org, kolab, config
>> dn: associateddomain=example.org,cn=kolab,cn=config
>> objectClass: top
>> objectClass: domainrelatedobject
>> objectClass: inetdomain
>> associatedDomain: example.org
>> associatedDomain: dc=internal,dc=local
>> inetDomainBaseDN: dc=internal,dc=local
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> kolab_auth.inc.php
>>
>> <?php
>>
>> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
>> // or complete addressbook definition array.
>> $config['kolab_auth_addressbook'] = Array(
>>     'name' => 'Kolab Auth',
>>     'hosts' => Array('172.16.xx.xx'),
>>     'port' => 389,
>>     'use_tls' => false,
>>     'user_specific' => false,
>>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>>     'bind_pass' => 'xx',
>>     'writable' => false,
>>     'ldap_version' => 3, // using LDAPv3
>>     'fieldmap' => Array(
>>         'name' => 'displayname',
>>         'email' => 'mail',
>
> Here you can use uid instead of mail.
> Then user will be able to login into Kolab with a simple name instead of the
> longer mail.
> Then you would be able to put n...@domain.tld into the mail attribute.
>
> It seems that Kolab assumes that mail is a single valued attribute in the
> directory while in general it is not the case.
> So the best would be to use some other attribute for login.
>
> HTH.
>
>>         'email:alias' => 'alias',
>>         'role' => 'nsroledn',
>>     ),
>>     'sort' => 'displayname',
>>     'scope' => 'sub',
>>     'filter' => '(objectClass=*)',
>>     'fuzzy_search' => true,
>>     'sizelimit' => '0',
>>     'timelimit' => '0',
>>     'groups' => Array(
>>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>>         'member_attr' => 'uniqueMember',
>>     ),
>> );
>>
>> // This will overwrite defined filter
>> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>>
>> // Use this fields (from fieldmap configuration) to get authentication ID
>> $config['kolab_auth_login'] = 'email';
>>
>> // Use this fields (from fieldmap configuration) for default identity
>> $config['kolab_auth_name'] = 'name';
>> $config['kolab_auth_alias'] = 'alias';
>> $config['kolab_auth_email'] = 'email';
>>
>> if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
>>
>>     // Login and password of the admin user. Enables "Login As" feature.
>>     $config['kolab_auth_admin_login'] = 'admin';
>>     $config['kolab_auth_admin_password'] = 'xx';
>>
>>     $config['kolab_auth_auditlog'] = true;
>> }
>>
>> // Administrative role field (from fieldmap configuration) which must be filled with
>> // specified value which adds privilege to login as another user.
>> $config['kolab_auth_role'] = 'role';
>> $config['kolab_auth_role_value'] = 'cn=kolab-admin,dc=domain,dc=local';
>>
>> // Administrative group name to which user must be assigned to
>> // which adds privilege to login as another user.
>> $config['kolab_auth_group'] = 'Kolab Helpdesk';
>>
>> if (file_exists(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__))) {
>>     include_once(RCUBE_CONFIG_DIR . '
Re: [Freeipa-users] Primary mail address possible ?
On 11/21/2014 06:42 PM, Matt . wrote:
>
> Hi Dimitri,
>
> All I can say about that is that it's configured and uses ldap this
> this added to ldap:
>
> [root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # kolab, config
> dn: cn=kolab,cn=config
> objectClass: top
> objectClass: extensibleobject
> cn: kolab
>
> # example.org, kolab, config
> dn: associateddomain=example.org,cn=kolab,cn=config
> objectClass: top
> objectClass: domainrelatedobject
> objectClass: inetdomain
> associatedDomain: example.org
> associatedDomain: dc=internal,dc=local
> inetDomainBaseDN: dc=internal,dc=local
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> kolab_auth.inc.php
>
> <?php
>
> // The id of the LDAP address book (which refers to the rcmail_config['ldap_public'])
> // or complete addressbook definition array.
> $config['kolab_auth_addressbook'] = Array(
>     'name' => 'Kolab Auth',
>     'hosts' => Array('172.16.xx.xx'),
>     'port' => 389,
>     'use_tls' => false,
>     'user_specific' => false,
>     'base_dn' => 'cn=accounts,dc=domain,dc=local',
>     'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
>     'bind_pass' => 'xx',
>     'writable' => false,
>     'ldap_version' => 3, // using LDAPv3
>     'fieldmap' => Array(
>         'name' => 'displayname',
>         'email' => 'mail',

Here you can use uid instead of mail.
Then user will be able to login into Kolab with a simple name instead of the
longer mail.
Then you would be able to put n...@domain.tld into the mail attribute.

It seems that Kolab assumes that mail is a single valued attribute in the
directory while in general it is not the case.
So the best would be to use some other attribute for login.

HTH.

>         'email:alias' => 'alias',
>         'role' => 'nsroledn',
>     ),
>     'sort' => 'displayname',
>     'scope' => 'sub',
>     'filter' => '(objectClass=*)',
>     'fuzzy_search' => true,
>     'sizelimit' => '0',
>     'timelimit' => '0',
>     'groups' => Array(
>         'base_dn' => 'cn=groups,dc=domain,dc=local',
>         'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
>         'object_classes' => Array('top', 'groupOfUniqueNames'),
>         'member_attr' => 'uniqueMember',
>     ),
> );
>
> // This will overwrite defined filter
> $config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';
>
> // Use this fields (from fieldmap configuration) to get authentication ID
> $config['kolab_auth_login'] = 'email';
>
> // Use this fields (from fieldmap configuration) for default identity
> $config['kolab_auth_name'] = 'name';
> $config['kolab_auth_alias'] = 'alias';
> $config['kolab_auth_email'] = 'email';
>
> if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
>
>     // Login and password of the admin user. Enables "Login As" feature.
>     $config['kolab_auth_admin_login'] = 'admin';
>     $config['kolab_auth_admin_password'] = 'xx';
>
>     $config['kolab_auth_auditlog'] = true;
> }
>
> // Administrative role field (from fieldmap configuration) which must be filled with
> // specified value which adds privilege to login as another user.
> $config['kolab_auth_role'] = 'role';
> $config['kolab_auth_role_value'] = 'cn=kolab-admin,dc=domain,dc=local';
>
> // Administrative group name to which user must be assigned to
> // which adds privilege to login as another user.
> $config['kolab_auth_group'] = 'Kolab Helpdesk';
>
> if (file_exists(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__))) {
>     include_once(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__));
> }
>
> ?>
>
> Does this help you some ?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
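The single-valued `mail` assumption discussed in the message above, as an added example that is not part of any message in this thread and is not Kolab's code: a simplified Python model of the posted `kolab_auth_filter` and `fieldmap`, plus a check that lists accounts whose login attribute does not hold exactly one value. The sample LDIF, the user names, the "first value wins" policy and the reading of `%u` (login part before `@`) and `%fu` (full login) are assumptions.

```python
"""Simplified model of login-ID resolution; added example, not Kolab code."""

# Constructed LDIF (made-up users), shaped like the scenario in the thread:
# one account carries two mail values, the other only one.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=domain,dc=local
objectClass: inetuser
uid: jdoe
mail: jdoe@sub.domain.local
mail: john.doe@domain.tld

dn: uid=asmith,cn=users,cn=accounts,dc=domain,dc=local
objectClass: inetuser
uid: asmith
mail: asmith@sub.domain.local
"""

FIELDMAP_MAIL = {"name": "displayname", "email": "mail"}  # as posted
FIELDMAP_UID = {"name": "displayname", "email": "uid"}    # suggested change


def parse_ldif(text):
    """Parse plain 'attr: value' records (no base64, no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            # LDAP attributes are multi-valued: always collect into a list.
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def _has(entry, attr, wanted):
    """Case-insensitive value match, as for uid and mail in a directory."""
    return wanted.lower() in (v.lower() for v in entry.get(attr, []))


def matches_auth_filter(entry, login):
    """Model of (&(objectclass=inetuser)(|(uid=%u)(mail=%fu)(alias=%fu)))."""
    user_part = login.split("@", 1)[0]   # assumed meaning of %u
    return _has(entry, "objectclass", "inetuser") and (
        _has(entry, "uid", user_part)
        or _has(entry, "mail", login)    # assumed meaning of %fu
        or _has(entry, "alias", login)
    )


def resolve_login_id(entry, fieldmap, login_field="email"):
    """ID a consumer gets if it treats the mapped attribute as single-valued.

    Taking values[0] is the assumed policy; a directory does not promise
    any order for the values of one attribute.
    """
    values = entry.get(fieldmap[login_field].lower(), [])
    return values[0] if values else None


def audit_login_attribute(entries, fieldmap, login_field="email"):
    """Return (uid, values) for entries without exactly one login value."""
    attr = fieldmap[login_field].lower()
    return [
        (e["uid"][0], e.get(attr, []))
        for e in entries
        if len(e.get(attr, [])) != 1
    ]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for label, fmap in (("mail", FIELDMAP_MAIL), ("uid", FIELDMAP_UID)):
        print(label, [resolve_login_id(e, fmap) for e in entries],
              "ambiguous:", audit_login_attribute(entries, fmap))
```

Run against a real export, `audit_login_attribute` shows which accounts would resolve to an unpredictable ID before a second `mail` value is added to them.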
Re: [Freeipa-users] Primary mail address possible ?
Hi Dimitri,

All I can say about that is that it's configured and uses ldap with this added to ldap:

[root@kolab roundcubemail]# ldapsearch -x -h localhost -D "cn=Directory Manager" -w Welcome2KolabSystems -b "cn=kolab,cn=config"
# extended LDIF
#
# LDAPv3
# base <cn=kolab,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# kolab, config
dn: cn=kolab,cn=config
objectClass: top
objectClass: extensibleobject
cn: kolab

# example.org, kolab, config
dn: associateddomain=example.org,cn=kolab,cn=config
objectClass: top
objectClass: domainrelatedobject
objectClass: inetdomain
associatedDomain: example.org
associatedDomain: dc=internal,dc=local
inetDomainBaseDN: dc=internal,dc=local

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

kolab_auth.inc.php

<?php
$config['kolab_auth_addressbook'] = Array(
    'name' => 'Kolab Auth',
    'hosts' => Array('172.16.xx.xx'),
    'port' => 389,
    'use_tls' => false,
    'user_specific' => false,
    'base_dn' => 'cn=accounts,dc=domain,dc=local',
    'bind_dn' => 'uid=admin,cn=users,cn=accounts,dc=domain,dc=local',
    'bind_pass' => 'xx',
    'writable' => false,
    'ldap_version' => 3, // using LDAPv3
    'fieldmap' => Array(
        'name' => 'displayname',
        'email' => 'mail',
        'email:alias' => 'alias',
        'role' => 'nsroledn',
    ),
    'sort' => 'displayname',
    'scope' => 'sub',
    'filter' => '(objectClass=*)',
    'fuzzy_search' => true,
    'sizelimit' => '0',
    'timelimit' => '0',
    'groups' => Array(
        'base_dn' => 'cn=groups,dc=domain,dc=local',
        'filter' => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
        'object_classes' => Array('top', 'groupOfUniqueNames'),
        'member_attr' => 'uniqueMember',
    ),
);

// This will overwrite defined filter
$config['kolab_auth_filter'] = '(&' . '(objectclass=inetuser)' . '(|(uid=%u)(mail=%fu)(alias=%fu)))';

// Use this fields (from fieldmap configuration) to get authentication ID
$config['kolab_auth_login'] = 'email';

// Use this fields (from fieldmap configuration) for default identity
$config['kolab_auth_name'] = 'name';
$config['kolab_auth_alias'] = 'alias';
$config['kolab_auth_email'] = 'email';

if (preg_match('/\/helpdesk-login\//', $_SERVER["REQUEST_URI"]) ) {
    // Login and password of the admin user. Enables "Login As" feature.
    $config['kolab_auth_admin_login'] = 'admin';
    $config['kolab_auth_admin_password'] = 'xx';
    $config['kolab_auth_auditlog'] = true;
}

// Administrative role field (from fieldmap configuration) which must be filled with
// specified value which adds privilege to login as another user.
$config['kolab_auth_role'] = 'role';
$config['kolab_auth_role_value'] = 'cn=kolab-admin,dc=domain,dc=local';

// Administrative group name to which user must be assigned to
// which adds privilege to login as another user.
$config['kolab_auth_group'] = 'Kolab Helpdesk';

if (file_exists(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__))) {
    include_once(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__));
}
?>

Does this help you some ?

2014-11-22 0:31 GMT+01:00 Dmitri Pal :
> On 11/21/2014 06:04 PM, Matt . wrote:
>>
>> Hi Dimitri,
>>
>> What do you mean by how ? Can you be more specific what you want to know ?
>
>
> How Kolab is connecting to IPA?
> LDAP ? Kerberos? Directly from Kolab? Using SSO? Using SSSD and Apache module
> integration like this http://www.freeipa.org/page/Web_App_Authentication?
> In some other way?
>
> What is the configuration?
>
> How the second mail address is supposed to be used?
> What are the applications that need to see/access it?
> How are they configured? LDAP? SSSD?
>
>>
>> 2014-11-21 23:42 GMT+01:00 Dmitri Pal :
>>>
>>> On 11/20/2014 09:15 PM, Matt . wrote:
>>>>
>>>> Hi Guys,
>>>>
>>>> For authenticating a user in Kolab I need uid@sub.domain.local as
>>>> emailaddress, but as my user needs also n...@domain.tld I need to add
>>>> this as extra mail address.
>>>
>>>
>>> User needs it where?
>>> How Kolab integration is configured?
>>>
>>>> When I add this second email address I cannot login to Kolab anymore
>>>> as it will use u...@domain.tld in the kolab logs. When I remove it it
>>>> can login again.
>>>>
>>>> Removing uid@sub.domain.local and only having n...@domain.tld doesn't
>>>> work either.
>>>>
>>>> Anyone an idea ho
Re: [Freeipa-users] Primary mail address possible ?
On 11/21/2014 06:04 PM, Matt . wrote:
> Hi Dimitri,
>
> What do you mean by how ? Can you be more specific what you want to know ?

How Kolab is connecting to IPA?
LDAP ? Kerberos? Directly from Kolab? Using SSO? Using SSSD and Apache module
integration like this http://www.freeipa.org/page/Web_App_Authentication?
In some other way?

What is the configuration?

How the second mail address is supposed to be used?
What are the applications that need to see/access it?
How are they configured? LDAP? SSSD?

> 2014-11-21 23:42 GMT+01:00 Dmitri Pal :
>> On 11/20/2014 09:15 PM, Matt . wrote:
>>> Hi Guys,
>>>
>>> For authenticating a user in Kolab I need uid@sub.domain.local as
>>> emailaddress, but as my user needs also n...@domain.tld I need to add
>>> this as extra mail address.
>>
>> User needs it where?
>> How Kolab integration is configured?
>>
>>> When I add this second email address I cannot login to Kolab anymore
>>> as it will use u...@domain.tld in the kolab logs. When I remove it it
>>> can login again.
>>>
>>> Removing uid@sub.domain.local and only having n...@domain.tld doesn't
>>> work either.
>>>
>>> Anyone an idea how I can set uid@sub.domain.local bind a primary ?
>>>
>>> Cheers,
>>>
>>> Matt
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Primary mail address possible ?
Hi Dimitri,

What do you mean by how ? Can you be more specific what you want to know ?

2014-11-21 23:42 GMT+01:00 Dmitri Pal :
> On 11/20/2014 09:15 PM, Matt . wrote:
>>
>> Hi Guys,
>>
>> For authenticating a user in Kolab I need uid@sub.domain.local as
>> emailaddress, but as my user needs also n...@domain.tld I need to add
>> this as extra mail address.
>
>
> User needs it where?
> How Kolab integration is configured?
>
>>
>> When I add this second email address I cannot login to Kolab anymore
>> as it will use u...@domain.tld in the kolab logs. When I remove it it
>> can login again.
>>
>> Removing uid@sub.domain.local and only having n...@domain.tld doesn't
>> work either.
>>
>> Anyone an idea how I can set uid@sub.domain.local bind a primary ?
>>
>> Cheers,
>>
>> Matt
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] Primary mail address possible ?
On 11/20/2014 09:15 PM, Matt . wrote:
> Hi Guys,
>
> For authenticating a user in Kolab I need uid@sub.domain.local as
> emailaddress, but as my user needs also n...@domain.tld I need to add
> this as extra mail address.

User needs it where?
How Kolab integration is configured?

> When I add this second email address I cannot login to Kolab anymore
> as it will use u...@domain.tld in the kolab logs. When I remove it it
> can login again.
>
> Removing uid@sub.domain.local and only having n...@domain.tld doesn't
> work either.
>
> Anyone an idea how I can set uid@sub.domain.local bind a primary ?
>
> Cheers,
>
> Matt

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] Primary mail address possible ?
Hi Guys,

For authenticating a user in Kolab I need uid@sub.domain.local as
emailaddress, but as my user needs also n...@domain.tld I need to add
this as extra mail address.

When I add this second email address I cannot login to Kolab anymore
as it will use u...@domain.tld in the kolab logs. When I remove it it
can login again.

Removing uid@sub.domain.local and only having n...@domain.tld doesn't
work either.

Anyone an idea how I can set uid@sub.domain.local bind a primary ?

Cheers,

Matt