Groups from FreeIPA

  • Hello

    Playing around to get to know Kopano, I’ve reached quite far in using FreeIPA as an LDAP source for user management.

    Now I have a small problem regarding group membership. In the example in the manual, group membership is based on memberUid, but in FreeIPA group membership is defined by the attribute member, which contains a full DN.

    dn: cn=somegroup,cn=groups,cn=accounts,dc=int,dc=vink-slott,dc=dk
    objectClass: ipausergroup
    objectClass: nestedgroup
    objectClass: nestedGroup
    objectClass: posixgroup
    objectClass: groupofnames
    objectClass: ipantgroupattrs
    objectClass: kopano-group
    objectClass: groupOfNames
    objectClass: ipaobject
    objectClass: top
    cn: somegroup
    description:: Bla bla bla
    gidNumber: *
    ipaNTSecurityIdentifier: *
    ipaUniqueID: *
    member: uid=klaus,cn=users,cn=accounts,dc=int,dc=vink-slott,dc=dk
    memberUid: klaus

    The last line (memberUid) is added manually as a workaround - I can’t figure out how to configure ldap.cfg to make Kopano read members based on the member attribute.

  • Kopano

    Hello @MrManor,

    Inside of your ldap.cfg you can customise how groups should be resolved and how group members are resolved. You should apply customisations in /etc/kopano/ldap.cfg and can find the default values below /usr/share/kopano.

    In your case you want to set:

    # Optional, default = member
    # Active directory: member
    # LDAP: memberUid
    ldap_groupmembers_attribute = member
    # Optional, default = text
    # Active directory: dn
    # LDAP: text
    ldap_groupmembers_attribute_type = dn

  • Thank you @fbartels

    I could have sworn I tried something like that yesterday, but I must have overlooked something. Today it works!

    Also thanks for the pointer to commented cfg files with default values. They will make my tinkering easier.
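
An added illustration, not part of the thread and not Kopano's own resolver: it models how a group's members resolve under the two settings discussed above (`member` with type `dn` versus `memberUid` with type `text`), and lists member values that point at no existing user. The LDIF is constructed sample data, the function names are hypothetical, `text` values are assumed to match the user's `uid`, and DN normalisation is simplified (no escaped commas).

```python
# Added illustration: models the two membership styles from the thread.
# Not Kopano's resolver; the LDIF below is constructed sample data.

SAMPLE_LDIF = """\
dn: cn=somegroup,cn=groups,cn=accounts,dc=example,dc=test
cn: somegroup
member: uid=klaus,cn=users,cn=accounts,dc=example,dc=test
member: UID=Anna, CN=users, cn=accounts, dc=example, dc=test
member: uid=gone,cn=users,cn=accounts,dc=example,dc=test
memberUid: klaus

dn: uid=klaus,cn=users,cn=accounts,dc=example,dc=test
uid: klaus

dn: uid=anna,cn=users,cn=accounts,dc=example,dc=test
uid: anna
"""

def parse_ldif(text):
    """Parse simple unfolded 'attr: value' LDIF into a list of {attr: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Simplified DN normalisation: lowercase, strip spaces around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_members(entries, group_cn, attribute, attribute_type):
    """Return (resolved uids, unresolved values) for a group under the given settings."""
    group = next(e for e in entries if group_cn in e.get("cn", []))
    users = [e for e in entries if "uid" in e]
    by_dn = {norm_dn(u["dn"][0]): u["uid"][0] for u in users}
    by_uid = {u["uid"][0]: u["uid"][0] for u in users}
    resolved, unresolved = [], []
    for value in group.get(attribute.lower(), []):
        # type "dn": compare normalised DNs; type "text": compare against uid
        key, table = (norm_dn(value), by_dn) if attribute_type == "dn" else (value, by_uid)
        (resolved if key in table else unresolved).append(table.get(key, value))
    return sorted(resolved), unresolved
```

Running `resolve_members` with `member` and type `text` leaves every value unresolved, which is the empty-group symptom of a mismatched attribute type. A hand-maintained `memberUid` list, as in the workaround, only covers the users someone remembered to add.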
