Qmail-LDAP

Re: Qmailadmin and qmail-ldap - is it possible?

To: qmail-ldap@qmail-ldap.org
Subject: Re: Qmailadmin and qmail-ldap - is it possible?
From: "sato x" <gladiol4@gmail.com>
Date: Mon, 2 Apr 2007 14:23:40 +0700
Delivered-to: sp-com-lists@consult.net
Delivered-to: qmail-ldap-list@securepoint.com
Delivered-to: mailing list qmail-ldap@qmail-ldap.org
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=pjYpQEttJQnnrTGgIdW+6QfWCPlqAKCUa/Me49DJvtLpVIC+8bd2J2AaqS4ia1RxU14P8pc88uR+DB+WaVtVG7I6ipdTUfxUrNATGDeZzOTGWvj3rRfGnB+e9R8tEdWO2kbWWniCF9tDdFK4u6ekuixD/kpoJC3/M/WfThf4ySo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=PGnplWvF0zpPPkUZelpJJABMo3u5RHHMMd/80we9HixCYLu4oRxRVPnLJDxHbjlJ5s+VSYRFsiIKqaeGExOBTvOhadcOS0kkZw653vnkA+p8X93z8CyQ7QNrdoTU8hU/6+syRVqqyVTUSser6R4+jtucY8zGyUOxBaHuVBtrwyw=
In-reply-to: <op.tpyuomsc3s6uth@eagle.lan>
Mailing-list: contact qmail-ldap-help@qmail-ldap.org; run by ezmlm
References: <f5ba7b270703190605m1db15de3j2dea3c61087706b8@mail.gmail.com> <op.tpfyxp013s6uth@eagle.lan> <f5ba7b270703240620h5f5edb26ifb531568f4085502@mail.gmail.com> <op.tpyuomsc3s6uth@eagle.lan>
Hi Bjorn,

Thanks for your reply. I've read the README.acl in the doc directory and made some changes last week. First, I use the organization layout instead of the domain layout, but I think it makes no difference at all. I've created an ldif file
 
dn: dc=domainku,dc=com
changetype: modify
add: objectClass
objectClass: phpQLAdminBranch
-
add: administrator
administrator: uid=sato,ou=Users,dc=domainku,dc=com

and modified the ldap server accordingly. I've modified the ACL in slapd.conf as well:

access to attr=userPassword,sambaLMPassword,sambaNTPassword,mobile,mailQuotaSize
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by self write
        by anonymous auth
        by * none

access to dn="dc=domainku,dc=com"
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by * read

access to *
        by * read

Now I could log onto phpQLAdmin with username sato and get Advanced mode activated, yet I couldn't change the users' attributes (mailQuotaSize, etc.). Maybe it was caused by the "not recursive" nature of the configuration. I'm going to configure the Users and Groups branches now. Thank you for the information.

Best regards,

sato


On 3/30/07, Bjorn Snijders <bjorn.snijders@wiggly.nl> wrote:
Hi Sato,

Sorry for my delayed response, but I think there are some things you
should check or refer to in order to get your phpQLAdmin working.

First of all, you don't need the control patch to get phpQLAdmin working
with ezmlm or qmail-ldap in general; however, phpQLAdmin is capable of
managing qmail-ldap/control for you, even with some automation when
creating new virtual domains. (Nowadays Turbo Fredriksson (maintainer of
phpQLAdmin) even integrates bind and apache for virtual domain
administration, like virtualmin/webmin.) So no worries there for you. In
case you are going to use the control patch, leave and update a copy of your
rcpthosts files in the control dir of qmail to prevent your MTA from becoming an
open relay in case the connection to the LDAP server fails.

Well, now some checks to make sure phpQLAdmin is capable of interacting with
your LDAP server.

- Does your layout compare to the suggested ones in the README file? (I
think you are using the domain layout.)
- You need to load the following schemas in your LDAP server (slapd.conf).
(Copy them from the phpQLAdmin schemas dir to the LDAP server's schemas dir.)

        - core.schema
        - cosine.schema
        - inetorgperson.schema
        - nis.schema
        - qmail.schema
        - (qmailControl.schema) ## if you use control patch
        - turbo.schema
        - rfc2377.schema
        - phpQLAdmin.schema

        As you can read in the README there are some schema issues (take care of
this if you don't use the control patch):

        Schema issues
        ~~~~~~~~~~~~~
        There are a couple of problems with the phpQLAdminBranch objectclass.
        One is the 'defaultDomain' attribute. It exists in both the
        qmailControl.schema distributed with the QmailLDAP/Controls patch and
        in the phpQLAdmin.schema distributed with phpQLAdmin. If you don't use
        the QmailLDAP/Controls patch, you will have to uncomment the attribute
        from the phpQLAdmin.schema before you restart your LDAP server. The
        attribute is defined on lines 299 to 303 in the phpQLAdmin.schema, so
        remove the leading dashes (#) on those lines.

- Now, for debugging, I think it is best to disable all ACL/ACI. You can
enable these once you have phpQLAdmin working.

- From the README file:

        The next step in the modification of the existing database for use
        with phpQLAdmin is the inclusion of the 'userReference' and
        'administrator' attributes in the base object ('dc=com' or 'c=SE' in
        the above examples). If you're using ACI's, you must make the
        'userReference' attribute publicly readable... The 'administrator'
        attribute should contain the full DN of your object. Once the
        first/initial administrator (you!) is entered, you can add more via
        the GUI.

        In your case, dc=domainku,dc=com, you should add these attributes to dc=com
and not to dc=domainku,dc=com!!!! (This requires a new ldif to create the
dc=com object and its attributes.) Now you have an administrator for your
top branch, and when logging in with this administrator's DN you will have
access to advanced mode and further configuration.

        As you can read in the README file, cn=Manager... is of no use for logging
into phpQLAdmin since no password is stored in the actual LDAP directory.

Well, I hope this makes some things clearer, and if you need an example,
check out the demo directory in your phpQLAdmin installation. Try to get
these working first before integrating LDAP server monitoring or
LDAP control. Since you can log in with a normal qmail user account, the first
check is OK for you. If you have more questions, feel free to fire them at
me.

Regards,

Bjorn
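
Added example, not part of this thread and not code from phpQLAdmin, qmail-ldap or OpenLDAP: a small Python model of how slapd evaluates the three "access to" stanzas posted above, so you can see which attributes on which entries a given bind DN may write before touching the live server. It assumes the simplified slapd.access(5) rules (the first "access to" stanza whose <what> matches decides; inside it the first matching "by" clause wins; a matching stanza with no matching "by" denies; dn="..." with no style matches that exact DN only; dnattr=<attr> is checked against the target entry's own attribute values), a constructed sample directory in which the base object already carries phpQLAdminBranch and administrator and there is one hypothetical mailbox user uid=alice, and only the <what>/<who> forms that appear in the posted config.

```python
import re

# slapd access levels, lowest to highest (slapd.access(5)); a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three "access to" stanzas from the slapd.conf quoted in the mail above.
ACL_TEXT = """
access to attr=userPassword,sambaLMPassword,sambaNTPassword,mobile,mailQuotaSize
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by self write
        by anonymous auth
        by * none

access to dn="dc=domainku,dc=com"
        by dnattr=administrator write
        by dn="uid=sato,ou=Users,dc=domainku,dc=com" write
        by * read

access to *
        by * read
"""

SATO = "uid=sato,ou=Users,dc=domainku,dc=com"
ALICE = "uid=alice,ou=Users,dc=domainku,dc=com"  # constructed ordinary mailbox user, not from the thread

# Constructed sample directory (not from the thread): the base object after the
# phpQLAdminBranch/administrator LDIF is applied, plus one user. Attribute names lowercased.
DIRECTORY = {
    "dc=domainku,dc=com": {"objectclass": ["phpQLAdminBranch"], "administrator": [SATO]},
    ALICE: {"objectclass": ["qmailUser"], "mailquotasize": ["10485760"]},
}


def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison key; enough for this toy."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text):
    """Split 'access to <what> by <who> <level> ...' stanzas into (what, [(who, level), ...])."""
    acls = []
    for stanza in re.split(r"(?m)^\s*access\s+to\s+", text):
        if stanza.strip():
            what, *clauses = re.split(r"\s+by\s+", stanza.strip())
            acls.append((what, [tuple(c.strip().rsplit(None, 1)) for c in clauses]))
    return acls


def what_matches(what, target_dn, attr):
    """'*', 'attr(s)=a,b,c' (named attributes of any entry) or dn="..." (no style: exact DN only)."""
    if what == "*":
        return True
    m = re.fullmatch(r"attrs?=(.+)", what)
    if m:
        return attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]
    m = re.fullmatch(r'dn="([^"]+)"', what)
    if m:
        return norm_dn(m.group(1)) == norm_dn(target_dn)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn, entry):
    """'*', anonymous, self, dn="..." or dnattr=<attr>; dnattr is checked on the *target* entry."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:  # every remaining form needs an authenticated bind
        return False
    if who == "self":
        return norm_dn(bind_dn) == norm_dn(target_dn)
    m = re.fullmatch(r'dn="([^"]+)"', who)
    if m:
        return norm_dn(bind_dn) == norm_dn(m.group(1))
    m = re.fullmatch(r"dnattr=(\w+)", who)
    if m:
        return norm_dn(bind_dn) in [norm_dn(v) for v in entry.get(m.group(1).lower(), [])]
    raise ValueError("unsupported <who>: " + who)


def access_level(acls, bind_dn, target_dn, attr):
    """First stanza whose <what> matches decides; within it the first matching <by> wins,
    and a matching stanza with no matching <by> denies (implicit 'by * none')."""
    entry = DIRECTORY.get(target_dn, {})
    for what, clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn, entry):
                    return level
            return "none"
    return "none"


def can_write(bind_dn, target_dn, attr):
    """True if the posted ACL grants at least 'write' on attr of target_dn to bind_dn."""
    level = access_level(parse_acl(ACL_TEXT), bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index("write")


if __name__ == "__main__":
    for bind, target, attr in [(SATO, "dc=domainku,dc=com", "administrator"), (SATO, ALICE, "mailQuotaSize"),
                               (SATO, ALICE, "mail"), (ALICE, ALICE, "mailQuotaSize"), (None, ALICE, "userPassword")]:
        print(bind or "anonymous", attr, target, access_level(parse_acl(ACL_TEXT), bind, target, attr))
```

Running it shows that uid=sato gets write on mailQuotaSize of any entry through the explicit dn= clause, not through dnattr=administrator, which only matches on entries that themselves carry an administrator attribute (here, the base object alone). On attributes of user entries that the first stanza does not list (mail, for instance) sato only gets read, because the dn="dc=domainku,dc=com" stanza covers that single entry and everything else falls through to "access to * by * read". The model also shows that "by self write" in the first stanza lets every user rewrite their own mailQuotaSize and mobile, which is probably not what you want for a quota attribute. To ask the real server instead of the model, slapacl(8) evaluates the loaded configuration for a given bind DN, target and attribute/level, for example (adjust the config path): slapacl -f /etc/openldap/slapd.conf -D "uid=sato,ou=Users,dc=domainku,dc=com" -b "uid=alice,ou=Users,dc=domainku,dc=com" mailQuotaSize/write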
