Hello list:
Below a summarised and expanded view on the remaining 7 LDAP issues. Please discard the earlier messages in the other thread, this is the current status:
- User-specific base_dn, bind_dn and password exist, and know to work
with other clients (iOS and jxplorer). Despite the name "Public", the bind_dn user has write access. Relevant main.inc.php and slapd.conf extracts are included at the end of this message. If useful, I can also provide access to the underlying OpenLDAP developmentserver.
- If cn and the concatenation givenName+sn are the same, the cn value
does not show up in the UI mask in the "name" field. As a result, when you edit that contact, the field cn is not populated by default in the UI and has to be manually added: Forgetting to do so will result in an error, as cn is mandatory. It appears that the program logic to hide cn based on existing attributes should be reviewed.
Independent of this, I believe that the thread "How are you using cn vs displayName?" [0] could be useful to determine the right approach for mapping givenName, sn, cn and displayName.
- Probably closely related to point 2): changing the content of the
field 'name' => 'cn' fails, i.e. the newly entered information is not stored.
Warning: ldap_mod_replace(): Modify: Naming violation in roundcubemail-0.7.2/program/include/rcube_ldap.php on line 1105
Changing cn using jxplorer 3.2.2 works as expected. How to reproduce:
- Change cn for a contact in jxplorer to "John Doe CN"
- Search for John Doe CN contact in RC
- "John Doe CN" shows up in the "name" field (in accordance with the
fieldmap below): 4) Editing the contact (any field, except cn itself) works perfectly. 5) Search again for same contact. 6) Change cn/name field to "John Doe CNUPDATED" 7) Saving will fail with a "Naming violation" error. From logs/ldap (level 8, which seems to give the same output as level 4 BTW):
[10-Apr-2012 01:51:21 +0200]: C: Replace [dn: cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld]: Array ( [cn] => John Doe CNUPDATED [sn] => Doe [givenname] => John )
[10-Apr-2012 01:51:21 +0200]: S: Naming violation
From slapd with loglevel 23:
Apr 10 01:51:21 mail slapd[20444]: conn=1263 op=2 do_modify Apr 10 01:51:21 mail slapd[20444]: conn=1263 op=2 do_modify: dn (cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld) Apr 10 01:51:21 mail slapd[20444]: >>> dnPrettyNormal: <cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld> Apr 10 01:51:21 mail slapd[20444]: <<< dnPrettyNormal: <cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld>, <cn=john doe cn,ou=public,ou=rcabook,dc=domain,dc=tld> Apr 10 01:51:21 mail slapd[20444]: conn=1263 op=2 modifications: Apr 10 01:51:21 mail slapd[20444]: #011replace: cn Apr 10 01:51:21 mail slapd[20444]: #011#011one value, length 18 Apr 10 01:51:21 mail slapd[20444]: #011replace: sn Apr 10 01:51:21 mail slapd[20444]: #011#011one value, length 16 Apr 10 01:51:21 mail slapd[20444]: #011replace: givenname Apr 10 01:51:21 mail slapd[20444]: #011#011one value, length 5 Apr 10 01:51:21 mail slapd[20444]: bdb_dn2entry("cn=john doe cn,ou=public,ou=rcabook,dc=domain,dc=tld") Apr 10 01:51:21 mail slapd[20444]: hdb_modify: cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld Apr 10 01:51:21 mail slapd[20444]: bdb_dn2entry("cn=john doe cn,ou=public,ou=rcabook,dc=domain,dc=tld") Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: 0x000004a7: cn=John Doe CN,ou=public,ou=rcabook,dc=domain,dc=tld Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace cn Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace sn Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace givenName Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace entryCSN Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace modifiersName Apr 10 01:51:21 mail slapd[20444]: bdb_modify_internal: replace modifyTimestamp Apr 10 01:51:21 mail slapd[20444]: entry failed schema check: value of naming attribute 'cn' is not present in entry Apr 10 01:51:21 mail slapd[20444]: hdb_modify: modify failed (64) Apr 10 01:51:21 mail slapd[20444]: send_ldap_result: conn=1263 op=2 p=3 Apr 10 01:51:21 mail slapd[20444]: send_ldap_result: err=64 matched="" text="value of naming attribute 'cn' is not present in entry" Apr 10 01:51:21 mail slapd[20444]: send_ldap_response: msgid=3 tag=103 err=64
It appears that somehow cn is not set in the update request that is sent to the LDAP server: "Value of naming attribute 'cn' is not present in entry". Also: why are we replacing sn and givenName if only cn has changed?
- Adding groups under the LDAP directory fails:
[07-Apr-2012 22:40:47 +0200]: C: Connect [calendarserver:389] [Private] [07-Apr-2012 22:40:47 +0200]: S: OK [07-Apr-2012 22:40:47 +0200]: C: Bind [dn: cn=user@hostname.net,ou=private,ou=rcabook,dc=hostname,dc=tld] [pass: XXXXXXXXXXXXX] [07-Apr-2012 22:40:47 +0200]: S: OK [07-Apr-2012 22:40:47 +0200]: C: Add [dn: cn=Testgroup,cn=user@hostname.net,ou=private,ou=rcabook,dc=hostname,dc=tld]: Array ( [objectClass] => Array ( [0] => top [1] => groupOfNames )
[cn] => Testgroup
[] =>
)
[07-Apr-2012 22:40:47 +0200]: S: Undefined attribute type [07-Apr-2012 22:40:47 +0200]: C: Close
RESULT: Does NOT work, and we get a red error message "An error occured while saving." on top of the web page. Could this be because by default we are using the wrong object classes to create a subgroup?
- Problems with editing and deleting facsimileTelephoneNumber and
jpegPhoto fields
It turns out that 'phone:fax' => 'facsimileTelephoneNumber' works for adding and editing a fax number, but you will not be able to remove or clear an existing one, at least not with the current code:
Warning: ldap_mod_del(): Modify: Inappropriate matching in program/include/rcube_ldap.php on line 1082
This is actually the same issue as with the profile pictures, as you can see comparing
Apr 8 03:36:28 mail slapd[25146]: bdb_modify_internal: 18 modify/delete: jpegPhoto: no equality matching rule Apr 8 03:36:28 mail slapd[25146]: send_ldap_result: err=18 matched="" text="modify/delete: jpegPhoto: no equality matching rule"
and these entries:
Apr 8 04:07:02 mail slapd[25146]: bdb_modify_internal: 18 modify/delete: facsimileTelephoneNumber: no equality matching rule Apr 8 04:07:02 mail slapd[25146]: send_ldap_result: err=18 matched="" text="modify/delete: facsimileTelephoneNumber: no equality matching rule"
Perhaps we could add two special cases for replacing/removing facsimileTelephoneNumber and jpegPhoto? I managed to find some information on this issue [1, 2, 3] that might help solve it.
- rcmimportreplace ('Replace the entire address book' when importing a
VCF file) does not work for LDAP. The newly imported card is simply added to the existing cards, rather than replacing them all.
- manager, assistant and department fields do not work: manager and
assistant don't show up and cannot be added via "Add field..." at all, while department can be added, but upon saving the new entry the field gets emptied immediately (it appears before submission of the form).
Thank you very much for managing to get to the end of this message ;-)
Achim
[0] http://osdir.com/ml/ldap.umich/2006-01/msg00049.html [1] http://www.openldap.org/lists/openldap-technical/200907/msg00083.html [2] http://www.openldap.org/lists/openldap-software/200812/msg00040.html [3] http://www.openldap.org/lists/openldap-bugs/200304/msg00008.html
************** configuration files ************** (If useful, I can also provide access to the underlying OpenLDAP developmentserver!)
$rcmail_config['ldap_public'] = array ();
$rcmail_config['ldap_public']['public'] = array( 'name' => 'Public', 'hosts' => array('calendar.domain.tld'), 'port' => 389, 'ldap_version' => 3, // using LDAPv3 # BUGBUG this is important, otherwise the bind_pass is not populated! 'user_specific' => true, 'base_dn' => 'ou=public,ou=rcabook,dc=domain,dc=tld', 'bind_dn' => 'cn=%fu,ou=private,ou=rcabook,dc=domain,dc=tld', 'bind_pass' => '', // the user login password is used 'filter' => '(objectClass=inetOrgPerson)', 'writable' => true, 'LDAP_Object_Classes' => array('top', 'inetOrgPerson'), 'LDAP_rdn' => 'mail', 'required_fields' => array('cn', 'sn', 'mail', 'givenName'), // mapping of contact fields to directory attributes 'fieldmap' => array( // Roundcube => LDAPA 'prefix' => 'title', 'name' => 'cn', 'surname' => 'sn', 'firstname' => 'givenName', 'email:work' => 'mail', 'phone:home' => 'homePhone', 'phone:work' => 'telephoneNumber', 'phone:mobile' => 'mobile', 'phone:fax' => 'facsimileTelephoneNumber', 'photo' => 'jpegPhoto', 'website' => 'labeledURI', 'street' => 'street', 'zipcode' => 'postalCode', 'locality' => 'l', 'region' => 'st', // does not exist in inetOrgPerson // 'country' => 'c', 'organization' => 'o', // Notes tab 'notes' => 'description', // Personal information tab 'manager' => 'manager', 'assistant' => 'secretary', 'department' => 'departmentNumber', ), 'search_fields' => array('mail', 'cn', 'sn', 'givenName'), // fields to search in 'sort' => 'cn', // The field to sort the listing by. 'scope' => 'sub', // search mode: sub|base|list 'fuzzy_search' => true, // server allows wildcard search 'vlv' => false, // Enable Virtual List View to more efficiently fetch paginated data (if server supports it) 'numsub_filter' => '(objectClass=organizationalUnit)', // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting 'sizelimit' => '0', // Enables you to limit the count of entries fetched. Setting this to 0 means no limit. 'timelimit' => '0', // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit. 'groups' => array( 'base_dn' => '', // in this Howto, the same base_dn as for the contacts is used 'filter' => '(objectClass=groupOfNames)', 'object_classes' => array("top", "groupOfNames"), ), );
$rcmail_config['autocomplete_addressbooks'] = array('sql','public');
$rcmail_config['address_template'] = '{street}<br/>{locality} {zipcode}<br/>{region}';
From sladp.conf:
# Grant the admin and rcuser access to the whole addressbook # Also grant it to every other LDAP user
access to dn.subtree="ou=rcabook,dc=domain,dc=tld" by dn="cn=admin,dc=domain,dc=tld" write by dn="cn=rcuser,ou=rcabook,dc=domain,dc=tld" write by users write