OpenLDAP and MemberOf in Zarafa

From Zarafa wiki


With Active Directory (ADS) the MemberOf operational attribute is available automatically. OpenLDAP is different: a default OpenLDAP installation does not provide the MemberOf operational attribute, so WebAccess and Outlook show nothing at all in the MemberOf tab of the addressbook:


The picture below shows an empty MemberOf list in the addressbook while this user is a member of "Group2":

Memberof missing.png



Configuring OpenLDAP

In OpenLDAP you get the MemberOf operational attribute by loading the module "memberof.la". Add the following to slapd.conf:

moduleload      memberof.la


The next step is to create the "memberof" overlay. Add the following to slapd.conf (after the moduleload line):

overlay memberof


Restart OpenLDAP after these changes.


The MemberOf operational attribute is now available, but the groups still have to be defined in a form the overlay understands: it does not work on "posixGroup" entries. For the overlay to work correctly, the groups must be created as "groupOfNames" entries within OpenLDAP.


Below is an ldif example of a "groupOfNames" entry:

dn: cn=Group2,ou=groups,dc=directory,dc=local
objectClass: zarafa-group
objectClass: top
objectClass: groupOfNames
member: cn=user1,ou=users,dc=directory,dc=local
member: cn=user2,ou=users,dc=directory,dc=local
cn: Group2
mail: group2@directory.local

NOTE: The "groupOfNames" objectclass does not allow the "posixGroup" attributes, so you cannot add the attribute "gidNumber" to the LDAP record.


Configuring Zarafa

LDAP Configfile

Because "gidNumber" cannot be used inside a "groupOfNames", the "ldap_group_unique_attribute" in the Zarafa LDAP config has to be changed. In this example we use the "cn" as the unique group identifier. Whatever you choose here, remember that this is a UNIQUE identifier: every group must have a different value.

ldap_group_unique_attribute = cn


NOTE: Changing the "ldap_group_unique_attribute" means that ALL groups will be deleted and recreated by Zarafa.
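Before restarting slapd and zarafa-server it is worth checking the group entries offline, because two of the points above fail silently: the overlay simply ignores "posixGroup" entries, and a non-unique "ldap_group_unique_attribute" value makes Zarafa confuse groups. The script below is an added example (not Zarafa's or OpenLDAP's own code) that parses an LDIF export of the groups, reports which entries the overlay will index (by its defaults, "groupOfNames" entries with "member" values), flags "groupOfNames" entries that still carry "gidNumber", checks that the chosen unique attribute really is unique, and lists the memberOf values each user DN should end up with. The LDIF is a constructed sample built around Group2 from this article; the other group entries are made up to exercise the checks.

```python
"""Offline pre-flight check for a memberOf overlay migration.

Added example, not Zarafa's or OpenLDAP's own code. The sample LDIF is
constructed: Group2 from the article, a posixGroup the overlay ignores,
a groupOfNames that wrongly keeps gidNumber, and an entry whose cn
collides with Group2 (a problem once ldap_group_unique_attribute = cn).
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Group2,ou=groups,dc=directory,dc=local
objectClass: zarafa-group
objectClass: top
objectClass: groupOfNames
member: cn=user1,ou=users,dc=directory,dc=local
member: cn=user2,ou=users,dc=directory,dc=local
cn: Group2
mail: group2@directory.local

dn: cn=Group3,ou=groups,dc=directory,dc=local
objectClass: top
objectClass: posixGroup
gidNumber: 5003
memberUid: user1
cn: Group3

dn: cn=Broken,ou=groups,dc=directory,dc=local
objectClass: top
objectClass: groupOfNames
gidNumber: 5004
member: cn=user2,ou=users,dc=directory,dc=local
cn: Broken

dn: cn=Group2,ou=oldgroups,dc=directory,dc=local
objectClass: top
objectClass: groupOfNames
member: cn=user3,ou=users,dc=directory,dc=local
cn: Group2
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of {attr: [values]} dicts.
    Attribute names are lower-cased (LDAP compares them case-insensitively)
    and folded lines are joined; base64 ('::') values are not needed here."""
    entries, current, unfolded = [], None, []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # continuation of previous line
        else:
            unfolded.append(line)
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn":                    # every entry starts with its dn
            if current is not None:
                entries.append(current)
            current = defaultdict(list)
        current[attr].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def object_classes(entry):
    return {oc.lower() for oc in entry.get("objectclass", [])}


def check_groups(entries, unique_attr="cn"):
    """Classify groups the way the overlay will. Returns
    (indexed groupOfNames DNs, skipped posixGroup DNs,
     groupOfNames DNs carrying gidNumber, {unique value: [DNs]} clashes)."""
    indexed, skipped, errors, seen = [], [], [], defaultdict(list)
    for e in entries:
        dn, ocs = e["dn"][0], object_classes(e)
        if "groupofnames" in ocs:
            indexed.append(dn)
            if "gidnumber" in e:
                errors.append(dn)           # gidNumber is not allowed here
            for value in e.get(unique_attr.lower(), []):
                seen[value].append(dn)
        elif "posixgroup" in ocs:
            skipped.append(dn)              # overlay default: only groupOfNames
    clashes = {v: dns for v, dns in seen.items() if len(dns) > 1}
    return indexed, skipped, errors, clashes


def expected_memberof(entries):
    """memberOf values the overlay maintains: one group DN per groupOfNames
    whose 'member' attribute lists the user's DN."""
    result = defaultdict(list)
    for e in entries:
        if "groupofnames" in object_classes(e):
            for member_dn in e.get("member", []):
                result[member_dn].append(e["dn"][0])
    return dict(result)


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    indexed, skipped, errors, clashes = check_groups(groups, "cn")
    print("indexed by overlay:", indexed)
    print("ignored (posixGroup):", skipped)
    print("gidNumber on groupOfNames:", errors)
    print("ldap_group_unique_attribute clashes:", clashes)
    for user, member_of in sorted(expected_memberof(groups).items()):
        print(user, "-> memberOf", member_of)
```

Two caveats when comparing the script's output with the live directory: the overlay only maintains memberOf for group entries added or modified after it was loaded, so groups that already existed must be re-added (or the members re-set) before the values appear; and memberOf is an operational attribute, so ldapsearch only returns it when asked for explicitly, for example with "memberOf" as the requested attribute (or "+" for all operational attributes) on the user's DN.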


Also check the membership relations in the Zarafa LDAP config. In our example we changed them to the following:

ldap_groupmembers_attribute = member
ldap_groupmembers_attribute_type = dn


Check in the Zarafa LDAP config that the "propmap" config file is being loaded:

!propmap /etc/zarafa/ldap.propmap.cfg


Propmap Configfile

In the propmap config file, check that the memberOf mapping is uncommented:

0x80081102 = memberOf


MTA

If you have configured your MTA to resolve group email addresses via LDAP, also check your MTA's LDAP configuration, since the group entries now use "groupOfNames" instead of "posixGroup".


Check WebAccess

After these changes, restart zarafa-server, log in to WebAccess and open the properties of the user from the addressbook. The MemberOf tab now shows the correct information:

Memberof showing.png
