LDAP

From Tine 2.0 - Wiki


Tine uses the Zend Framework LDAP adapter, so the Zend LDAP documentation (the adapter documentation and the LDAP API reference) is a good place to look.

Tine 2.0 distinguishes between authentication only and account storage (which can be read only). If you choose to store your accounts in LDAP, values are synced between LDAP and the SQL database on login. By default each user's or group's entryUUID (LDAP) corresponds to the account_id/id in the SQL database (to migrate an existing installation to LDAP storage you have to change Tine 2.0's ids manually to the entryUUID values).

LDAP Settings

This works for OpenLDAP. For authenticating against an ADS, check the documentation mentioned above.

The "Initial Admin User" you have to specify during setup will be the Tine administrator; you cannot use your LDAP admin for this. Unless you already have such an extra admin account, you have to create it.

Recommended objectClasses for users: posixAccount (plus shadowAccount if users are allowed to change their passwords, which needs the "shadowLastChange" attribute). You also need a structural objectClass: inetOrgPerson. Use "uid" as the RDN, because Tine saves all accounts with this RDN (and it looks nicer).

To use LDAP as account storage, you need to create your groups too, with objectClass posixGroup.

The minimal LDAP prerequisites look like this:

  • ou=user,dc=abc,dc=de
    • uid=admin (posixAccount,shadowAccount,InetOrgPerson)
  • ou=groups,dc=abc,dc=de
    • cn=administrators (posixGroup)
      • memberuid=admin
    • cn=users (posixGroup)

Take care that the gidNumber, uidNumber and group names you specify in LDAP match those in your Tine setup!
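The minimal tree above, written out as LDIF that can be loaded with ldapadd. This is an added example, not from the Tine 2.0 wiki: the suffix dc=abc,dc=de comes from the tree above, while the uidNumber/gidNumber values, cn/sn, homeDirectory and the password placeholder are constructed and must match what you enter in the Tine setup.

```ldif
# Added example (not from the Tine 2.0 wiki): minimal tree for Tine 2.0
# account storage. uidNumber, gidNumber, cn/sn and homeDirectory are
# constructed values; enter the same uidNumber/gidNumber and group names
# in the Tine setup.

dn: ou=user,dc=abc,dc=de
objectClass: organizationalUnit
ou: user

dn: ou=groups,dc=abc,dc=de
objectClass: organizationalUnit
ou: groups

# Tine's initial admin (separate from the LDAP admin): uid as RDN,
# structural inetOrgPerson plus posixAccount; shadowAccount so Tine can
# maintain shadowLastChange when users change their passwords.
# Store only a hashed password, e.g. the output of: slappasswd -h '{SSHA}'
dn: uid=admin,ou=user,dc=abc,dc=de
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: admin
cn: Tine Admin
sn: Admin
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/admin
loginShell: /bin/false
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# gidNumber 10000 here must equal the admin's gidNumber above and the
# value configured in the Tine setup; memberUid links the admin user.
dn: cn=administrators,ou=groups,dc=abc,dc=de
objectClass: posixGroup
cn: administrators
gidNumber: 10000
memberUid: admin

dn: cn=users,ou=groups,dc=abc,dc=de
objectClass: posixGroup
cn: users
gidNumber: 10001
```

Load it with `ldapadd -x -D cn=admin,dc=abc,dc=de -W -f tine-minimal.ldif` (bind DN and file name are assumptions), then verify with `ldapsearch` that the entries carry the uidNumber/gidNumber values you will enter in the Tine setup.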

Here's an example of a working configuration:

[Screenshot Ldap.jpg: example of a working LDAP configuration in the Tine 2.0 setup]

As UUID attribute for accounts/groups, stay with the standard "entryUUID".