Timothy Murphy wrote: > I should have said that I'm hoping to maintain my address book > with phpLDAPadmin, which as far as I can see more or less forces one > to choose a standard schema. > > I guess the solution in my case is to get edit the LDIF > created by kaddressbook, and then keep the address book on my LDAP server. Sorry to reply to my own message, but I'm finding the use of openldap with kmail is still baffling me. I've set up an LDAP Address Book, and access it using phpLDAPadmin. I really like this setup, which meets all my requirements, and is very easy to use - adding new entries or editing old entries over the web is as simple as one could wish for. My only remaining problem is that I have not been able to access this address book through kmail/kaddressbook. When I go to KAddressBook=>Settings=>Configure KAddressBook and click on LDAP Lookup=>Add Host, I give my DN as "dc=www,dc=xyz,dc=com". If I choose Security: No and Authentication: Anonymous and click on Query Server, it appears to be accepted. A small window flashes up and disappears in a fraction of a second. The only thing I can read on it is "0%" (I think). If I change to Security: TLS then I get the error "LDAP server returned the error: Not Supported". If I change to Security: SSL I get a similar but different error. If I return to Security: No and choose Authentication: Simple I am asked for User and Password. I'm not sure what User is meant but as far as I can see whatever I give is accepted. (I try "Manager" which is the openldap "user" I specified when setting up the LDAP directory, with or without the password I gave then, and I also give my own username on the server, with and without the password; in all cases the entry seems to be accepted.) But if I now check the host I have given, and click on Apply and OK, I find nothing in the Address Book Browser - KaddressBook window which comes up. If I go to Tools=>Search for Addresses in Directory - KAddressBook and enter anything in the Search box, eg for Name, I get the error "LDAP server returned the error: Invalid DN syntax Additional info: invalid DN The LDAP URL was: ldap://www.xyz.com:389". I've written out my experience above at some length largely for my own records, but if anyone has successfully accessed an address book on their openldap directory, I should be very grateful to learn their method. I might say that I am still awaiting the Gerald Carter book, but I guess in any case that this is a KMail issue rather than anything to do with LDAP. Any advice or suggestions gratefully received. (I'd be happy to give my true hostname if anyone is willing to try my LDAP server with their kmail.)

On Tue, 2008-04-29 at 20:45 -0700, Craig White wrote: > > If there had been a single example given in this case > > it would have been obvious what the program was looking for. > > One example is worth a thousand words. > ---- > the issue with kaddressbook is the same issue with all ldap > clients...once you understand how ldap works, setting up a client like > kaddressbook is no big deal. Basically, everything is a client to LDAP > whether it's postfix/sendmail/cyrus/kaddressbook/evolution/etc. There > really is no functional difference because they all use LDAP protocol > to > access and get what they need. > > What you are calling a lack of documentation suggests that you expect > all the various LDAP client programs to tell you how LDAP works. It's not unreasonable to ask for an example. The average user has zero interest in finding out how LDAP works, and a lot of interest in getting his contacts working.

On Wed, 2008-04-30 at 15:27 -0430, Patrick O'Callaghan wrote: > On Wed, 2008-04-30 at 12:39 -0700, Craig White wrote: > > On Wed, 2008-04-30 at 14:53 -0430, Patrick O'Callaghan wrote: > > > On Tue, 2008-04-29 at 22:19 -0700, Craig White wrote: > > > > On Tue, 2008-04-29 at 23:49 -0430, Patrick O'Callaghan wrote: > > > > > On Tue, 2008-04-29 at 20:45 -0700, Craig White wrote: > > > > > > > If there had been a single example given in this case > > > > > > > it would have been obvious what the program was looking for. > > > > > > > One example is worth a thousand words. > > > > > > ---- > > > > > > the issue with kaddressbook is the same issue with all ldap > > > > > > clients...once you understand how ldap works, setting up a client like > > > > > > kaddressbook is no big deal. Basically, everything is a client to LDAP > > > > > > whether it's postfix/sendmail/cyrus/kaddressbook/evolution/etc. There > > > > > > really is no functional difference because they all use LDAP protocol > > > > > > to > > > > > > access and get what they need. > > > > > > > > > > > > What you are calling a lack of documentation suggests that you expect > > > > > > all the various LDAP client programs to tell you how LDAP works. > > > > > > > > > > It's not unreasonable to ask for an example. The average user has zero > > > > > interest in finding out how LDAP works, and a lot of interest in getting > > > > > his contacts working. > > > > ---- > > > > Yes - it actually is unreasonable since there is no standard way of > > > > setting up LDAP address books. > > > > > > > > Since we seem to keep having this discussion...let me restate so we are > > > > clear. > > > > > > > > There simply is no standard for LDAP address books. > > > > > > > > There simply is no standard way to set anything up in LDAP...it's an > > > > erector set. > > > > > > I understand that perfectly well. However the question was not "how do I > > > set up a general-purpose address book" but "how do I set up an > > > address-book that Kmail will accept" and my suggestion of an example was > > > also specific to Kmail. Clearly the OP solved the problem by setting up > > > his address book in a certain way. Why can't what way be documented as > > > an example in the Kmail documentation (*not* the LDAP documentation)? > > ---- > > What is the difference between a 'general-purpose address book' and a > > 'specific-purpose Kmail address book' that uses an LDAP backend? > > > > I would submit that there is no difference but that they are one and the > > same. > > The OP's system didn't work with one configuration, and now does work > with a different configuration (apparently the trick is to have a field > "DN: Address Book" as part of the record). What is the problem with > simply stating this in the Kmail docs? Maybe the field has to be there > for every other address-book application out there, maybe not, but the > fact that it's a general recommendation doesn't take away from it also > being a specific recommendation. ---- No - you misunderstood him

It is not possible to have a 'DN: Address Book' All you need is suitable 'ou' with ACL permissions to access that 'ou' and if that 'ou' were called 'People_I_Want_to_SPAM', Kaddressbook would be happy with that too. Of course, that gets into the nuts and bolts of LDAP. Having an 'ou' called 'Address Book' or 'AddressBook' has no meaning to Kaddressbook unless Kaddressbook is configured to use the DN like... ou=AddressBook,dc=xyz,dc=com but if that DN doesn't exist in your LDAP DSA, it simply wouldn't work.

On Wed, 2008-05-07 at 12:40 +0800, Ed Greshko wrote: > Ric Moore wrote: > > On Sun, 2008-05-04 at 20:13 -0700, Craig White wrote: > >> If you want to keep spinning your wheels and playing Alexander > >> Portnoy, be my guest. > > > > Who's he?? Ric > > > > Try using google. I thought I'd jerk Craig around a bit, much more fun! :) Ric

On Wed, 2008-05-07 at 00:34 -0400, Ric Moore wrote: > On Sun, 2008-05-04 at 20:13 -0700, Craig White wrote: > > If you want to keep spinning your wheels and playing Alexander > > Portnoy, be my guest. > > Who's he?? Ric ---- online Cliff Notes... http://en.wikipedia.org/wiki/Portnoy%27s_Complaint

On Sun, 2008-05-04 at 20:13 -0700, Craig White wrote: > If you want to keep spinning your wheels and playing Alexander > Portnoy, be my guest. Who's he?? Ric

On Sun, 2008-05-04 at 20:13 -0700, Craig White wrote: > If you want to keep spinning your wheels and playing Alexander > Portnoy, be my guest. Who's he?? Ric

Craig White wrote: > No - you misunderstood him > > It is not possible to have a 'DN: Address Book' No, it is you who misunderstand. I was _asked_ for the DN, and the only response that worked was "Address Book". Bizarrely, I just checked, and now any response works - presumably the DN (or RDN) has been stored somewhere. > All you need is suitable 'ou' with ACL permissions to access that 'ou' > and if that 'ou' were called 'People_I_Want_to_SPAM', Kaddressbook would > be happy with that too. Of course, that gets into the nuts and bolts of > LDAP. Having an 'ou' called 'Address Book' or 'AddressBook' has no > meaning to Kaddressbook unless Kaddressbook is configured to use the DN > like... > ou=AddressBook,dc=xyz,dc=com KAddressBook had already asked for my host. The only sense I can make of it is that KAddressBook constructed the DN from this, together with "Address Book", which I gave in response to "DN". Incidentally, the reason I did this was that I was following the yolinux tutorial at <http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html>;. You are invited to access their LDAP server, and I found that I could indeed see their address book in my KAddressBook when I gave Host: ldap.yo-linux.com , DN: o=stooges . This was following their general instructions, which read (in part): * Name: YoLinux Demo * Hostname: ldap.yo-linux.com * Base DN: o=stooges

Timothy Murphy wrote: > When I go to KAddressBook=>Settings=>Configure KAddressBook > and click on LDAP Lookup=>Add Host, > I give my DN as "dc=www,dc=xyz,dc=com". I found in the end that what was wanted here was the first part of the DN, in my case "DN: Address Book". After giving that, I was able to access my LDAP address book from KMail. I do feel that the KAddressBook and KMail documentation - in particular the Handbooks - are badly written. If there had been a single example given in this case it would have been obvious what the program was looking for. One example is worth a thousand words. This is all with Security: No . To complete my homework, I'm trying to make sense of openldap + TLS. But in the meantime I can live without that. Hopefully Gerald Carter when he arrives will throw some light on this. But thanks to all for their help. I must write out what I have learned, although I found "setting up an LDAP-server for use with kaddressbook" at <http://www.hoernerfranzracing.de/kde/ldap.html> very useful.

Craig White wrote: > The whole point is that an LDAP client is an LDAP client and it makes no > difference whether you use Kaddressbook, evolution or the ldapsearch > command line interface to access your LDAP server. My main complaint about KAddressBook + LDAP is that the LDIF file created by KAddressBook from an existing address book is completely unusable as is. Most of the attributes it uses are not defined in the objectClass (organizationalPerson) it specifies, and I doubt if there is any LDAP server that will accept the DN values it produces. It really is unforgivably bad. For example, if you have an address with more than 1 line, the first line is given as the value of "homepostaladdress" while the second line is taken as "mozillahomepostaladdress2" and the third line as "mozillahomecountryname". As there is a complete lack of documentation on this point, it is natural to assume that KAddressBook requires an LDAP directory along the lines of the one it produces. In fact, as you suggest, it seems to accept any reasonable LDAP directory.

Craig White wrote: >> > When I go to KAddressBook=>Settings=>Configure KAddressBook >> > and click on LDAP Lookup=>Add Host, >> > I give my DN as "dc=www,dc=xyz,dc=com". >> >> I found in the end that what was wanted here >> was the first part of the DN, in my case "DN: Address Book". >> After giving that, I was able to access my LDAP address book >> from KMail. > What you are calling a lack of documentation suggests that you expect > all the various LDAP client programs to tell you how LDAP works. I don't think that's fair. What I am complaining about in this case (I have many complaints ...) is the LDAP Lookup page in KAddressBook/KMail . You are asked to give the DN, but what is actually wanted is the first part of the DN, not the DN proper. But it is quite possible that I misunderstand what is meant by DN. I assume that it means the unique identifier in each LDAP entry, in which case it is inaccurate to describe the first part of this ("Address Book" in my case) as the "DN".

> > When I go to KAddressBook=>Settings=>Configure KAddressBook > > and click on LDAP Lookup=>Add Host, > > I give my DN as "dc=www,dc=xyz,dc=com". > > I found in the end that what was wanted here > was the first part of the DN, in my case "DN: Address Book". > After giving that, I was able to access my LDAP address book > from KMail.

What you are calling a lack of documentation suggests that you expect all the various LDAP client programs to tell you how LDAP works.

> This is all with Security: No . > To complete my homework, I'm trying to make sense of openldap + TLS.

The way I do it is: 1 - set up my own CA 2 - generate and sign various client certs for applications 3 - assign the client certs to each various application (like slapd.conf)

> What I am complaining about in this case (I have many complaints ...) > is the LDAP Lookup page in KAddressBook/KMail . > You are asked to give the DN, > but what is actually wanted is the first part of the DN, not the DN > proper. But it is quite possible that I misunderstand what is meant by > DN. I assume that it means the unique identifier in each LDAP entry, > in which case it is inaccurate to describe the first part of this > ("Address Book" in my case) as the "DN". ---- no - you will find this fully explained at the start of the LDAP book. DN is the full, unique 'Distinguished Name' RDN is the portion you are thinking of (ie 'cn=craig') Kaddressbook apparently is accurate in their description but your knowledge is lacking.

On Wed, 2008-04-30 at 14:53 -0430, Patrick O'Callaghan wrote: > On Tue, 2008-04-29 at 22:19 -0700, Craig White wrote: > > On Tue, 2008-04-29 at 23:49 -0430, Patrick O'Callaghan wrote: > > > On Tue, 2008-04-29 at 20:45 -0700, Craig White wrote: > > > > > If there had been a single example given in this case > > > > > it would have been obvious what the program was looking for. > > > > > One example is worth a thousand words. > > > > ---- > > > > the issue with kaddressbook is the same issue with all ldap > > > > clients...once you understand how ldap works, setting up a client like > > > > kaddressbook is no big deal. Basically, everything is a client to LDAP > > > > whether it's postfix/sendmail/cyrus/kaddressbook/evolution/etc. There > > > > really is no functional difference because they all use LDAP protocol > > > > to > > > > access and get what they need. > > > > > > > > What you are calling a lack of documentation suggests that you expect > > > > all the various LDAP client programs to tell you how LDAP works. > > > > > > It's not unreasonable to ask for an example. The average user has zero > > > interest in finding out how LDAP works, and a lot of interest in getting > > > his contacts working. > > ---- > > Yes - it actually is unreasonable since there is no standard way of > > setting up LDAP address books. > > > > Since we seem to keep having this discussion...let me restate so we are > > clear. > > > > There simply is no standard for LDAP address books. > > > > There simply is no standard way to set anything up in LDAP...it's an > > erector set. > > I understand that perfectly well. However the question was not "how do I > set up a general-purpose address book" but "how do I set up an > address-book that Kmail will accept" and my suggestion of an example was > also specific to Kmail. Clearly the OP solved the problem by setting up > his address book in a certain way. Why can't what way be documented as > an example in the Kmail documentation (*not* the LDAP documentation)? ---- What is the difference between a 'general-purpose address book' and a 'specific-purpose Kmail address book' that uses an LDAP backend? I would submit that there is no difference but that they are one and the same.

On Tue, 2008-04-29 at 23:49 -0430, Patrick O'Callaghan wrote: > On Tue, 2008-04-29 at 20:45 -0700, Craig White wrote: > > > If there had been a single example given in this case > > > it would have been obvious what the program was looking for. > > > One example is worth a thousand words. > > ---- > > the issue with kaddressbook is the same issue with all ldap > > clients...once you understand how ldap works, setting up a client like > > kaddressbook is no big deal. Basically, everything is a client to LDAP > > whether it's postfix/sendmail/cyrus/kaddressbook/evolution/etc. There > > really is no functional difference because they all use LDAP protocol > > to > > access and get what they need. > > > > What you are calling a lack of documentation suggests that you expect > > all the various LDAP client programs to tell you how LDAP works. > > It's not unreasonable to ask for an example. The average user has zero > interest in finding out how LDAP works, and a lot of interest in getting > his contacts working. ---- Yes - it actually is unreasonable since there is no standard way of setting up LDAP address books. Since we seem to keep having this discussion...let me restate so we are clear. There simply is no standard for LDAP address books. There simply is no standard way to set anything up in LDAP...it's an erector set.

When I go to KAddressBook=>Settings=>Configure KAddressBook and click on LDAP Lookup=>Add Host, I give my DN as "dc=www,dc=xyz,dc=com".

On Fri, 2008-04-25 at 22:40 +0100, Timothy Murphy wrote: > Craig White wrote: > > >> >> I should have said that I'm hoping to maintain my address book > >> >> with phpLDAPadmin, which as far as I can see more or less forces one > >> >> to choose a standard schema. > > >> > I honestly don't know what a standard schema is...I know what schema's > >> > I tend to set up but in reality, it really doesn't matter as long as > >> > the schema you set up makes sense to you. > > As far as I could see - I haven't experimented with it much - > phpLDAPadmin creates half-a-dozen top-level entries, > and if you try to create an entry under any of them > you have to choose one of a number of offered schemas. > That is what I meant by a "standard" schema. ---- those are 'templates' ---- > I do find the language of LDAP unattractive. > Assuming the idea is to create a tree-like structure > (like the Unix file-system) > the way of expressing it seems strange. > But I'm getting the book by Gerald Carter you mention, > and maybe that will change my mind. ---- well, it might be unattractive but it's entirely versatile, which I suppose is part of it's unattractiveness. I think what most people struggle with is not the language but rather the extremely rigid rule sets. If LDAP wasn't thoroughly useful, it wouldn't be so widely used. It is part and parcel of Microsoft Active Directory as well as all sorts of UNIX/Linux setups. It can handle not only address books, but authentication, DNS, mail routing, various application preferences, binary blobs like pictures, etc. It's overkill for a shared address book until you try to find another shared address book solution.

Craig White wrote: >> >> I should have said that I'm hoping to maintain my address book >> >> with phpLDAPadmin, which as far as I can see more or less forces one >> >> to choose a standard schema. >> > I honestly don't know what a standard schema is...I know what schema's >> > I tend to set up but in reality, it really doesn't matter as long as >> > the schema you set up makes sense to you. As far as I could see - I haven't experimented with it much - phpLDAPadmin creates half-a-dozen top-level entries, and if you try to create an entry under any of them you have to choose one of a number of offered schemas. That is what I meant by a "standard" schema.

I do find the language of LDAP unattractive. Assuming the idea is to create a tree-like structure (like the Unix file-system) the way of expressing it seems strange. But I'm getting the book by Gerald Carter you mention, and maybe that will change my mind.

Craig White wrote: > On Thu, 2008-04-24 at 23:39 +0100, Timothy Murphy wrote: >> Craig White wrote: >> >>> To be honest though, I am quite sure that openldap.org has a simple >>> address book setup in their - yep... >>> >>> http://www.openldap.org/faq/data/cache/1005.html >> I had actually seen that, but didn't find it all that lucid. >> >> I should have said that I'm hoping to maintain my address book >> with phpLDAPadmin, which as far as I can see more or less forces one >> to choose a standard schema. >> >> I guess the solution in my case is to get edit the LDIF >> created by kaddressbook, and then keep the address book on my LDAP server. >> >>> but more importantly...buy the damn book and spend the $20...it will >>> learn ya good. >> I've added it to my amazon wish list. >> >> Thanks for all the help. > ---- > I honestly don't know what a standard schema is...I know what schema's I > tend to set up but in reality, it really doesn't matter as long as the > schema you set up makes sense to you. > > phpldapadmin is agnostic to setup...like any other ldap client, you > merely tell it what the basedn is and you take it from there. > > The problem is that people sit back and wait for some gui tool to set > things up for them but the gui tools don't make sense until you > understand ldap. > > The reason that I love the Gerald Carter book (LDAP System > Administration) is that he gives it to you in really basic > spoonfuls...three hours and you get it. Bing! Be forewarned though...the > book is old and uses ldbm database but that's essentially obsolete and > now the suggested way is to use bdb but ldbm is good enough to start. It's not that old (copyright 2003) and he mentions bdb and in fact states that bdb is preferred over ldbm (chapter 3, middle of page 34).

Craig White wrote: > To be honest though, I am quite sure that openldap.org has a simple > address book setup in their - yep... > > http://www.openldap.org/faq/data/cache/1005.html I had actually seen that, but didn't find it all that lucid. I should have said that I'm hoping to maintain my address book with phpLDAPadmin, which as far as I can see more or less forces one to choose a standard schema. I guess the solution in my case is to get edit the LDIF created by kaddressbook, and then keep the address book on my LDAP server. > but more importantly...buy the damn book and spend the $20...it will > learn ya good. I've added it to my amazon wish list. Thanks for all the help.

On Wed, 2008-04-23 at 14:35 -0700, Craig White wrote: > On Wed, 2008-04-23 at 22:09 +0100, Timothy Murphy wrote: > > Craig White wrote: > > > > >> Is anyone successfully using openldap to maintain an address book? > > > ---- > > > sure - lots of them > > > > I've seen many discussions of this, > > but never seen an actual example of an ldap address book > > working with KDE kontact/kaddressbook. > ---- > the client (in your Kaddressbook/Kontact) is probably the meaningless > part because OpenLDAP provides LDAPv3 services to any LDAPv3 client (v2 > is possible too but not allowed by default). > ---- > > > > >> As far as I can see, if you save kaddressbook data in LDIF format, > > >> the resulting file has to be extensively modified > > >> before it becomes acceptable to openldap. > > >> > > >> Eg the DN of a typical entry in the LDIF file reads > > >> dn: cn=Andrew Ryan,mail=aryan27(a)tcd.ie > > >> which openldap certainly will not like. > > > ---- > > > it's not openldap that *wouldn't like this* - it's that there is nothing > > > that says that an ldif file that program X creates in an 'export' > > > operation will match up to the restrictions imposed by your LDAP > > > setup...which is generally the case. > > > > I'm no expert in openldap, > > but I don't see why kaddressbook doesn't use the LDAP DN > > specified in the KAddressBook->LDAP Lookup > > when creating the LDIF. > > > > Or at least it could ask you what DNs you want to use. > ---- > I suppose that you could put in an RFE > ---- > > > > > all you need to do is to figure out a way to edit (sed/awk/perl/?) this > > > ldif in a way that matches your setup so that you can import these > > > things without a problem. > > > > > > for example... > > > while this isn't likely to work... > > > dn: cn=Andrew Ryan,mail=aryan27(a)tcd.ie > > > this could conceivably work... > > > dn: cn=Andrew > > > Ryan,mail=aryan27(a)tcd.ie,ou=AddressBook,dc=gayleard,dc=org > > > > That's more or less exactly what I do. > > But I don't think it should be necessary. > ---- > LDAP does...it's entirely rigid about this too. > ---- > > > > >> What puzzles me about this is that the issue must be one > > >> which occurs to many people. > > >> How is one meant to keep a "global" address book under Fedora? > > > > > Well, since Kmail is a 'write' capapble LDAP client, it is possible to > > > simply create an empty LDAP 'organizationalUnit' for an address book and > > > add entries directly via Kaddressbook. This of course insists that you > > > comport with specific rules such as entries that absolutely require an > > > 'sn' attribute (last name), etc. > > > > Is it possible to do that? > > Could you be a bit more specific please? > > I thought one needed to include the host > > (ou=People,dc=www,dc=xyz,dc=com in my case)? > ---- > OK, say you have slapd.conf > and in the database section, you have... > > database bdb > suffix "dc=www,dc=xyz,dc=com" > > and in your ACL's, you have something like > > access to dn.subtree="dc=www,dc=xyz,dc=com" > by * write > access to dn.subtree="ou=People,dc=www,dc=xyz,dc=com" > by * write > access to dn.subtree="ou=AddressBook,ou=People,dc=www,dc=xyz,dc=com" > by * write > > you're pretty much good to go. > > Now, import a simple little ldif that creates the AddressBook ou > > dn: ou=People,dc=www,dc=xyz,dc=com > objectClass: organizationalUnit > ou: People > > dn: ou=AddressBook,ou=People,dc=www,dc=xyz,dc=com > objectClass: organizationalUnit > ou: AddressBook > > import it and you're good to go > > Why do I get the feeling that you never bought the Gerald Carter book I > told you to buy? Thanks Craig! You just saved me twenty bucks! <cackles> Ric

> Is anyone successfully using openldap to maintain an address book? ---- sure - lots of them

> As far as I can see, if you save kaddressbook data in LDIF format, > the resulting file has to be extensively modified > before it becomes acceptable to openldap. > > Eg the DN of a typical entry in the LDIF file reads > dn: cn=Andrew Ryan,mail=aryan27(a)tcd.ie > which openldap certainly will not like. ---- it's not openldap that *wouldn't like this* - it's that there is nothing that says that an ldif file that program X creates in an 'export' operation will match up to the restrictions imposed by your LDAP setup...which is generally the case.

all you need to do is to figure out a way to edit (sed/awk/perl/?) this ldif in a way that matches your setup so that you can import these things without a problem. for example... while this isn't likely to work... dn: cn=Andrew Ryan,mail=aryan27(a)tcd.ie this could conceivably work... dn: cn=Andrew Ryan,mail=aryan27(a)tcd.ie,ou=AddressBook,dc=gayleard,dc=org

> What puzzles me about this is that the issue must be one > which occurs to many people. > How is one meant to keep a "global" address book under Fedora?

Well, since Kmail is a 'write' capapble LDAP client, it is possible to simply create an empty LDAP 'organizationalUnit' for an address book and add entries directly via Kaddressbook. This of course insists that you comport with specific rules such as entries that absolutely require an 'sn' attribute (last name), etc.