author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-05-11 13:44:09 (GMT)
committer: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> 2012-05-11 13:44:09 (GMT)
commit: 4dd33f2b33572a6c2a10fdde91250030af76d327 (patch)
tree: 76df4e6a87566272d993270152451bebd30fff96
parent: d86aa0b21ee9aedbf8694ddfbfade244f4c418bf (diff)
download: kolab-docs-4dd33f2b33572a6c2a10fdde91250030af76d327.tar.gz

Include verbiage on accounts created and for what purpose they must or should exist

-rwxr-xr-x Installation_Guide/en-US/Kolab_Server_Configuration.xml 98
1 files changed, 98 insertions, 0 deletions
diff --git a/Installation_Guide/en-US/Kolab_Server_Configuration.xml b/Installation_Guide/en-US/Kolab_Server_Configuration.xml
index 5ad0e19..73c6406 100755
--- a/Installation_Guide/en-US/Kolab_Server_Configuration.xml
+++ b/Installation_Guide/en-US/Kolab_Server_Configuration.xml
@@ -74,6 +74,104 @@
<para>
When run against an existing configuration file that is not <filename>/etc/kolab/kolab.conf</filename> (but, for example, <filename>/etc/kolab/kolab-setup.conf</filename>), the setup process will take the existing configuration and set up a 389 Directory Server accordingly. This allows for greater flexibility in, among others, which root DN is used. You may discard the configuration file used for the setup afterwards, it contains no information of value other then for troubleshooting purposes, and it is not written to by the setup process.
</para>
+ <section id="sect-Community_Installation_Guide-LDAP_Component-Accounts_Created">
+ <title>Accounts Created</title>
+ <para>
+ The LDAP component setup creates 2 accounts in addition to the 2 accounts required to setup 389 Directory Server. The following is a summary of which accounts are set up and/or created, and what their purpose is.
+ </para>
+ <section id="sect-Community_Installation_Guide-Accounts_Created-The_Administrator_Account">
+ <title>The Administrator Account</title>
+ <para>
+ The administrator account is an account required to set up 389 Directory Server, and is used for day-to-day administration through the 389 Graphical Console interface.
+ </para>
+ <para>
+ Despite the fact Kolab Groupware includes a Web Administration Panel for day-to-day administration, it does not provide an interface to all possible options and features exposed with 389 Directory Server. For example, at the time of this writing, the Kolab Web Administration Panel does not have capabilities allowing the administration on Organizational Units (the Directory Information Tree structure), nor the administration of access control on entries or structures in the tree.
+ </para>
+
+ </section>
+
+ <section id="sect-Community_Installation_Guide-Accounts_Created-The_Directory_Manager_Account">
+ <title>The Directory Manager Account</title>
+ <para>
+ The Directory Manager account is an account required to set up 389 Directory Server, and is used for administration tasks beyond day-to-day administration. Such tasks include, for example, managing server databases for LDAP root DNs (separate databases for isolated Directory Information Trees), configuring replication and TLS/SSL.
+ </para>
+
+ </section>
+
+ <section id="sect-Community_Installation_Guide-Accounts_Created-The_Cyrus_Administrator_Account">
+ <title>The Cyrus Administrator Account</title>
+ <para>
+ In order to be able to manage mailboxes, Kolab Groupware requires the availability of an account that is a designated Cyrus IMAP administrator account.
+ </para>
+ <para>
+ As stated in the <filename>/etc/imapd.conf</filename> configuration file, the <emphasis>cyrus-admin</emphasis> user is a Cyrus IMAP administrator. The setup creates the corresponding LDAP user account with the password supplied during setup.
+ </para>
+ <para>
+ The location of the user account is in <literal>ou=Special Users</literal>, so that the entry does not appear in any Global Address Book on clients including Kontact and Roundcube.
+ </para>
+
+ </section>
+
+ <section id="sect-Community_Installation_Guide-Accounts_Created-The_Kolab_Service_Account">
+ <title>The Kolab Service Account</title>
+ <para>
+ The Kolab Service account is a dedicated account that services including Postfix, Roundcube and the Kolab Web Administration Panel use to bind to LDAP.
+ </para>
+ <para>
+ This enables Kolab Groupware to configure LDAP to not allow anonymous binds. Not allowing anonymous binds is important when the Kolab server is exposed to the internet, which so-called road-warrior users may require it to be.
+ </para>
+ <para>
+ The Kolab Service account is supposed to have access to search, read and compare entries throughout the entire Directory Information Tree. This includes, for example, a part of the tree that has been made 'invisible' to other users. Please see <xref linkend="exam-Community_Installation_Guide-The_Kolab_Service_Account-Restricting_Access_to_Parts_of_the_Directory_Information_Tree" /> for an example scenario.
+ </para>
+ <para>
+ Additionally, the Kolab Service account is granted search, read and compare rights on <literal>cn=kolab,cn=config</literal>, the location where domain name spaces serviced by the Kolab Groupware deployment are stored.
+ </para>
+ <example id="exam-Community_Installation_Guide-The_Kolab_Service_Account-Restricting_Access_to_Parts_of_the_Directory_Information_Tree">
+ <title>Restricting Access to Parts of the Directory Information Tree</title>
+ <para>
+ A Kolab Groupware environment set up for development, testing and demonstration purposes allows people to request accounts.
+ </para>
+ <para>
+ One account is issued to potential customer $x, while another is issued to potential customer $y.
+ </para>
+ <para>
+ Various Kolab Systems partners already have accounts that allow them to demonstrate Kolab Groupware to potential customers. Additional test accounts are issued to those potential customers as well.
+ </para>
+ <para>
+ No partner or customer is allowed to browse the global address book and recognize the names of all people that have been issued accounts, as this would disclose trade information and give unfair advantage.
+ </para>
+ <para>
+ To this end, each organizational entity is issued a private organizational unit, to which access is severly restricted, and accounts for people associated with this organizational entity are created in this part of the directory information tree.
+ </para>
+ <para>
+ Regardless of who is issued access to said organizational unit, the Kolab services including Postfix, Roundcube and the Kolab Web Administration Panel require access to these parts of the tree in order to;
+ </para>
+ <para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Find valid sender and recipient email addresses.
+ </para>
+
+ </listitem>
+ <listitem>
+ <para>
+ Upon login, search for the user entry corresponding with the login username supplied, so that a bind attempt with the supplied password can be attempted.
+ </para>
+
+ </listitem>
+
+ </itemizedlist>
+
+ </para>
+
+ </example>
+
+ </section>
+
+
+ </section>
+
</section>
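Review bot: the example "Restricting Access to Parts of the Directory Information Tree" leaves a gap that undermines its own goal. The section states that the Kolab Service account can search, read and compare every entry in the tree, including the per-organization OUs made 'invisible' to other users, and that Roundcube binds to LDAP with that account; the example then requires that no partner or customer can browse the global address book and see other organizations' names. As written, a reader will conclude that address book searches run under the service account and therefore see everything. State which identity Roundcube uses for address book lookups (the logged-in user's own bind, or the service account), and if it is the service account, explain how the per-OU restriction is still enforced. Related: since Postfix, Roundcube and the Kolab Web Administration Panel all bind with the same credential, the section should say where that password is stored and that those configuration files need restrictive permissions, and it should stress that the account is granted search, read and compare only, never write, so that a compromised web front end cannot modify the tree. In "The Cyrus Administrator Account", "As stated in the /etc/imapd.conf configuration file" would be clearer as a reference to the `admins:` setting, and the text should note that this is a credential with full access to every mailbox, so it must not be used for ordinary IMAP logins. Smaller points: "required to setup 389 Directory Server" should read "set up"; "severly" should be "severely"; "in order to;" should end with a colon; "so that a bind attempt with the supplied password can be attempted" repeats itself, e.g. "so that a bind with the supplied password can be attempted"; and the unchanged context line above the new section has "other then" for "other than". The file is also tracked with mode 100755; documentation source should not be executable.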