X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=gosa-core%2FFAQ;h=2b316b5068c5e27cde46e95d71b33acf94be2dfd;hb=77efc438709ef7e5ccb1e7cd41f865cb19403b7e;hp=41d4254ffb2795494fbeee21c30480b91bd49823;hpb=7a19c2b044c8f5ee6076f66ff470437576adb7c7;p=gosa.git diff --git a/gosa-core/FAQ b/gosa-core/FAQ index 41d4254ff..2b316b506 100644 --- a/gosa-core/FAQ +++ b/gosa-core/FAQ 
@@ -1,400 +1,648 @@ This is the textual form of the GOsa FAQ. Online information with -comments is set up at Wiki: http://oss.gonicus.de/gosa/. +comments is set up at Wiki: https://oss.gonicus.de/labs/gosa/wiki/documentation -Q: When creating many users for one department, I need to fill some - fields again and again. Is there a shortcut for that? -A: Just create a user template and pre-fill all values you need. You - can use dynamic content, too: uid, sn and givenName will be replaced. - i.E. an entry '/home/%uid' in homeDirectory will be replaced by the - real uid of the user you're creating, %sn.%givenName@yourdomain.com - creates proper email addresses, etc. Templates include group membership. +Q: When creating many users for one department, I need to fill + somefields again and again. Is there a shortcut for that? +A: Just create a user template and pre-fill all values you need. You + can use dynamic content, too: uid, sn and givenName will be replaced. + i.E. an entry '/home/{%uid}' in homeDirectory will be replaced by the + real uid of the user you're creating, {%sn[0-4]}.{%givenName}@yourdomain.com + creates proper email addresses, etc. Templates include group membership. -Q: Can GOsa execute commands after creating/editing/removing users, - departments, etc. + For more details visit: + https://oss.gonicus.de/labs/gosa/wiki/PluginInstallationUserTemplates -A: Yes. Edit /etc/gosa/gosa.conf's menu section. Each plugin may have - an entry "postremove", "postmodify" and "postcreate". You can use - ldap attributes as command line options. - i.E. postcreate="/usr/bin/sudo /usr/local/sbin/ftp.setperms %uid '%givenName'" +Q: I can see passwords in my logs and in my process list while executing + commands, such as postcreate/passwordHook/aso. -Q: I'd like to modify the look of GOsa to fit our CI. How can I create an - own theme? 
+A: The best way to execute scripts with sensitive data is to use envrionmental + variables in your scripts, like shown here: -A: Themes are splitted into two parts. ihtml/ contains templates which - generate the ui, html/ contains all parts that must be readable from - clients. GOsa first looks for predefined files in the directory indirectly - defined via the "theme" parameter in /etc/gosa/gosa.conf. If it can't - find them here, it'll use the default one. + An example snippet from the gosa.conf + + --- + login screen - * framework.tpl -> page contents - * style.css -> stylesheets used by GOsa - In fact, the rest of the UI is not converted to smarty, yet. Please be - patient. +Q: Can GOsa execute commands 'BEFORE' creating/editing/removing users,departments, etc. +A: Yes. Edit /etc/gosa/gosa.conf's menu section. + Each plugin may has an entry "preremove", "premodify" and "precreate". + You can use ldap attributes as command line options. -Q: How can I let a person do administrative tasks under a specific department? + i.E. + --- + precreate="/usr/bin/sudo /usr/local/sbin/ftp.setperms %uid %givenName" + --- -A: Create a group inside this department. Put all administrative people inside, - go to the "ACL" tab and check all fields these users should be able to adminstrate. +Q: Can GOsa execute commands 'AFTER' creating/editing/removing users,departments, etc. -Q: How can I permit users to change some of their own attributes? +A: Yes. Edit /etc/gosa/gosa.conf's menu section. + Each plugin may has an entry "postremove", "postmodify" and "postcreate". + You can use ldap attributes as command line options. -A: Same like the point above, but this rule only works for users own attributes - by checking the box on the acl page. + i.E. + --- + postcreate="/usr/bin/sudo /usr/local/sbin/ftp.setperms %uid %givenName" + --- -Q: What about applications? +Q: I'd like to modify the look of GOsa to fit our CI. How can I create anown theme? 
-A: GOsa can manage desktop applications in ldap. Create a group and put all users - in there, which have common desktop settings. Go to the "Application" tab and - add all applications common to this group. Applications can be created from the - application plugin. - The idea behind this feature is a script running on the terminal-servers/ - workstation which check for applications on login (or on a regular basis using - timestamps). This one will create the corresponding icons on your KDE or GNOME - desktop. +A: Themes are splitted into two parts. ihtml/ contains templates which + generate the ui, html/ contains all parts that must be readable from + clients. GOsa first looks for predefined files in the directory indirectly + defined via the "theme" parameter in /etc/gosa/gosa.conf. If it can't + find them here, it'll use the default one. + So start over by copying html/themes/default to html/themes/yourtheme + and ihtml/themes/default to ihtml/themes/yourtheme. Change gosa.conf to + contain theme="yourtheme" in section main. Here are some files to edit: -Q: What's this terminal stuff? + * login.tpl -> login screen + * framework.tpl -> page contents + * style.css -> stylesheets used by GOsa -A: GOto is - similar to LTSP - a ldap based diskless client system. It is available - from our projects page. +Q: How can I let a person do administrative tasks under a specific department? -Q: I can't select any mailservers. What's wrong? +A: GOsa 2.6 implements a flexible but complex ACL management, please have a look at + the following wiki page: https://oss.gonicus.de/labs/gosa/wiki/DocumentationWritingACLs2.6 + If you have still questions, please use the mailing list or the forum. -A: LDAP stores information about all your servers. The server plugin is not ready - yet, so you've to adjust/add these entries using your favorite ldap tool. +Q: What about applications? -Q: GOsa is not in my native language, can I translate it to my language? 
+A: GOsa can manage desktop applications in ldap. Create a group and put all users + in there, which have common desktop settings. Go to the "Application" tab and + add all applications common to this group. Applications can be created from the + application plugin. + The idea behind this feature is a script running on the terminal-servers/ + workstation which check for applications on login (or on a regular basis using + timestamps). This one will create the corresponding icons on your KDE or GNOME + desktop. -A: Yes. Just go to the locale directory and copy the messages.po file somewhere - else. Edit the copy and put your translations into the msgstr lines. To be - included in next GOsa releases, you may want to send it to the GOsa maintainer. - Finally you need to create a directory with your language code. (i.e. de for - german) containing the LC_MESSAGES directory. Move your messages.po file there - and run 'msgfmt messages.po' in that directory. That's it. - You may need to restart apache, depending on your setup. On Debian, be sure - to have your locale generated (dpkg-reconfigure locales) before. +Q: What's this terminal stuff? -Q: The online help doesn't exist in my language, can i translate it to my language? +A: GOto is - similar to LTSP - a ldap based diskless client system. It is available + from our projects page. -A: Yes. Just go to the doc/guide/user/en directory and copy the lyx-source directory - to a new directory in doc/guide/user/. You have to use the lyx - program create the online help in your language. When you have finish just run - ./gen_online_help from the gosa root directory to generate the online docs. - -Q: Can I specify some kind of password policies? -A: You can place the keywords "pwminlen" and "pwdiffer" in the main section of your - gosa.conf. "pwminlen" specifies how many characters a password must have to be - accepted. "pwdiffer" contains the number of characters that must be different - from the previous password. 
+Q: I can't select any mailservers. What's wrong? - Note that these only affect passwords that are set by the user, not by the admins. +A: It seems that a mail server is missing in your configuration. + Create a new server, go to the services tab and add a mailserver + service and/or the imap service. + For more details, please have a look at the FAQ and + https://oss.gonicus.de/labs/gosa/wiki/PluginInstallationMailMethods. -Q: I've to update passwords on external windows PDCs. Can I add a command to let - synchronize these for me? -A: There's the possibility to add a password hook in gosa.conf's main section using - the keyword "externalpwdhook". The specified command will be executed with - three parameters: /path/to/your/script username oldpassword newpassword +Q: Can I specify some kind of password policies? - So you can call i.e. smbpasswd to handle your password change on the PDC. +A: You can place the keywords "passwordMinLength" and "passwordMinDiffer" in the main + section of your gosa.conf. "passwordMinLength" specifies how many characters a + password must have to be accepted. "passwordMinDiffer" contains the number of + characters that must be different from the previous password. + Note that these only affect passwords that are set by the user, not by the admins. -Q: What about templates for vacation messages? -A: Create a directory to keep a set of vacation messages which are readable by the - user that runs your apache. In this example I'll use /etc/gosa/vacation for that. - Put your vacation files in there containing a "DESC:some descriptive text" as the - first line followed by the normal vacation text. You can use all attributes from - the generic tab. I.e.: +Q: I've to update passwords on external windows PDCs. Can I + add a command to letsynchronize these for me? - /etc/gosa/vacation/business.txt ------------------------------------------------->8 - DESC:Away from desk - Hi, I'm currently away from my desk. 
You can contact me on - my cell phone via %mobile. - - Greetings, - %givenName %sn - ----------------------------------------------------------------------------------- +A: There's the possibility to add a hooks in gosa.conf's plugin tags + using the "premodify/postmodify" keywords. The specified command + will be executed with these additional parameters: + * current_password + * new_password + * userPassword - Place the config option vacationdir="/etc/gosa/vacation" in the location found in - gosa.conf and a template box is show in the vacation mail tab. + --- + + --- + For further information about pre- and post hooks search for the premodify and postmodify statements. -Q: How can I generate automatic ID's for user templates? + So you can call i.e. smbpasswd to handle your password change on the PDC. -A: Add an entry describing your id policy in gosa.conf, location section: - a) using attributes - You can specify LDAP attributes (currently only sn and givenName) in braces {} - and add a percent sign befor it. Optionally you can strip it down to a number - of characters, specified in []. I.e. - - idgen="{%sn}-{%givenName[2-4]}" - - will generate an ID using the full surename, adding a dash, and adding at least - the first two characters of givenName. If this ID is used, it'll use up to four - characters. If no automatic generation is possible, a input box is shown. - b) using automatic id's - I.e. specifying - - idgen="acct{id:3}" +Q: What about templates for vacation messages? - will generate a three digits id with the next free entry appended to "acct". - - idgen="ext{id#3}" +A: Create a directory to keep a set of vacation messages which are readable by the + user that runs your apache. In this example I'll use /etc/gosa/vacation for that. - will generate a three digits random number appended to "ext". + Put your vacation files in there containing a "DESC:some descriptive text" as the + first line followed by the normal vacation text. 
You can use all attributes from + the generic tab. I.e.: + /etc/gosa/vacation/business.txt + --- + DESC:Away from desk + Hi, I'm currently away from my desk. You can contact me on + my cell phone via %mobile. -Q: I'm migrating from the current LDAP, now GOsa does not allow uid's and group - with upper/lower case and spaces. What can I do? + + Greetings, + %givenName %sn + --- + + Place the config option vacationTemplateDirectory="/etc/gosa/vacation" in the location found in + gosa.conf and a template box is show in the vacation mail tab. -A: Include the strict="no" keyword in your gosa.conf's location section. - WARNING: using strict="no" will cause problems with cyrus/postfix!! -Q: I'd like to place my users under ou=staff, not under ou=people. Can I change - this? +Q: How can I generate automatic ID's for user templates? -A: Yes. You can change the people and group locations by adding the following - statements to your location sections: +A: Add an entry describing your id policy in gosa.conf, location section: - people="ou=staff" - groups="ou=crowds" - After logging in again, people and groups are created in the configured places. - As a side note, you can leave these strings blank for flat structures, too. + 1) Using attributes + You can specify LDAP attributes (currently only sn and givenName) in braces {} + and add a percent sign befor it. Optionally you can strip it down to a number + of characters, specified in []. I.e. + --- + idGenerator="{%sn}-{%givenName[2-4]}" + --- -Q: I've problems with many objectClass violations/undefined attributes. Can GOsa - check what's missing? + will generate an ID using the full surename, adding a dash, and adding at least + the first two characters of givenName. If this ID is used, it'll use up to four + characters. If no automatic generation is possible, a input box is shown. -A: Yes. Move away your gosa.conf and go to the GOsa setup. Follow the steps till - you can download the config. 
If you get up to this point, your schema is ok... + 2) using automatic id's + I.e. specifying + --- + idGenerator="acct{id:3}" + --- -Q: I really don't want dn's containing the CN for user accounts because I don't - want to support anonymous binds for uid resolution. Is it possible to have dn's - containing the uid instead? + will generate a three digits id with the next free entry appended to "acct". -A: Yes. Placing the dnmode="uid" keyword in your gosa.conf's location section will - solve your problem. + --- + idGenerator="ext{id#3}" + --- + will generate a three digits random number appended to "ext". -Q: Hey, I've installed GOsa, but it claims something about "SID and / or RIDBASE - are missing in your configuration". What's wrong? -A: You've configured GOsa to use samba3, but your LDAP has no samba domain object - inside. Either log into samba for the first time to let it create that object, - or supply the sid and ridbase for your domain in your gosa.conf's location, i.e.: - - ... - ridbase="1000" - sid="0-815-4711" \> - Remember to fill in your real domain sid which is retrievable by the command - "net getlocalsid". +Q: I'm migrating from the current LDAP, now GOsa does not allow uid's + and groupwith upper/lower case and spaces. What can I do? +A: Include the strictNamingRules="no" keyword in your gosa.conf's location section. + + WARNING: using strictNamingRules="no" will cause problems with cyrus/postfix!! -Q: We have massive performance problems with using samba as a member server. -A: This is a known issue. We're working around this by putting - - ... - sambaidmapping="true" - ... \> +Q: I'd like to place my users under ou=staff, not under ou=people. Can I changethis? + + Yes. You can change the people and group locations by adding the following + statements to your location sections: + + --- + userRDN="ou=staff" + groupRDN="ou=crowds" + --- + + After logging in again, people and groups are created in the configured places. 
+ As a side note, you can leave these strings blank for flat structures, too. + + + + +Q: I really don't want dn's containing the CN for user accounts because I don't + want to support anonymous binds for uid resolution. + Is it possible to have dn'scontaining the uid instead? + +A: Yes. Placing the accountPrimaryAttribute="uid" keyword in your gosa.conf's location + section will solve your problem. + + + + +Q: Hey, I've installed GOsa, but it claims something about "SID and / or RIDBASE + are missing in your configuration". What's wrong? + +A: You've configured GOsa to use samba3, but your LDAP has no samba domain object + inside. Either log into samba for the first time to let it create that object, + or supply the sid and ridbase for your domain in your gosa.conf's location, i.e.: + + --- + + ... + sambaRidBase="1000" + sambaSID="0-815-4711" \> + --- + + Remember to fill in your real domain sid which is retrievable by the command + "net getlocalsid". + + + +Q: We have massive performance problems with using samba as a member server. + +A: This is a known issue. We're working around this by putting + + --- + + ... + sambaIdMapping="true" + ... \> + --- into the configuration. GOsa will write the additional objectClass sambaIdmapEntry to the group and user objects. -Q: I get 'The value specified as GID/UID number is too small' when forcing IDs. Why? -A: This is an additional security feature, so that no one can fall back to uid 0. The - default minimum ID is 100. You can set it to every value you like by specifying +Q: I get 'The value specified as GID/UID number is too small' when forcing IDs. Why? + +A: This is an additional security feature, so that no one can fall back to uid 0. The + default minimum ID is 100. You can set it to every value you like by specifying + + --- + + ... + minId="40" + ... \> + --- + + in your configuration. In this example 40 will be the smallest ID you can enter. + + + +Q: Aahhrg. 
I've updated to a new version and my gosa.conf seems to be broken. + +A: Some parameters may have changed. Please move your gosa.conf away and re-run the setup. + + + + +Q: I've saved my windows workstations in other locations like GOsa is doing it + for decades. Is there a way to change this? + +A: Yes. Use the sambaMachineAccountRDN parameter in your location section: + + --- + + ... + sambaMachineAccountRDN="ou=machineaccounts" + ... \> + --- + + + +Q: I'd like to have TLS based LDAP connections from within GOsa. Is this possible? + +A: Yes, add + + --- + + ... + ldapTLS="true" + ... \> + --- + + to the location section of GOsa. This switch affects LDAP connections for a single location only. + + + +Q: Cyrus folder get created in the style user.username. I prefer the unix + hirachystyle user/username. Is it possible to change this? + +A: Yes, add + + + --- + services tab in GOsa 2.6. + + Here is an older, but maybe helpful solution for Cyrus-Imapd 2.1.5 on SuSE 9.0: + * Install the "cyrus-sasl-plain" rpm from the distro-cd (This packet contains "sasl2/libplain" library). + * Modify your /etc/imap.conf: + + --- + sasl_pwcheck_method: saslauthd + sasl_mech_list: plain login + --- + + * Modify your /etc/sysconfig/saslauthd: + + --- + SASLAUTHD_AUTHMECH=pam + --- + + +Q: Slapd does not start after adding or changing schema files to the slapd config. What can I do? + +A: Check the order of how slapd loads the schema files. + Order of schema loading matters, because some schemas depend on other + schemas being already loaded. For a working order of the schema files + look here: https://oss.gonicus.de/labs/gosa/wiki/InstallingLdap + + + +Q: Slapd does not start with kolab2.schema included. It claims that thedefinition of + calFBURL is missing. What can I do? + +A: For Kolab to work correctly you have to include the rfc2739.schema + in your slapd.conf. 
Insert it before the kolab2.schema + + + +Q: New implementations of OpenLDAP seem to require {sasl} instead of {kerberos} + in password hashes. GOsa writes the wrong string. What can I do? + +A: You can set "useSaslForKerberos" to "true" in your gosa.conf's main section. + + + +Q: Is there a way to add the personalTitle attribute the the users dn? + +A: Just add this line into the location section of your gosa.conf. + - - ... - minid="40" - ... \> + --- + - ... - winstations="ou=machineaccounts" - ... \> +A: Yes - place the rfc2307bis="true" inside of the location section of + your gosa.conf. Remember, that you can't create empty groups in this mode. -Q: GOsa doesn't seem to follow my referrals. What can I do? -A: Place the option 'recursive = "true"' inside your locations definition - and you should be fine. +Q: GOsa sessions expire too quick. Is there a way to change this? +A: Yes. Set "sessionLifetime" to the number of seconds of inactivity. 7200 + (60x60x2) would be for two hours. Place this option inside the main + section of your gosa.conf. -Q: I'd like to have TLS based LDAP connections from within GOsa. Is this possible? -A: Yes, add - - ... - tls="true" - ... \> +Q: Is there a way to let users change passwords without logging into GOsa? - to the location section of GOsa. This switch affects LDAP connections for a single location only. - +A: Yes. Browse to "password.php". You can preset a couple of things i.e.: -Q: Cyrus folder get created in the style user.username. I prefer the unix hirachy - style user/username. Is it possible to change this? + --- + http://your.admin.server/password.php?uid=cajus&method=md5&directory=GONICUS+GmbH + --- -A: Yes, add -
- ... - cyrusunixstyle="true" - ... \> - to the main section of GOsa and the folders are created in unix style. +Q: GOsa only shows 300 entries at a time. Is this normal? +A: There's a default sizelimit. You can set the "ldapSizelimit" option in your + gosa.conf's location section to a higher value to get rid of it. -Q: I'd like to do special checks for several plugin parameters. How can I modify - GOsa to take care of these checks? -A: No need to modify anything. Just add a hook the the plugin you'd like to - check: - check="/your/command/binary" +Q: I have problems with my ldap server when I open groups with a + huge amount of members, what can I do? - This binary will get an ldif to STDIN for analysis and may write an error message - to STDOUT. Note, that the supplied ldif may NOT be the original target ldif due - to technical reasons. - +A: You can set a nesting limit which ensures that the user names will not be + resolved if the amount of members reaches this limit. -Q: Is there a way to use ACL independet filtering when using administrative units? + --- + + --- -Q: What is the correct connection string for a Kolab server in GOsa? -A: Try {localhost:143/novalidate-cert}. +Q: I've shredded my access control and am not able to do anything from now on. + Is there a way to override the ACL? +A: Yes. Insert the following statement in the location section of your gosa.conf: -Q: Sieve is not working from GOsa - there are authentication problems - with this service, IMAP/POP is working. What's wrong? + --- + ignoreAcl="your user's dn" + --- -A: Verify that the paramater sasl_auto_transition: no is not - present in your imap.conf +Q: I can't logon as Administration, what is wrong? -Q: Slapd does not start with kolab2.schema included. It claims that the - definition of calFBURL is missing. What can I do? +A: It looks like you are missing an administrativ account. 
+ In newer versions of GOsa you can simply re-run the setup and create + an admin account on the migration page. -A: For Kolab to work correctly you have to include the rfc2739.schema - in your slapd.conf. Insert it before the kolab2.schema + Additionally you can set ignoreACL in GOsa 2.6, just search the FAQ. -Q: New implementations of OpenLDAP seem to require {sasl} instead of {kerberos} - in password hashes. GOsa writes the wrong string. What can I do? -A: You can set "krbsasl" to "true" in your gosa.conf's main section. +Q: The Unix's user's shell list is empty (unconfigured) +A: Just copy or link your /etc/shell in /etc/gosa. -Q: Is there a way to add the personalTitle attribute the the users dn? -A: Just add this line into the location section of your gosa.conf. - +Q: After upgrading GOsa, the setup.php doesn't work or looks broken. -Q: I'd like to assign different uid bases for certain user/group objects. - How can this be achieved? +A: You should delete all files in /var/spool/gosa -A: Use the base_hook in your gosa.conf's location section to specify a script - which handles the ID generation externaly. It get's called with the "dn" - and the attribute to be ID'd. It should return an integer value. + --- + # cd /var/spool/gosa + # rm -rf * + --- -Q: I'd like to use rfc2307bis compliant groups. Is this possible? -A: Yes - place the rfc2307bis="true" inside of the location section of - your gosa.conf. Remember, that you can't create empty groups in this mode. +Q: After installing GOsa using an existing LDAP tree, my user accounts are not listed. +A: You need to add the following objectClasses to your accounts: -Q: Can GOsa show some vendor information for given MAC addresses? + --- + objectClass: person + objectClass: organizationalPerson + --- -A: Yes. Download http://standards.ieee.org/regauth/oui/oui.txt and place - it in /etc/gosa/oui.txt. + The setup will automatically migrate those accounts, see migration step in GOsa setup! 
-Q: GOsa sessions expire too quick. Is there a way to change this? +Q: Is it possible to login with the users mail address too? -A: Yes. Set "session_lifetime" to the number of seconds of inactivity. 7200 - (60x60x2) would be for two hours. Place this option inside the main - section of your gosa.conf. - +A: Yes, just add the following line to your gosa.conf: -Q: Microsoft Internet Explorer <=6 seems paints strange blocks around - images. + --- + = 7, etc. IE is broken and - I don't want to waste my time with working around this old crap. There's - a quick hack, if you just put "ie_png_workaround='true'" inside the main - section of your gosa.conf. This is a JavaScript based workaround and I've - to place a WARNING here, that it is damn slow if you've large lists to - display. + or for both, uid and mail: - If you have much time, you can provide a seamless integration with MS - filter css extension. + --- +
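Review bot: The new precreate and postcreate examples pass %givenName unquoted ("ftp.setperms %uid %givenName"), where the removed postcreate line had '%givenName' in single quotes. Since the text says LDAP attributes are used as command line options, a given name containing a space or a shell metacharacter would no longer reach the script as one argument if the hook runs through a shell. Restore the quotes in both examples, or point them at the environment-variable approach that the new "I can see passwords in my logs and in my process list" entry recommends. The same applies to the rewritten PDC password answer: it says the hook "will be executed with these additional parameters" current_password, new_password and userPassword, which is the exposure that new entry describes, so it should refer to that entry rather than suggest passing them on the command line. In the setup.php answer, "# cd /var/spool/gosa" followed by "# rm -rf *" deletes the contents of whatever directory the reader is in if the cd fails. Write it as one command, for example "cd /var/spool/gosa && rm -rf -- *". The password.php example URL uses http:// for a page that accepts a password change, and an https:// URL would be the better thing to document. Smaller points: "envrionmental" and "may has" are typos, the "ou=staff" answer has lost its "A:" prefix, and the option is spelled ignoreAcl in one answer and ignoreACL in the next.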