- Updated fro new Debian upload

[gosa.git] / FAQ

This is the textual form of the GOsa FAQ. Online information with
comments is set up at Wiki: http://oss.gonicus.de/gosa/.

Q: When creating many users for one department, I need to fill some
   fields again and again. Is there a shortcut for that?

A: Just create a user template and pre-fill all values you need. You
   can use dynamic content, too: uid, sn and givenName will be replaced.
   i.E. an entry '/home/%uid' in homeDirectory will be replaced by the
   real uid of the user you're creating, %sn.%givenName@yourdomain.com
   creates proper email addresses, etc. Templates include group membership.


Q: Can GOsa execute commands after creating/editing/removing users,
   departments, etc.

A: Yes. Edit /etc/gosa/gosa.conf's menu section. Each plugin may have
   an entry "postremove", "postmodify" and "postcreate".  You can use
   ldap attributes as command line options.
   i.E. postcreate="/usr/bin/sudo /usr/local/sbin/ftp.setperms %uid '%givenName'"


Q: I'd like to  modify the look of GOsa to fit our CI. How can I create an
   own theme?

A: Themes are splitted into two parts. ihtml/ contains templates which
   generate the ui, html/ contains all parts that must be readable from
   clients. GOsa first looks for predefined files in the directory indirectly
   defined via the "theme" parameter in /etc/gosa/gosa.conf. If it can't
   find them here, it'll use the default one.

   So start over by copying html/themes/default to html/themes/yourtheme
   and ihtml/themes/default to ihtml/themes/yourtheme. Change gosa.conf to
   contain theme="yourtheme" in section main. Here are some files to edit:

   * login.tpl          -> login screen
   * framework.tpl      -> page contents
   * style.css          -> stylesheets used by GOsa

   In fact, the rest of the UI is not converted to smarty, yet. Please be
   patient.


Q: How can I let a person do administrative tasks under a specific department?

A: Create a group inside this department. Put all administrative people inside,
   go to the "ACL" tab and check all fields these users should be able to adminstrate.


Q: How can I permit users to change some of their own attributes?

A: Same like the point above, but this rule only works for users own attributes
   by checking the box on the acl page.


Q: What about applications?

A: GOsa can manage desktop applications in ldap. Create a group and put all users
   in there, which have common desktop settings. Go to the "Application" tab and
   add all applications common to this group. Applications can be created from the
   application plugin.
   The idea behind this feature is a script running on the terminal-servers/
   workstation which check for applications on login (or on a regular basis using
   timestamps). This one will create the corresponding icons on your KDE or GNOME
   desktop.


Q: What's this terminal stuff?

A: GOto is - similar to LTSP - a ldap based diskless client system. It is available
   from our projects page.


Q: I can't select any mailservers. What's wrong?

A: LDAP stores information about all your servers. The server plugin is not ready
   yet, so you've to adjust/add these entries using your favorite ldap tool.


Q: GOsa is not in my native language, can I translate it to my language?

A: Yes. Just go to the locale directory and copy the messages.po file somewhere
   else. Edit the copy and put your translations into the msgstr lines. To be
   included in next GOsa releases, you may want to send it to the GOsa maintainer.
   Finally you need to create a directory with your language code. (i.e. de for
   german) containing the LC_MESSAGES directory. Move your messages.po file there
   and run 'msgfmt messages.po' in that directory. That's it.

   You may need to restart apache, depending on your setup. On Debian, be sure
   to have your locale generated (dpkg-reconfigure locales) before.


Q: The online help doesn't exist in my language, can i translate it to my language?

A: Yes. Just go to the doc/guide/user/en directory and copy the lyx-source directory
   to a new directory in doc/guide/user/<your language>. You have to use the lyx
   program create the online help in your language. When you have finish just run
   ./gen_online_help from the gosa root directory to generate the online docs.
   

Q: Can I specify some kind of password policies?

A: You can place the keywords "pwminlen" and "pwdiffer" in the main section of your
   gosa.conf. "pwminlen" specifies how many characters a password must have to be
   accepted. "pwdiffer" contains the number of characters that must be different
   from the previous password.

   Note that these only affect passwords that are set by the user, not by the admins.


Q: I've to update passwords on external windows PDCs. Can I add a command to let
   synchronize these for me?

A: There's the possibility to add a password hook in gosa.conf's main section using
   the keyword "externalpwdhook". The specified command will be executed with 
   three parameters: /path/to/your/script username oldpassword newpassword

   So you can call i.e. smbpasswd to handle your password change on the PDC.


Q: What about templates for vacation messages?

A: Create a directory to keep a set of vacation messages which are readable by the
   user that runs your apache. In this example I'll use /etc/gosa/vacation for that.

   Put your vacation files in there containing a "DESC:some descriptive text" as the
   first line followed by the normal vacation text. You can use all attributes from
   the generic tab. I.e.:

   /etc/gosa/vacation/business.txt ------------------------------------------------->8
   DESC:Away from desk
   Hi, I'm currently away from my desk. You can contact me on
   my cell phone via %mobile.
   
   Greetings,
   %givenName %sn
   -----------------------------------------------------------------------------------

   Place the config option vacationdir="/etc/gosa/vacation" in the location found in
   gosa.conf and a template box is show in the vacation mail tab.


Q: How can I generate automatic ID's for user templates?

A: Add an entry describing your id policy in gosa.conf, location section:

   a) using attributes
      You can specify LDAP attributes (currently only sn and givenName) in braces {}
      and add a percent sign befor it. Optionally you can strip it down to a number
      of characters, specified in []. I.e.
      
        idgen="{%sn}-{%givenName[2-4]}"
        
      will generate an ID using the full surename, adding a dash, and adding at least
      the first two characters of givenName. If this ID is used, it'll use up to four
      characters. If no automatic generation is possible, a input box is shown.

   b) using automatic id's
      I.e. specifying
      
        idgen="acct{id:3}"

      will generate a three digits id with the next free entry appended to "acct".
      
        idgen="ext{id#3}"

      will generate a three digits random number appended to "ext".


Q: I'm migrating from the current LDAP, now GOsa does not allow uid's and group
   with upper/lower case and spaces. What can I do?

A: Include the strict="no" keyword in your gosa.conf's location section.
   WARNING: using strict="no" will cause problems with cyrus/postfix!!


Q: I'd like to place my users under ou=staff, not under ou=people. Can I change
   this?

A: Yes. You can change the people and group locations by adding the following
   statements to your location sections:

   people="ou=staff"
   groups="ou=crowds"

   After logging in again, people and groups are created in the configured places.
   As a side note, you can leave these strings blank for flat structures, too.


Q: I've problems with many objectClass violations/undefined attributes. Can GOsa
   check what's missing?

A: Yes. Move away your gosa.conf and go to the GOsa setup. Follow the steps till
   you can download the config. If you get up to this point, your schema is ok...


Q: I really don't want dn's containing the CN for user accounts because I don't
   want to support anonymous binds for uid resolution. Is it possible to have dn's
   containing the uid instead?

A: Yes. Placing the dnmode="uid" keyword in your gosa.conf's location section will
   solve your problem.


Q: Hey, I've installed GOsa, but it claims something about "SID and / or RIDBASE
   are missing in your configuration". What's wrong?

A: You've configured GOsa to use samba3, but your LDAP has no samba domain object
   inside. Either log into samba for the first time to let it create that object,
   or supply the sid and ridbase for your domain in your gosa.conf's location, i.e.:

   <location name=...>
             ...
             ridbase="1000"
             sid="0-815-4711" \>

   Remember to fill in your real domain sid which is retrievable by the command
   "net getlocalsid".


Q: We have massive performance problems with using samba as a member server.

A: This is a known issue. We're working around this by putting

   <location name=...>
        ...
        sambaidmapping="true"
        ... \>

    into the configuration. GOsa will write the additional objectClass sambaIdmapEntry
    to the group and user objects.


Q: I get 'The value specified as GID/UID number is too small' when forcing IDs. Why?

A: This is an additional security feature, so that no one can fall back to uid 0. The
   default minimum ID is 100. You can set it to every value you like by specifying

   <location name=...>
        ...
        minid="40"
        ... \>

   in your configuration. In this example 40 will be the smallest ID you can enter.


Q: I've saved my windows workstations in other locations like GOsa is doing it
   for decades. Is there a way to change this?

A: Yes. Use the winstation parameter in your location section: 

   <location name=...>
        ...
        winstations="ou=machineaccounts"
        ... \>


Q: GOsa doesn't seem to follow my referrals. What can I do?

A: Place the option 'recursive = "true"' inside your locations definition
   and you should be fine.


Q: I'd like to have TLS based LDAP connections from within GOsa. Is this possible?

A: Yes, add

   <location ...>
   ...
         tls="true"
   ... \>

   to the location section of GOsa. This switch affects LDAP connections for a single location only.
   

Q: Cyrus folder get created in the style user.username. I prefer the unix hirachy
   style user/username. Is it possible to change this?

A: Yes, add

   <main ...>
   ...
         cyrusunixstyle="true"
   ... \>

   to the main section of GOsa and the folders are created in unix style.


Q: I'd like to do special checks for several plugin parameters. How can I modify
   GOsa to take care of these checks?

A: No need to modify anything. Just add a hook the the plugin you'd like to
   check:

   check="/your/command/binary"

   This binary will get an ldif to STDIN for analysis and may write an error message
   to STDOUT. Note, that the supplied ldif may NOT be the original target ldif due
   to technical reasons.
   

Q: Is there a way to use ACL independet filtering when using administrative units?

A: Yes. Set STRICT_UNITS to "true" in your gosa.conf's location section.


Q: How can i active the account expiration code for the gosa interface?

A: Yes. Just set "account_expiration" to "true" in your gosa.conf's main section.


Q: What is the correct connection string for a Kolab server in GOsa?

A: Try {localhost:143/novalidate-cert}.


Q: Sieve is not working from GOsa - there are authentication problems
   with this service, IMAP/POP is working. What's wrong?

A: Verify that the paramater sasl_auto_transition: no is not
   present in your imap.conf


Q: Slapd does not start with kolab2.schema included. It claims that the
   definition of calFBURL is missing. What can I do?

A: For Kolab to work correctly you have to include the rfc2739.schema
   in your slapd.conf. Insert it before the kolab2.schema


Q: Is there a way to let GOsa automatically fill missing fields in the network
   configuration?

A: Sure. You can specify the "auto_network_hook" option and provide the contributed
   script "net-resolver.sh" in your gosa.conf. If this is configured, you're
   getting an additional button in each network dialog.


Q: New implementations of OpenLDAP seem to require {sasl} instead of {kerberos}
   in password hashes. GOsa writes the wrong string. What can I do?

A: You can set "krbsasl" to "true" in your gosa.conf's main section.


Q: Is there a way to add the personalTitle attribute the the users dn?

A: Just add this line into the location section of your gosa.conf.
   <location name=...
        include_personal_title="true"
   ...>


Q: I'd like to assign different uid bases for certain user/group objects.
   How can this be achieved?

A: Use the base_hook in your gosa.conf's location section to specify a script
   which handles the ID generation externaly. It get's called with the "dn"
   and the attribute to be ID'd. It should return an integer value.


Q: I'd like to use rfc2307bis compliant groups. Is this possible?

A: Yes - place the rfc2307bis="true" inside of the location section of
   your gosa.conf. Remember, that you can't create empty groups in this mode.


Q: Can GOsa show some vendor information for given MAC addresses?

A: Yes. Download http://standards.ieee.org/regauth/oui/oui.txt and place
   it in /etc/gosa/oui.txt.


Q: GOsa sessions expire too quick. Is there a way to change this?

A: Yes. Set "session_lifetime" to the number of seconds of inactivity. 7200
   (60x60x2) would be for two hours. Place this option inside the main
   section of your gosa.conf.
   

Q: Microsoft Internet Explorer <=6 paints strange blocks around images.
   What's up with this?

A: Use Firefox, Konqueror, Safari, Opera, IE >= 7, etc. IE is broken and
   I don't want to waste my time with working around this old crap. There's
   a quick hack, if you just put "ie_png_workaround='true'" inside the main
   section of your gosa.conf. This is a JavaScript based workaround and I've
   to place a WARNING here: it is damn slow if you've large lists to display.

   If you have much time, you can provide a seamless integration with MS
   filter css extension.


Q: Is there a way to let users change passwords without logging into GOsa?

A: Yes. Browse to "password.php". You can preset a couple of things i.e.:

   http://your.admin.server/password.php?uid=cajus&method=md5&directory=GONICUS+GmbH


Q: GOsa only shows 300 entries at a time. Is this normal?

A: There's a default sizelimit. You can set the "sizelimit" option in your
   gosa.conf's  location section to a higher value to get rid of it.


Q: Is it possible to see some kind of information about how many objects
   get shown in the list I'm currently looking at?

A: Just add "list_summary = 'true'" inside the main section of your gosa.conf.


Q: Is it possible to login with the users mail address too?

A: Yes, just add the following line to your gosa.conf:
   <location ...
        auth_mail="true"
   ...>


Q: I want to use cyrus for multiple mail domains, but GOsa uses the 'uid' attribute 
   for account names, how do I change this to 'mail'?

A: Just add/modify the following line to/in your gosa.conf:
   <location ...
    mail_uattrib="mail" 
   ...>

Q: When creating mail group with a Kolab server i got this error message 
   "Object class violation (invalid structural object class chain (posixGroup/kolabSharedFolder)"

A: In your kolab2.schema objectclass kolabSharedFolder change
   'SUP top STRUCTURAL' to 'SUP top AUXILIARY'