OpenLDAP and Mozilla Messenger
aaron at justaaron.com
Sun Feb 8 07:06:12 PST 2004

"Thomas T. Veldhouse" <veldy at veldy.net> wrote:
> Does anybody know of a "GOOD" HOWTO to get Mozilla Messenger and
> OpenLDAP (2.2) to work well together [for addressbooks]?
> I have been searching for doco all day and I have downloaded schema and
> entered configurations to no avail.

I don't know of a good doc that covers specifically this, but ...
Every ldap-enabled mail client seems to use their own ldap schema. I am
sort of aware that mozilla's schema might be available somewhere on
mozilla.org, but I've never personally looked for it. Note that mozilla
does not write to an ldap directory, it only reads from it.

If you are in control of the directory, you have lots of options. If
you want mozilla to show you "any directory," then you have to hope that
the directory was implemented with attributes that mozilla expects.
That's a fair hope, since mozilla's notion of a person is derived from a
commonly used objectclass, inetOrgPerson. But depending on your
directory's specific schema, mozilla may or may not see all of what
you're interested in. Mozilla gives you some room to play, using bind
dn, base dn and search filters.

If the directory is yours and you will be implementing your own schema,
one thing you can do is to fully populate a mozilla address card, then
export the addressbook as ldif, and you'll see the objectclasses and
attributes that mozilla uses/expects. Do this in a new addressbook with
one entry so you don't have to look at a bunch of other entries. Here's
one that I did, using Mozilla 1.6:

# The objectclass lines (see the notes below) and givenName/sn are added so
# the entry is a loadable inetOrgPerson; the archive's "email at krelm.com"
# anti-spam munging is undone so the DN and mail values are valid.
dn: cn=First Last,mail=email@krelm.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaAbPersonObsolete
cn: First Last
givenName: First
sn: Last
mail: email@krelm.com
mozillaSecondEmail: additionalEmail@krelm.com
telephoneNumber: work 555-1111
homePhone: home 555-2222
facsimileTelephoneNumber: fax 555-3333
pager: pager 555-4444
mobile: mobile 555-5555
homePostalAddress: 123 myhomeaddress st
mozillaHomePostalAddress2: apt 111
postalAddress: 456 myworkaddress st
mozillaPostalAddress2: apt 222
description: This is a note

Things to note:
- mozilla addressbook entries are objectclass: mozillaAbPersonObsolete
- mozillaAbPersonObsolete appears to be derived from inetOrgPerson
- Most, but not all, of mozilla's extra attributes have "mozilla"
prepended to the attribute name. The following are also mozilla
specific, even though they don't say "mozilla":
- the distinguished name is dn: cn=First Last,mail=email at krelm.com,
in other words cn=...,mail=... but this is not critical, you can have
any directory organization you like and the entries can still be seen by
mozilla as long as they are of the right objectclass and/or have the
- cn is composed of givenName and sn, *unless* in the ab entry
you specifically filled in Display Name. This is an export issue only;
remember that moz only reads, doesn't write directories.

I have found that as long as what you have in your directory has the
attributes that mozilla is looking for, they "should" show up in the
addressbook. Note that I say "should." After having done this limited
experiment, and for other reasons related to the work I'm doing, I
decided to just be happy with a name and email address showing up in
addressbook from my directory, and all the other attributes being
managed and viewed by the app I'm working on. So I haven't
painstakingly verified that if I have a mozillaHomePostalAddress2
attribute in my unique local schema, for example, that it shows up in

Bottom line: you should be able to use mozilla's schema in your
directory if you can find it at their site, or just reverse engineer it
from the above or your own experiment and reproduce it in your local
setup, if what you want is mozilla's exact view of a person.

But, mozilla doesn't write to ldap directories, so you will have to
write or find an app that allows you to add entries. Depending on your
user population and your requirements for directory security (and
coherence :) you could use one of the php admin tools, and either
restrict access to your self and admins, or open it up to your user
population. Openldap's ACL's could/should be used to restrict each
user's write-access to their own entry, but then they can't add new
entries for their *own* contacts, unless you also give each of them
their own organization units under which their contacts go.

When you set up a directory in addressbook to view your ldap directory,
and then select that addressbook, you won't see anything in the contact
list. Put a single * in the "Name or Email contains" text field,
and you'll see all your inetOrgPersons listed. Put a single @ in
there instead, and you'll see all entries that have an email address. Etc.

Edit/Properties has a search filter on the Advanced tab. This will not
affect what you see in the addressbook entry list, but it does affect
what gets automatically filled in for the To: field when you're
composing a message. The General tab has fields for Base DN and Bind
DN, so with those three things you have some room to play around with
what gets seen/used.

Tools to write to a directory:
- gq. Everyone seems to like this one. It's a standalone app.
- phpldapadmin. This is what I use. Requires php and apache to run.
easy to configure, but does require some configuration beyond what gq
- there are a few addressbook-like applications, which I haven't tried.
Here's one, rolodap, but I don't know if it's active or not. It
appears to have some association with mozilla's project site, mozdev.org.
aaron at justaaron.com
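The post leaves open how to let each user write only their own entry and their own contacts while everyone else stays read-only. The slapd.conf ACL fragment below is an added, constructed example (not from the original post or from the OpenLDAP project); it assumes the suffix dc=example,dc=com, user entries named uid=<user>,ou=people,dc=example,dc=com, and each user's private contacts kept under an ou=contacts container beneath their own entry.

```conf
# Constructed slapd.conf ACL example; assumed names: dc=example,dc=com,
# ou=people, ou=contacts, and uid as the naming attribute of user entries.
# Clauses are tried in order; the first "access to" that matches the
# target decides, and within it the first matching "by" line wins.

# Passwords: the owner may change theirs, anyone may bind against it,
# nobody (not even other authenticated users) may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# A user's own entry: the owner may edit it; authenticated users may read
# it, so a Mozilla address book bound with a user's bind DN still sees
# everybody's name and mail; anonymous clients see nothing.
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$"
        by self write
        by users read
        by * none

# Per-user contacts subtree: $2 is the uid captured from the target DN, so
# only that user may add, modify or delete entries under their own
# ou=contacts (write on the container also grants adding children);
# no one else can read them.
access to dn.regex="^(.+,)?ou=contacts,uid=([^,]+),ou=people,dc=example,dc=com$"
        by dn.exact,expand="uid=$2,ou=people,dc=example,dc=com" write
        by * none

# Everything else (ou=people itself, the suffix entry, ...) is read-only
# for authenticated users and invisible to anonymous binds.
access to *
        by users read
        by * none
```

Check the result with a few test binds before opening the directory to users: a user should be able to ldapadd under their own ou=contacts and ldapmodify their own entry, but get insufficientAccess for anyone else's, while an anonymous search returns nothing.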