Access Control Lists for OpenLDAP


ACLs for using OX with OpenLDAP

These are minimal Access Control Lists (ACLs) for OpenLDAP sufficient for an OX deployment (and only an OX deployment -- for Samba, PAM, etc. you will have to read the relevant docs and add the parameters specific to those as well). You will most certainly want to adapt this to your local needs; at the very least you'll need to change the base DN. For more information on access control see the OpenLDAP Admin Guide or the OpenLDAP FAQ-O-Matic.

ACLs for OpenLDAP 2.2

access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# protect the userPassword attribute
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# global address book
access to dn.subtree="o=AddressBook,ou=OxObjects,dc=example,dc=org"
  by group.exact="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=example,dc=org" write
  by users read

# personal address book
access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=example,dc=org)$" attrs=children
  by dn.exact,expand="$1" write
access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=example,dc=org)$" attrs=entry,@inetOrgPerson,@OXUserObject
  by dn.exact,expand="$2" write

# default rule allowing users full access to their own entries
# but limited to attributes in the listed objectclasses (again: this is an example)
access to attrs=@inetOrgPerson,@OXUserObject
        by self write
        by users read

ACLs for OpenLDAP 2.1

For version 2.1.x all of the above should work except for the personal address book, where the "by" lines need to be changed slightly:

# personal address book for 2.1
access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=example,dc=org)$" attrs=children
  by dn.regex="$1" write
access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=example,dc=org)$" attrs=entry,@inetOrgPerson,@OXUserObject
  by dn.regex="$2" write

Note that you really should not be using OpenLDAP 2.1 anymore. Even 2.2 is being phased out right now!

Additional comments

The above ACL statements do not work for mail notification, because the mail notification process binds anonymously to the LDAP server and searches for several attributes in ou=Users,ou=OxObjects,dc=example,dc=org (e.g. mail, mailDomain, preferredLanguage, maybe some more). Because the anonymous bind has no read access to those attributes, you'll see error messages similar to these in your groupware.log file:

May 31 10:45:45 yobe.org openexchange: Attribute "preferredLanguage" not set in user "roman", using "GMT"!
May 31 10:45:45 yobe.org openexchange: Attribute "mail" not set in user "roman", using "GMT"!
May 31 10:45:45 yobe.org openexchange: Attribute "mailDomain" not set in User "uid=mailadmin,ou=Users,ou=OxObjects"!
May 31 10:45:45 yobe.org openexchange: Attribute "preferredLanguage" not set in user "roman", using "GMT"!
May 31 10:45:45 yobe.org openexchange: Attribute "mail" not set in user "roman", using "GMT"!
May 31 10:45:45 yobe.org openexchange: Attribute "mailDomain" not set in User "uid=mailadmin,ou=Users,ou=OxObjects"!
May 31 10:45:45 yobe.org openexchange: ERROR: MailHandle/run: Unable to send message. Please check StackTrace below for additional informations:
javax.mail.SendFailedException: Invalid Addresses;
  nested exception is:
        class com.sun.mail.smtp.SMTPAddressFailedException: 450 <roman@null>: Sender address rejected: Domain not found

        at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1130)
        at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:525)
        at javax.mail.Transport.send0(Transport.java:151)
        at javax.mail.Transport.send(Transport.java:102)
        at com.openexchange.tools.MailHandle.sendThreadedMessage(MailHandle.java:588)
        at com.openexchange.tools.MailHandle.run(MailHandle.java:484)
        at java.lang.Thread.run(Thread.java:595)

One solution would be to allow read access to those attributes for anonymous binds -- thereby handing the email addresses of all users to the whole world without any restriction (read: you do not want this).

access to * attrs=uid,objectClass,entry,imapServer,mailDomain,smtpServer,mail,preferredLanguage filter=(objectClass=OXUserObject)
        by self write
        by * read

A better solution would be to create a proxy user that is used by all OX processes that have to access the LDAP directory. Access to the directory would then be much more secure, as no anonymous read access has to be allowed at all. This could be implemented with SASL or simple binds and would require very few changes.

As an alternative to the above solution with full read access for anybody, you can grant the read access only to the OX server, for example "localhost". Keep in mind that slapd uses the first "access to" clause whose target matches, so these rules must come after the userPassword rule above; otherwise the final catch-all would hand password hashes to any anonymous client on localhost.

# default rule allowing users full access to these attributes
access to *
        attrs=oxdayviewinterval,oxdayviewendtime,oxdayviewstarttime,oxappointmentdays,preferredLanguage,oxtaskdays
        by self write
        by peername.ip=127.0.0.1 read

# allow read access to everything else by everyone else coming from that 'peer'.
# the notation given ('ip'-style peername) requires OpenLDAP 2.2 or higher.
access to *
        by peername.ip=127.0.0.1 read
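To see how the personal address book rule (dn.regex with dn.exact,expand="$1") and the localhost peername rule interact with the userPassword rule, here is an added example that is not part of this page or of OpenLDAP/OX: a constructed Python model of slapd's evaluation order (first matching "access to" target wins, then the first matching "by" clause decides, nothing matching means none). The rule set, DNs and peer addresses are assumptions built from the examples above; "children" is treated as a plain attribute name for simplicity.

```python
import re

# Access levels in the order OpenLDAP ranks them (only those the page's rules use).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
BASE = "ou=OxObjects,dc=example,dc=org"

# Constructed model of three rules from the page, in slapd.conf order:
# (target dn regex or None, attrs or None for any attribute, list of (who, level));
# who is "self", "users", "anonymous", "*", ("expand", "$n") or ("peer", ip).
RULES = [
    (None, {"userPassword"},
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (r"^ou=addr,(uid=([^,]+),ou=Users,%s)$" % BASE, {"children"},
     [(("expand", "$1"), "write")]),
    (None, {"mail", "mailDomain", "preferredLanguage"},
     [("self", "write"), (("peer", "127.0.0.1"), "read")]),
]

def who_matches(who, target_dn, bind_dn, peer_ip, match):
    """Does one <by> selector apply to this request? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who == "users":
        return bind_dn is not None
    if who == "anonymous":
        return bind_dn is None
    kind, value = who
    if kind == "expand":  # dn.exact,expand="$1": the captured group of the target regex
        return bind_dn is not None and bind_dn.lower() == match.group(int(value[1:])).lower()
    return kind == "peer" and peer_ip == value

def granted(target_dn, attr, bind_dn=None, peer_ip="10.0.0.5"):
    """Access level for one request: the first <what> that matches is used, then the
    first <by> that matches decides; if nothing matches at all, access is none."""
    for dn_re, attrs, by_clauses in RULES:
        match = re.match(dn_re, target_dn, re.IGNORECASE) if dn_re else None
        if dn_re and not match:
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, target_dn, bind_dn, peer_ip, match):
                return level
        return "none"
    return "none"

def allowed(target_dn, attr, needed, **request):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS[granted(target_dn, attr, **request)] >= LEVELS[needed]
```

Swapping the userPassword rule to the end of RULES shows the ordering problem: the anonymous localhost client then gets read on userPassword instead of auth.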