[Tickets #8269] Re: Tries to bind to LDAP as each user that has a gallery

bugs at horde.org bugs at horde.org
Sat May 16 05:27:34 UTC 2009 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/8269
------------------------------------------------------------------------------
  Ticket             | 8269
  Updated By         | simon at simonandkate.net
  Summary            | Tries to bind to LDAP as each user that has a gallery
  Queue              | Ansel
  Version            | 1.0
  Type               | Bug
  State              | Resolved
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             | Michael Rubinsky
------------------------------------------------------------------------------


simon at simonandkate.net (2009-05-16 01:27) wrote:

OK, I think I've figured this out...

Horde uses the setting $conf[prefs][params][writedn] (which it says is  
for "Bind to LDAP as which user when writing permissions to LDAP") to  
bind with to *read* users' HordePrefs when opening Ansel (for all  
Gallery owners), Wicked pages (for the page author) etc. Making that  
setting a DN with minimum read access to *all users* HordePrefs  
resolves these issues across all apps. Obviously if that user has only  
read access however you can't change any of your own prefs.

Setting it to a user with write access allows you to change your own  
prefs, but also gives you rights (albeit with no obvious ability) to  
change *any* users Prefs, not just read them.

Set it to either "Bind As Admin" (or "Use Search Credentials" with  
$conf[prefs][params][searchdn] set to a user with write access to all  
users' HordePrefs etc) and no more Error 53 on LDAP binds.


That doesn't seem right to me - this setting would appear to me to be  
for the purpose of *writing* one's own prefs, not for reading other  
users' prefs.

What I have done as a 'work-around' is use the  
cn=horde,ou=accounts,dc=simonandkate,dc=lan account that I have for  
groups management, it's got (in slapd.conf):

access to *
	attrs=@hordePerson
	by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write

So all these bugs that I have raised appear to me to come back to a  
Horde LDAP issue - with an LDAP backend it would appear that the  
$conf[prefs][params][writedn] parameter needs to have *all users*  
HordePerson attributes write access - using "Bind As User" in that  
setting will cause the failures logged in the bugs I have raised when  
trying to access another user's prefs.

I would much rather have it set to Bind As User, and have an  
additional setting that the Horde LDAP code uses to READ all users  
HordePrefs etc. Along the lines of a setting  
$conf[prefs][params][readdn] "User Horde uses to bind to LDAP to read  
other users' preferences".

Over to you PHP / LDAP gurus... :)

Simon

More information about the bugs mailing list