[cvs] [Wiki] changed: NewLDAPHowTo

Ben Chavet ben at horde.org
Sun Jun 19 15:22:52 PDT 2005


ben  Sun, 19 Jun 2005 15:22:52 -0700

Modified page: http://wiki.horde.org/NewLDAPHowTo
New Revision:  1.22
Change log:  update configuration instructions to reflect the current fields.

@@ -158,29 +158,85 @@
 ++ Horde Configuration
 
 +++ Authentication
 
-[[image ldap_horde_config.png]]
+[screenshot coming soon]
 
-* **The hostname of the LDAP server** - This is the address of your LDAP server.  If you have a master and one or more slave LDAP servers, you can provide failover here by entering all of your LDAP servers separated by a space.
+**The hostname of the LDAP server** - This is the address of your LDAP server.  If you have a master and one or more slave LDAP servers, you can provide failover here by entering all of your LDAP servers separated by a space.
 
-* **The base DN for the LDAP server** - This is the subtree that horde will search through to find user information.
+**The base DN for the LDAP server** - This is the subtree that horde will search through to find user information.
 
-* **The DN used to bind to the LDAP server** - Because our LDAP directory does not allow anonymous binding, we must provide the binding account here.  If your LDAP directory allows anonymous binding, this can be left blank.
+**The DN used to bind to the LDAP server** - Because our LDAP directory does not allow anonymous binding, we must provide the binding account here.  If your LDAP directory allows anonymous binding, this can be left blank.
 
-* **The password used to bind to the LDAP server** - The password associated with the binding account.  Leave this blank if binding anonymously.
+**The password used to bind to the LDAP server** - The password associated with the binding account.  Leave this blank if binding anonymously.
 
-* **LDAP Protocol Version** - This should almost always be //LDAPv3//.
+**LDAP Protocol Version** - This should almost always be //LDAPv3//.
 
-* **The username search key** - This is the field that stores the username.
+**Is this an AD server?** - Check this if you are querying an Active Directory server.
 
-* **How to specify a filter for the user lists** - Unless you have to use some fancy filters to find users, //One or more objectclass filters// should work fine here.
+**The username search key (set to samaccountname for AC)** - This is the field that stores the username.  If you're using Active Directory, set this field to //samaccountname//
 
-* **The objectclass filter used to search for users. Can be a single objectclass or a list** - This is simply a list of objectClass values that represent valid users.  
+**What objectclasses should a new user account be member of? These objectclasses should cover the cn,sn,userPassword attributes as well as the username search key** - Horde will use these objectclasses when creating a new account.  This value is unused if we enable the //authldap// hook.
 
-+++ User Management
+**How to specify a filter for the user lists** - Unless you have to use some fancy filters to find users, //One or more objectclass filters// should work fine here.
 
-In order to ensure proper user management, we have to put a {{_horde_hook_authldap}} function in {{horde/config/hooks.php}}.  There is an example function in {{horde/config/hooks.php.dist}} which we will use as a base for our function.  
+**The objectclass filter used to search for users. Can be a single objectclass or a list** - This is simply a list of objectClass values that represent valid users.  Any directory entry below the base DN that have **all** of the listed objectclasses are considered to be a valid user.
+
+**Enable the creating of accounts with expiring passwords? (Note: New users should have the shadowAccount objectclass)** - Horde supports expiring passwords.  If you select //yes// here, be sure that your user accounts have a shadowAccount objectclass.
+
++++ Groups
+
+[screenshot coming soon]
+
+**The hostname of the LDAP server** - This is the address of your LDAP server.  If you have a master and one or more slave LDAP servers, you can provide failover here by entering all of your LDAP servers separated by a space.
+
+**The base DN for the LDAP server** - This is the subtree that horde will search through to find user information.
+
+**The DN used to bind to the LDAP server** - Because our LDAP directory does not allow anonymous binding, we must provide the binding account here.  If your LDAP directory allows anonymous binding, this can be left blank.
+
+**The password used to bind to the LDAP server** - The password associated with the binding account.  Leave this blank if binding anonymously.
+
+**LDAP Protocol Version** - This should almost always be //LDAPv3//.
+
+**The group search key** - This is the field that stores the group name.
+
+**Group membership field** - This is the field that stores which users are in this group.
+
+**How to specify a filter for the group lists** - Unless you have to use some fancy filters to find groups, //One or more objectclass filters// should work fine here.
+
+**The objectclass filter used to search for groups. Can be a single objectclass or a list** - This is simply a list of objectClass values that represent valid groups.  Any directory entry below the base DN that have **all** of the listed objectclasses are considered to be a valid group.
+
++++ Preferences
+
+Storing Horde preferences in the LDAP directory adds a large number of attribute entries to every user DN.  If this is something you do not want, you should look into using some other preference backend.
+
+Be sure to include the horde schema as described above.
+
+[screenshot coming soon]
+
+**The hostname of the LDAP server** - This is the address of your LDAP server.  If you have a master and one or more slave LDAP servers, you can provide failover here by entering all of your LDAP servers separated by a space.
+
+**The port of the LDAP server** - This is the port that your LDAP server is listening on.  Most commonly, this will be 389.
+
+**LDAP Protocol Version** - This should almost always be //LDAPv3//.
+
+**The base DN for the LDAP server** - This is the subtree that horde will search through to find user preference information.
+
+**Should Horde bind as each user for that user's write operations?** - If selected, the preferences will be written by binding as the user saving their preferences.  This requires some modification to the LDAP directory permissions that we defined earlier.
+
+<code>
+TODO: define user permissions to read/write preferences.
+</code>
+
+**If not, provide the DN of the root (administrative) account to bind for write operations** - This is not actually asking for the LDAP root account, this is just the DN that horde uses to bind to the LDAP directory.  This account should have write priveleges, which we configured above.
+
+**The password of the root DN for bind authentication** - The password associated with the binding account.  Leave this blank if binding anonymously.
+
+**The username search key** - This is the field that stores the username.  This should be the same value as defined in the Authentication section.
+
++++ Hooks
+
+Horde can do some basic user management based on the objectclass values we gave it in the Authentication configuration.  However, in order to ensure that the LDAP entries are formed exactly how we want them, we must activate the {{_horde_hook_authldap}} function in {{horde/config/hooks.php}}.  There is an example function in {{horde/config/hooks.php.dist}} which we will use as a base for our function.  
 
 <code type="php">
 if (!function_exists('_horde_hook_authldap')) {
     function _horde_hook_authldap($userID, $credentials = null)
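Review bot: the Groups section's base DN entry ("This is the subtree that horde will search through to find user information") was pasted from the Authentication section and still says user information; it should say group information, since this backend searches that subtree for group entries, and a reader copying the page may otherwise point both backends at the same subtree without noticing. In the same hunk, "set to samaccountname for AC" should read "for AD" (the rest of the sentence already says Active Directory). The Preferences entry for "Should Horde bind as each user for that user's write operations?" ends in a code block that says only "TODO: define user permissions to read/write preferences."; that is the security-relevant part of the choice (each user writing only their own preference attributes under their own credentials, versus one write-capable DN and password kept in Horde's config and used on behalf of every user), so either fill in the ACL or state plainly that it is still pending so nobody leaves the default in place assuming it was covered "earlier". Finally, the port entry mentions only plain 389; the bind password (and, for the Authentication backend, each user's login) travel over this connection, so a sentence about ldaps or STARTTLS, and whether the space-separated failover list accepts URLs in that form, would fit here.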
@@ -191,12 +247,10 @@
         } else {
             $entry['cn'] = $userID;
         }
         $entry['sn'] = $userID;
-        $entry['objectclass'][0] = 'top';
-        $entry['objectclass'][1] = 'uidobject';
-        $entry['objectclass'][2] = 'person';
-        $entry['objectclass'][3] = 'hordeperson';
+        $entry['objectclass'][0] = 'shadowaccount';
+        $entry['objectclass'][1] = 'inetorgperson';
         $entry['uid'] = $userID;
 
         // need to check for new users (password) and edited users (user_pass_2)
         if (isset($credentials) && isset($credentials['password'])) {
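Review bot: dropping 'hordeperson' from the objectclass list conflicts with the Preferences section added in the same revision, which stores Horde preferences as attributes on each user DN and tells the reader to load the horde schema; an account created by this hook with only shadowaccount and inetorgperson cannot hold those attributes if the directory enforces its schema, so preference saves for new users would be rejected until the class is added. Suggest keeping it, e.g. `$entry['objectclass'][2] = 'hordeperson';`, or saying in the Hooks text that it must be appended whenever LDAP is the preference backend. The swap from person/uidobject to inetorgperson plus shadowaccount otherwise matches the new expiring-passwords option, which requires shadowAccount, and the hook still sets cn, sn and uid as those classes need.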
@@ -212,27 +266,6 @@
 This hook function also needs to be enabled in the horde configuration.
 
 [[image hook_authldap.png]]
 
-+++ Preferences
-
-Storing Horde preferences in the LDAP directory adds a large number of attribute entries to every user DN.  If this is something you do not want, you should look into using some other preference backend.
-
-To use LDAP to store Horde preferences, set the preference system to use LDAP as its backend.  The field values here are very simular to the Horde configuration.
-
-[[image ldap_pref_config.png]]
-
-* **The hostname of the LDAP server** - This is the address of your LDAP server.  If you have a master and one or more slave LDAP servers, you can provide failover here by entering all of your LDAP servers separated by a space.
-
-
-* **The port of the LDAP server** - This is the port that your LDAP server is listening on.  Most commonly, this will be 389.
-
-* **LDAP Protocol Version** - This should almost always be //LDAPv3//.
-
-* **The base DN for the LDAP server** - This is the subtree that horde will search through to find user preference information.
-
-* **The DN of the root (administrative) account to bind for write operations** - This is not actually asking for the LDAP root account, this is just the DN that horde uses to bind to the LDAP directory.  This account should have write priveleges, which we configured above.  If your LDAP directory allows anonymous binding, this can be left blank.
-
-* **The password of the root DN for bind authentication** - The password associated with the binding account.  Leave this blank if binding anonymously.
-
-* **The username search key** - This is the field that stores the username.
+TODO: Group Hooks
 
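Review bot: the relocated Preferences section dropped the old root-DN line's "If your LDAP directory allows anonymous binding, this can be left blank", which is right for an account that performs writes, but the companion line that survived ("The password of the root DN for bind authentication ... Leave this blank if binding anonymously") still invites an anonymous write bind; remove that sentence as well so the only documented blank-password case is the Authentication backend's search bind. Also "TODO: Group Hooks" lands directly under the [[image hook_authldap.png]] line with no heading, so it reads as part of the authldap hook text; give it its own +++ heading, or a one-line placeholder in the style of the "[screenshot coming soon]" notes, so the gap is visible to readers.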

