[horde] passing authentication information

Tony Earnshaw tonni at billy.demon.nl
Sat Jan 11 07:31:38 PST 2003


Sat, 2003-01-11 at 07:15, Daniel Wittenberg wrote:
> I've been trying to track down some information I don't completely
> understand.  This is turba specific, but I figured the information comes
> from horde so I thought I'd post.  I basically want to have turba
> authenticate to ldap as whomever is logged in, so I can control their
> access via LDAP ACL's.  So, I put this in the turba sources.php:

> 'bind_dn' => 'cn='.Auth::getAuth().'ou=people,o=The Starken Group,c=US',
> 'bind_password' => Auth::getCredential('password'),

> I can connect via ldap and search with my ID from the commandline
> (ldapsearch/add/etc), but from Turba I can't.  Is there something I've
> missed?  I haven't quite understood how this works from what I've read
> so far...help?

Think you've probably misunderstood the whole correlation between PHP
and LDAP.

1: Auth::getAuth() is a function in the PHP Horde class Auth. It checks
for the authenticity of a user by checking an authorization backend
(e.g. the LDAP cn - could also be a uid - and userPassword) with which
he logged in. For example, an IMAP-authenticated (pam_ldap-based) login
might check for cn and userPassword based on LDAP ACLs. dn="cn
john,ou=people,o=The Starken" would authenticate as that, using his
userPassword (the ACL rule "by anonymous auth").

2: The cn or uid which he used to log in does not equate to the dn
'cn='.Auth::getAuth().'ou=people,o=The Starken (why the dot before
"Auth", by the way?), which is a literal and is not interpreted at that
point. What happens is that the PHP script uses the Auth::getAuth
function to establish the dn that originally logged in, and only then
does it call the built-in PHP ldap functions to bind and authenticate as
the original dn.

If this doesn't make sense to you, try and write your own PHP routine to
bind and authenticate to your LDAP server. There are examples enough in
the PHP documentation (PHP4, at least) and books from Wrox, O'Reilly and
others cover it in detail, with practical examples. It's good fun and
good practice too.

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni at billy.demon.nl
www:		http://www.billy.demon.nl
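
A stand-alone routine of the kind the reply suggests writing, as an added example that is not part of the original thread and is not Horde or Turba code. It assumes PHP 7 or later with the ldap extension; the function names, the server URI and the base DN are hypothetical placeholders.

```php
<?php
// Added example: hypothetical helpers, not Horde or Turba code.
// Assumed values: the server URI and base DN are placeholders.
const LDAP_URI    = 'ldaps://ldap.example.com';
const PEOPLE_BASE = 'ou=people,o=Example,c=US';

/**
 * Build the bind DN for a login name. ldap_escape() with LDAP_ESCAPE_DN
 * encodes characters such as "," "+" and "=" so the login name cannot
 * add or change RDN components; the comma before the base is explicit.
 */
function build_bind_dn(string $login, string $base = PEOPLE_BASE): string
{
    if ($login === '') {
        throw new InvalidArgumentException('empty login name');
    }
    return 'cn=' . ldap_escape($login, '', LDAP_ESCAPE_DN) . ',' . $base;
}

/**
 * Bind as the user so the directory's ACLs apply to that identity.
 * Returns the connection on success, null on failure.
 */
function bind_as_user(string $login, string $password)
{
    // A simple bind with an empty password is an unauthenticated bind,
    // which many servers accept; refuse it before contacting the server.
    if ($password === '') {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, build_bind_dn($login), $password)) {
        error_log('LDAP bind failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }
    return $conn;
}

// Constructed sample input: print the DN that would be sent for each name.
echo build_bind_dn('john'), "\n";
echo build_bind_dn('john,ou=admins'), "\n";
```

Printing the DN before binding and comparing it with the one that works from ldapsearch is a quick way to see whether the two clients are binding as the same entry.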




