[horde] passing authentication information
eculp at encontacto.net
Sat Jan 11 07:50:01 PST 2003
Quoting Tony Earnshaw <tonni at billy.demon.nl>:
| lør, 2003-01-11 kl. 07:15 skrev Daniel Wittenberg:
| > I've been trying to track down some information I don't completely
| > understand. This is turba specific, but I figured the information comes
| > from horde so I thought I'd post. I basically want to have turba
| > authenticate to ldap as whomever is logged in, so I can control their
| > access via LDAP ACLs. So, I put this in the turba sources.php:
|
| > 'bind_dn' => 'cn='.Auth::getAuth().'ou=people,o=The Starken
| > Group,c=US',
| > 'bind_password' => Auth::getCredential('password'),
|
| > I can connect via ldap and search with my ID from the commandline
| > (ldapsearch/add/etc), but from Turba I can't. Is there something I've
| > missed? I haven't quite understand how this works from what I've read
| > so far...help?
|
| Think you've probably misunderstood the whole correlation between PHP
| and LDAP.
|
| 1: Auth::getAuth() is a function in the PHP Horde class Auth. It checks
| for the authenticity of a user by checking an authorization backend
| (e.g. the LDAP cn - could also be a uid - and userPassword) with which
| he logged in. For example, an IMAP-authenticated (pam_ldap-based) login
| might check for cn and userPassword based on LDAP ACLs. dn="cn
| john,ou=people,o=The Starken" would authenticate as that, using his
| userPassword (the ACL rule "by anonymous auth").
|
| 2: The cn or uid which he used to log in does not equate to the dn
| 'cn='.Auth::getAuth().'ou=people,o=The Starken (why the dot before
| "Auth", by the way?), which is a literal and is not interpreted at that
| point. What happens is, that the PHP script uses the Auth::getAuth
| function to establish the dn that originally logged in, and only then
| does it call the built in PHP ldap functions to bind and authenticate as
| the original dn.
|
| If this doesn't make sense to you, try and write your own PHP routine to
| bind and authenticate to your LDAP server. There are examples enough in
| the PHP documentation (PHP4, at least) and books from Wrox, O'Reilly and
| others cover it in detail, with practical examples. It's good fun and
| good practice too.
Daniel and Tony,
While the above could be true, the flexibility of both horde and ldap can make
it false. In my case I use 'mail=' . Auth::GetAuth() ... because I use
the vhosts hook to login with the uid + @domain.com setting Auth::GetAuth()
to the email address. Many folks simply login with the gid that is/can be
the cn attribute. You might want to do some testing here, I disagree with
your "literal and is not interpreted" statement, if I'm understanding it
correctly as well as the statement about the dot. I do suffer somewhat
from dyslexia, it gets me in trouble often:-), so if I didn't understand
I apologize.
Hope you both have a great weekend and Daniel you are able to get this
going. I think you are about there. Don't forget to check the logs
and add debugging if need be.
ed
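As an added example (not code from this thread, nor from Horde or Turba), here is the per-user bind the original question is after, written out in plain PHP so the pieces are visible. The dot in `'cn='.Auth::getAuth().'...'` is PHP's string concatenation operator, so the DN is assembled from the authenticated login name when sources.php is evaluated. The helper names `escape_dn_value`, `build_bind_dn` and `bind_as_user`, the host `ldap.example.test`, the base DN and the sample user are assumptions for illustration; `$auth_user` and `$auth_password` stand in for `Auth::getAuth()` and `Auth::getCredential('password')`.

```php
<?php
// Added example, not Horde/Turba code: build a per-user LDAP bind DN from the
// identity the Horde Auth layer returns, then bind as that user so the
// directory's own ACLs decide what the address book may read or write.
// $auth_user stands in for Auth::getAuth(), $auth_password for
// Auth::getCredential('password'). Host, base DN and user are constructed.

// Escape one attribute value for use inside a DN (RFC 4514 rules) so that a
// login name containing ',' '+' '"' '\' '<' '>' ';' '=' or a leading/trailing
// space cannot change the structure of the DN being bound to. In PHP >= 5.6
// ldap_escape($value, '', LDAP_ESCAPE_DN) does the same job.
function escape_dn_value($value)
{
    $value = str_replace(
        array('\\',   ',',   '+',   '"',   '<',   '>',   ';',   '='),
        array('\\\\', '\\,', '\\+', '\\"', '\\<', '\\>', '\\;', '\\='),
        $value
    );
    $first = substr($value, 0, 1);
    if ($first === ' ' || $first === '#') {
        $value = '\\' . $value;           // leading space or '#' must be escaped
    }
    if (substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ ';   // trailing space likewise
    }
    return $value;
}

// Build "attr=value,<base>". Note the comma after the value: the sources.php
// snippet quoted above, 'cn='.Auth::getAuth().'ou=people,...', has no comma
// and therefore produces "cn=johnou=people,...", which matches no entry.
function build_bind_dn($attr, $value, $base_dn)
{
    return $attr . '=' . escape_dn_value($value) . ',' . $base_dn;
}

// Bind as the user. StartTLS is negotiated first so the user's password does
// not cross the wire in clear text, and the function fails closed if that
// cannot be done. Returns array(connection_or_false, message).
function bind_as_user($host, $bind_dn, $password)
{
    if ($password === null || $password === '') {
        // A simple bind with an empty password is treated as an anonymous
        // bind by many servers, which would silently bypass the per-user ACLs.
        return array(false, 'refusing to bind with an empty password');
    }
    $ds = ldap_connect($host);
    if (!$ds) {
        return array(false, 'ldap_connect failed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($ds)) {
        return array(false, 'StartTLS failed: ' . ldap_error($ds));
    }
    if (!@ldap_bind($ds, $bind_dn, $password)) {
        // ldap_error() is the text to log when ldapsearch works from the
        // shell but the same credentials fail from inside the web app.
        return array(false, 'bind as ' . $bind_dn . ' failed: ' . ldap_error($ds));
    }
    return array($ds, 'ok');
}

// --- constructed sample usage ------------------------------------------
$auth_user     = 'jdoe';                   // what Auth::getAuth() would return
$auth_password = 'example-password';       // Auth::getCredential('password')
$base_dn       = 'ou=people,o=Example Org,c=US';

// Use 'cn' when users log in with their cn; use 'mail' when a vhosts hook
// makes Auth::getAuth() return user@domain, as the reply above describes.
$bind_dn = build_bind_dn('cn', $auth_user, $base_dn);
// $bind_dn is now "cn=jdoe,ou=people,o=Example Org,c=US"

list($ds, $msg) = bind_as_user('ldap://ldap.example.test', $bind_dn, $auth_password);
if ($ds === false) {
    error_log('turba ldap: ' . $msg);      // lands in the web server error log
} else {
    // Whatever this search returns is exactly what the LDAP ACLs grant jdoe.
    $sr = ldap_search($ds, $base_dn, '(objectClass=person)', array('cn', 'mail'));
    echo 'entries visible to ' . $bind_dn . ': ' . ldap_count_entries($ds, $sr) . "\n";
    ldap_unbind($ds);
}
```

In a real sources.php the two functions collapse into the `'bind_dn'` and `'bind_password'` entries, with `build_bind_dn('cn', Auth::getAuth(), $base_dn)` in place of the hand-written concatenation; the escaping and the comma are the parts most easily lost when the DN is spliced together inline.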