[horde] connecting to LDAP

Michael Eichenberger michael.eichenberger at stepping-stone.ch
Wed Sep 21 05:14:21 PDT 2005


Hi Silver

>Right now, for authenticating users, Horde connects to LDAP with username 
>'cn=horde,ou=systemaccounts,dc=example,dc=dom' and password 'mypassword'.
>
>But I want it to connect with username and password that are somehow derived 
>from username and password provided by user currently logging in.
>
>For instance, if I'm logging in with username 'silver at ultrasoft.ee' and 
>password 'silverpassword', I'd expect Horde to connect with 
>'cn=silver,cn=ultrasoft.ee,dc=hosting,dc=example,dc=dom' and password 
>'silverpassword'.
>
vi config/conf.php

$conf['auth']['params']['hostspec'] = 'ldaps://ldapm.example.ch:636';
$conf['auth']['params']['basedn'] = 'ou=mail,ou=service,o=example,c=ch';
// With the following two entries, we can force Horde to authenticate
// with the user's credentials
$conf['auth']['params']['binddn'] = NULL;
$conf['auth']['params']['password'] = NULL;
$conf['auth']['params']['version'] = '3';
$conf['auth']['params']['uid'] = 'mail';
$conf['auth']['params']['objectclass'] = array('JammMailAccount');
$conf['auth']['params']['filter_type'] = 'objectclass';
$conf['auth']['driver'] = 'ldap';

With this, you tell the ldap driver to do a subsearch on the SubTree 
'ou=mail,ou=service,o=example,c=ch'

In this case, the user can bind with 
'mail=user at example.ch,jvd=example.ch,ou=mail,ou=service,o=example,c=ch' :-)

I guess, this is what you need?

To make the Horde Preferences domain.tld independent, I had to change 
the lib/Horde/Prefs/ldap.php driver according to the following bugfix 
(search for fetchdn):

http://cvs.horde.org/co.php/framework/Prefs/Prefs/ldap.php?r=1.94

And the setup would look like this in the config/conf.php file (mail and 
preferences are in different backends):

$conf['prefs']['params']['hostspec'] = 'ldaps://ldapm.example.ch:636';
$conf['prefs']['params']['version'] = '3';
$conf['prefs']['params']['basedn'] = 'ou=webtop,ou=service,o=example,c=ch';
$conf['prefs']['params']['fetchdn'] = true;
$conf['prefs']['params']['uid'] = 'ou';
$conf['prefs']['driver'] = 'ldap';

Regards, Michael


>In this way the user that is currently logging in couldn't read any 
>information besides his own (even if he tried, due to some security hole or 
>smth) because he's not given enough rights in LDAP-server. And I shouldn't be 
>afraid of exposing my configuration file.
>
>I hope my wish is more clear now :)
>
>PS. I didn't find such hook from hooks.php either.
>
>Silver
>
>>Quoting Silver Salonen <silver at ultrasoft.ee>:
>>
>>>Hi.
>>>
>>>I've set up Horde to authenticate users from LDAP. The only thing I'm
>>>currently worrying about a little is that Horde connects to LDAP with 
>>>static username and password.
>>>
>>>I've given all users access to their entries:
>>>access to *
>>>	by self write
>>>	by anonymous auth
>>>	by * none
>>>
>>>I think it would be more secure if I didn't have to give some special user
>>>special access-rights and Horde connected to LDAP with username and 
>>>password provided by user trying to log in.
>>>
>>I assume that by "special user" you are talking about binding with your 
>>rootdn?
>>if so, no, it isn't necessary.  Be sure and browse through:
>>  horde/config/hooks.php.dist
>>If you are referring to the horde admin user, it only uses ldap for 
>>authentication like all other users and requires an entry in 
>>horde/config/conf.php like:
>>  $conf['auth']['admins'] = array('<silver at ultrasoft.ee>');
>>in your horde/config/conf.php, assuming that you are using mail for ldap 
>>auth; if not, it is your user name.
>>
>>Hope that helps,
>>
>>ed
>>
>>>Is it possible?
>>>
>>>Thanks in advance,
>>>Silver

-- 
visit: http://www.example.ch
--
e-mail: michael.eichenberger at example.ch
mobile: +41 76 392 36 23
icq: 238901781
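The search-then-bind flow that Michael's NULL binddn/password configuration above switches on, written out as an added PHP example with ext/ldap; this is not Horde's own driver code. The URI, base DN, uid attribute and JammMailAccount objectclass are taken from the posted conf.php, while the function names and the assumption that the subtree allows an anonymous search are mine.

```php
<?php
// Added example, not Horde's driver code: the search-then-bind flow that a
// NULL binddn/password turns on. Values come from the posted conf.php.
const LDAP_URI    = 'ldaps://ldapm.example.ch:636';
const BASE_DN     = 'ou=mail,ou=service,o=example,c=ch';
const UID_ATTR    = 'mail';              // $conf['auth']['params']['uid']
const OBJECTCLASS = 'JammMailAccount';   // $conf['auth']['params']['objectclass']

// Subtree search filter for the login name. ldap_escape() stops a crafted
// login such as "*)(objectClass=*" from rewriting the filter.
function buildUserFilter(string $login): string
{
    return sprintf('(&(objectClass=%s)(%s=%s))',
        ldap_escape(OBJECTCLASS, '', LDAP_ESCAPE_FILTER),
        UID_ATTR,
        ldap_escape($login, '', LDAP_ESCAPE_FILTER));
}

// Returns the connection bound as the user, or null if authentication fails.
function authenticateAsUser(string $login, string $password)
{
    // Reject an empty password before binding: a DN with no password is an
    // unauthenticated bind (RFC 4513 5.1.2) and some servers let it succeed.
    if ($password === '') {
        return null;
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // 'version' => '3'
    // Step 1: find the entry's DN. Assumes the directory allows an anonymous
    // search of this subtree; otherwise use a read-only search account here.
    if (!@ldap_bind($ds)) {
        return null;
    }
    $res = @ldap_search($ds, BASE_DN, buildUserFilter($login), ['dn']);
    if ($res === false || ldap_count_entries($ds, $res) !== 1) {
        ldap_unbind($ds);       // no match or an ambiguous match: refuse
        return null;
    }
    $dn = ldap_get_dn($ds, ldap_first_entry($ds, $res));
    // Step 2: bind as the user with the supplied password; nothing privileged
    // sits in conf.php and the session has only the user's own rights.
    if (!@ldap_bind($ds, $dn, $password)) {
        ldap_unbind($ds);
        return null;
    }
    return $ds;
}
```

Note that with an ACL like Silver's ("by anonymous auth", "by * none") the anonymous search in step 1 returns nothing, so step 1 then needs a low-privilege search identity even though step 2 still binds as the user.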