[horde] connecting to LDAP

Silver Salonen silver at ultrasoft.ee
Wed Sep 21 07:15:26 PDT 2005


Hi Michael!

That's almost that! :D

The only thing is that I suppose the users won't be very happy if they had to 
log in with such a long username. Isn't it possible to parse username a 
little bit before sending it to LDAP?

But even with settings suggested by you I couldn't log in. Horde says: "Empty 
result."

I changed my config to:
$conf['auth']['params']['hostspec'] = 'localhost';
$conf['auth']['params']['basedn'] = 'dc=mail,dc=hosting,dc=example,dc=dom';
$conf['auth']['params']['binddn'] = NULL;
$conf['auth']['params']['password'] = NULL;
$conf['auth']['params']['version'] = '3';
$conf['auth']['params']['uid'] = 'mail';
$conf['auth']['params']['objectclass'] = array('courierMailAccount');
$conf['auth']['params']['filter_type'] = 'objectclass';
$conf['auth']['driver'] = 'ldap';

In LDAP I've got user:
mail=silver at ultrasoft.ee,cn=ultrasoft.ee,dc=mail,dc=hosting,dc=example,dc=dom

OpenLDAP debugging log:
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 fd=15 ACCEPT from IP=127.0.0.1:57431 (IP=127.0.0.1:389)
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SRCH base="dc=mail,dc=hosting,dc=example,dc=dom" scope=2 deref=0 filter="(mail=silver at ultrasoft.ee)"
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SRCH attr=mail
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=1 UNBIND
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 fd=15 closed

As I understand, Horde actually doesn't try to bind into LDAP with such 
configuration. And so it doesn't get any info from LDAP.

And what did you mean by "making the Horde Preferences domain.tld 
independent"?

Silver

> Hi Silver
> 
> >Right now, for authenticating users, Horde connects to LDAP with username 
> >'cn=horde,ou=systemaccounts,dc=example,dc=dom' and password 'mypassword'.
> >
> >But I want it to connect with username and password that are somehow derived 
> >from username and password provided by user currently logging in.
> >
> >For an instance, if I'm logging in with username 'silver at ultrasoft.ee' and 
> >password 'silverpassword', I'd expect Horde to connect with 
> >'cn=silver,cn=ultrasoft.ee,dc=hosting,dc=example,dc=dom' and password 
> >'silverpassword'.
> >  
> >
> vi config/conf.php
> 
> $conf['auth']['params']['hostspec'] = 'ldaps://ldapm.example.ch:636';
> $conf['auth']['params']['basedn'] = 'ou=mail,ou=service,o=example,c=ch';
> // With the following two entries, we can force Horde to authenticate 
> with the users credentials
> $conf['auth']['params']['binddn'] = NULL;
> $conf['auth']['params']['password'] = NULL;
> $conf['auth']['params']['version'] = '3';
> $conf['auth']['params']['uid'] = 'mail';
> $conf['auth']['params']['objectclass'] = array('JammMailAccount');
> $conf['auth']['params']['filter_type'] = 'objectclass';
> $conf['auth']['driver'] = 'ldap';
> 
> With this, you tell the ldap driver to do a subsearch on the SubTree 
> 'ou=mail,ou=service,o=example,c=ch'
> 
> In this case, the user can bind with 
> 'mail=user at example.ch,jvd=example.ch,ou=mail,ou=service,o=example,c=ch' :-)
> 
> I guess, this is what you need?
> 
> To make the Horde Preferences domain.tld independent, I had to change 
> the lib/Horde/Prefs/ldap.php driver according to the following bugfix 
> (search for fetchdn):
> 
> http://cvs.horde.org/co.php/framework/Prefs/Prefs/ldap.php?r=1.94
> 
> And the setup would look like this in the config/conf.php file (mail and 
> preferences are in different backends):
> 
> $conf['prefs']['params']['hostspec'] = 'ldaps://ldapm.example.ch:636';
> $conf['prefs']['params']['version'] = '3';
> $conf['prefs']['params']['basedn'] = 'ou=webtop,ou=service,o=example,c=ch';
> $conf['prefs']['params']['fetchdn'] = true;
> $conf['prefs']['params']['uid'] = 'ou';
> $conf['prefs']['driver'] = 'ldap';
> 
> Regards, Michael
> 
> 
> >In this way the user that is currently logging in couldn't read any 
> >information besides his own (even if he tried, due to some security hole or 
> >smth) because he's not given enough rights in LDAP-server. And I shouldn't be 
> >afraid of exposing my configuration file.
> >
> >I hope my wish is more clear now :)
> >
> >PS. I didn't find such hook from hooks.php either.
> >
> >Silver
> >
> >  
> >
> >>Quoting Silver Salonen <silver at ultrasoft.ee>:
> >>
> >>    
> >>
> >>>Hi.
> >>>
> >>>I've set up Horde to authenticate users from LDAP. The only thing I'm
> >>>currently worrying about a little is that Horde connects to LDAP with static
> >>>username and password.
> >>>
> >>>I've given all users access to their entries:
> >>>access to *
> >>>	by self write
> >>>	by anonymous auth
> >>>	by * none
> >>>
> >>>I think it would be more secure if I didn't have to give some special user
> >>>special access-rights and Horde connected to LDAP with username and password
> >>>provided by user trying to log in.
> >>>
> >>I assume that by "special user" you are talking about binding with your 
> >>rootdn?
> >>if so, no, it isn't necessary.  Be sure and browse through:
> >>  horde/config/hooks.php.dist
> >>If you are referring to the horde admin user, it only uses ldap for 
> >>authentication like all other users and requires an entry in 
> >>horde/config/conf.php like:
> >>  $conf['auth']['admins'] = array('<silver at ultrasoft.ee>');
> >>in your horde/config/conf.php assuming that you are using mail for ldap 
> >>auth if not it is your user name.
> >>
> >>Hope that helps,
> >>
> >>ed
> >>
> >>    
> >>
> >>>Is it possible?
> >>>
> >>>Thanks in advance,
> >>>Silver
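An added example, not code from the thread or from Horde: a small Python checker for slapd stats-log lines like the ones Silver posted. It correlates each connection's BIND, SRCH and SEARCH RESULT entries and flags a DN lookup that ran with no prior BIND (i.e. anonymously) and came back with nentries=0, which is exactly the pattern in the log above when binddn is NULL and the ACL grants anonymous only `auth` rather than search/read access. The sample log is the post's own lines re-joined; the `analyze` function name is my own.

```python
import re
from collections import defaultdict

# Sample slapd stats log: the lines from Silver's post above, re-joined onto single lines.
SAMPLE_LOG = """\
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 fd=15 ACCEPT from IP=127.0.0.1:57431 (IP=127.0.0.1:389)
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SRCH base="dc=mail,dc=hosting,dc=example,dc=dom" scope=2 deref=0 filter="(mail=silver at ultrasoft.ee)"
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SRCH attr=mail
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 op=1 UNBIND
Sep 21 17:03:38 mymachine slapd[95941]: conn=93 fd=15 closed
"""

# "conn=N [op=M] VERB rest" is the common prefix of every slapd stats line.
CONN_RE = re.compile(r"conn=(\d+)(?: op=(\d+))? (\S+)(.*)")
FILTER_RE = re.compile(r'filter="([^"]*)"')
NENTRIES_RE = re.compile(r"nentries=(\d+)")
BIND_DN_RE = re.compile(r'dn="([^"]*)"')

def analyze(log_text):
    """Return one finding per connection whose user-entry lookup ran anonymously and found nothing."""
    conns = defaultdict(lambda: {"bound_as": None, "filter": None, "nentries": None})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, _op, verb, rest = m.groups()
        state = conns[conn]
        if verb == "BIND":
            dn = BIND_DN_RE.search(rest)
            # slapd logs an anonymous simple bind as dn=""; treat that as still anonymous.
            state["bound_as"] = dn.group(1) if dn and dn.group(1) else None
        elif verb == "SRCH" and "filter=" in rest:
            state["filter"] = FILTER_RE.search(rest).group(1)
        elif verb == "SEARCH" and "nentries=" in rest:
            state["nentries"] = int(NENTRIES_RE.search(rest).group(1))
    findings = []
    for conn, s in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if s["filter"] is not None and s["nentries"] == 0 and s["bound_as"] is None:
            findings.append({
                "conn": conn,
                "filter": s["filter"],
                "reason": "anonymous search for the login entry returned no entries; "
                          "check that the slapd ACL grants anonymous search/read on the uid attribute",
            })
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"conn={finding['conn']} filter={finding['filter']}: {finding['reason']}")
```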

