[horde] Horde 3.1.1 not obeying LDAP groups for permissions.

Robert Sink sinkr at cbl.umces.edu
Wed May 31 18:58:17 PDT 2006


Hello--

I'm running an OpenLDAP backend from which I am getting my group
information.  This works; however, one thing I notice when going
to Administration->Groups is that, after clicking on the group name
(which is correctly populated), I am getting the full LDAP entry, like so:

uid=user,ou=People,dc=domain,dc=com

...instead of just the user ID.

A typical group declaration LDIF is like so:

dn: cn=ComputerCenter,dc=domain,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: ComputerCenter
uniqueMember: uid=somebody,ou=People,dc=domain,dc=com
description: People who work in the computer center.

The pertinent snippet of Horde's config looks like so:

$conf['group']['params']['hostspec'] = 'my.ldap.server';
$conf['group']['params']['basedn'] = 'dc=domain,dc=com';
$conf['group']['params']['binddn'] = 'cn=Manager,dc=domain,dc=com';
$conf['group']['params']['password'] = 'MYPASSWORD';
$conf['group']['params']['version'] = '3';
$conf['group']['params']['gid'] = 'cn';
$conf['group']['params']['memberuid'] = 'uniqueMember';
$conf['group']['params']['newgroup_objectclass'] = array('top','groupOfUniqueNames');
$conf['group']['params']['objectclass'] = array('groupOfUniqueNames');
$conf['group']['params']['filter_type'] = 'objectclass';
$conf['group']['driver'] = 'ldap';

My primary LDAP authentication config looks like so:

$conf['auth']['admins'] = array('some', 'admin', 'names');
$conf['auth']['checkip'] = true;
$conf['auth']['checkbrowser'] = true;
$conf['auth']['alternate_login'] = false;
$conf['auth']['redirect_on_logout'] = false;
$conf['auth']['params']['hostspec'] = 'my.ldap.server';
$conf['auth']['params']['basedn'] = 'ou=People,dc=domain.com';
$conf['auth']['params']['version'] = '3';
$conf['auth']['params']['ad'] = false;
$conf['auth']['params']['uid'] = 'uid';
$conf['auth']['params']['encryption'] = 'REMOVED';
$conf['auth']['params']['newuser_objectclass'] = array('top', 'person',
    'posixAccount', 'shadowAccount', 'inetLocalMailRecipient',
    'organizationalPerson', 'inetOrgPerson');
$conf['auth']['params']['objectclass'] = array('shadowAccount');
$conf['auth']['params']['filter_type'] = 'objectclass';
$conf['auth']['params']['minage'] = '5';
$conf['auth']['params']['maxage'] = '180';
$conf['auth']['params']['warnage'] = '14';
$conf['auth']['params']['password_expiration'] = 'yes';
$conf['auth']['driver'] = 'ldap';

If I switch to a SQL-based group classification and create
test groups that coincide with what I've already populated in
Permissions, the permission system works correctly, but if I switch
back to LDAP, the permission definitions are ignored and it's a
free-for-all.

I've done some debugging with Zend Performance Suite & Zend Studio
with a breakpoint circa line 514 of lib/Horde/Group/ldap.php; I see
that $group gets populated such that it should match, but there is
some disconnect somewhere that I cannot discern.

Any ideas on where else I should look?
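The symptom described above (uniqueMember holding full DNs while the auth driver yields a bare uid) can be reproduced outside Horde. The following is an added example, not Horde's code or the poster's, and it assumes, purely as an assumption about the failure mode, that a membership lookup compares the bare uid literally against the raw attribute values; the member DNs are constructed to mirror the LDIF in the post.

```php
<?php
// Added example (not Horde's code): constructed group members copied from the
// shape of the groupOfUniqueNames LDIF above. uniqueMember stores full DNs.
$groupMembers = array(
    'uid=somebody,ou=People,dc=domain,dc=com',
    'uid=user,ou=People,dc=domain,dc=com',
);

// Reduce a DN such as "uid=user,ou=People,dc=domain,dc=com" to the value of
// its leading RDN ("user"). Stops at the first unescaped comma and unescapes
// simple backslash escapes. A value that is not a DN (already a bare uid) is
// returned unchanged.
function rdnValue($member, $attr = 'uid')
{
    $pattern = '/^' . preg_quote($attr, '/') . '=((?:\\\\.|[^,\\\\])*)/i';
    if (preg_match($pattern, $member, $m)) {
        return stripslashes($m[1]);
    }
    return $member;
}

// Assumed naive check: literal comparison against the stored attribute values.
// With uniqueMember holding full DNs, a bare uid never matches.
function isMemberLiteral($uid, array $members)
{
    return in_array($uid, $members, true);
}

// Normalised check: compare the uid against the leading RDN of each member.
// Works for both full DNs and bare uids, so the same group entry satisfies
// either storage convention.
function isMemberByRdn($uid, array $members)
{
    foreach ($members as $member) {
        if (strcasecmp(rdnValue($member), $uid) === 0) {
            return true;
        }
    }
    return false;
}

var_dump(isMemberLiteral('user', $groupMembers));
var_dump(isMemberByRdn('user', $groupMembers));
```

The literal check fails and the RDN-normalised check succeeds for the same user, which is the kind of mismatch to look for when comparing the uid the auth driver returns with what the group driver reads from uniqueMember.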
