[horde] Active Directory - Kronolith Calendar Group Permissions
Mike Peachey
mike.peachey at jennic.com
Fri Jan 18 12:07:17 UTC 2008
X-Relates-To: Kronolith
X-Relates-To: Active Directory
X-Relates-To: Group Permissions
Since I am using AD for LDAP authentication, I cannot set group
permissions on a calendar. The reason for this is that the "Select a
group to add:" combo box does not populate with the group data. I have
discovered, through a little debugging, that the cause for this is a
subtle difference between OpenLDAP and Active Directory and how member
information is stored.
By default, Kronolith is set up to only list the groups of which the
current logged-in user is a member, so you would only see groups listed
that you are a member of. However, in order to do this, it sets a filter
on the LDAP search of the form member=$username (or, more precisely,
`($this->_params['memberuid'] . '=' . $user)`)
(HORDEROOT/lib/Horde/Group/ldap.php).
This is fine for OpenLDAP which stores group members as usernames (I
think), but in AD they are stored as Full DNs e.g.: member=CN=Test
User,OU=Organisation,dc=Domain,dc=TLD.
There are two ways to solve this problem, one is simple, but the
consequences are unknown, the other is complex.
The complex, but perfect, solution would be to write into the code extra
AD support, and possibly a checkbox on the config page for "Are groups
in an AD server" that would, instead of searching for groups on a user
filter, search for memberOf within the current user.
The simpler solution is to simply remove the member filter so that the
combo box populates with all available groups. Permission-wise I like
this solution, as there is no reason why any individual user should not
be able to assign view rights for their calendar to a group they are not
a member of; in fact this may even be considered a desirable feature.
What I don't know is what effect this change may have on other parts of
the horde code.
So really, other than bringing this problem to the attention of others,
I am posting this to ask a question:
If I simply change the group search in the getGroupMemberships function
in lib/Group/ldap.php so that instead of filtering on the user, it
doesn't filter at all and returns all known groups - am I likely to
cause any undesirable changes to the function of anything else within
Kronolith or any other application in the Horde suite?
--
Kind Regards,
__________________________________________________
Mike Peachey, IT
Tel: +44 114 281 2655
Fax: +44 114 281 2951
Jennic Ltd, Furnival Street, Sheffield, S1 4QT, UK
Comp Reg No: 3191371 - Registered In England
http://www.jennic.com
__________________________________________________
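An added example, not part of the post above and not Horde's own code: a stand-in in Python for the lookup the PHP group driver performs, showing why a `(memberuid=$user)` filter finds nothing against Active Directory, how the two-step lookup (login to DN, then groups whose `member` holds that DN) and the `memberOf` read that the post suggests both work there, and why the value must be escaped before it goes into the filter. The directory contents, DNs and logins are constructed sample data; the attribute names (`memberUid`, `member`, `memberOf`, `sAMAccountName`) are the usual ones and are assumptions about a deployment, not Horde configuration keys.

```python
import re

# Added example, not Horde's code. The directory contents below are constructed
# sample data; attribute names are the conventional ones for posixGroup (OpenLDAP)
# and Active Directory and are assumptions about the deployment.

# RFC 4515: these characters must be escaped as \XX inside a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value):
    """Escape a value (login name or DN) before interpolating it into a filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)

def equality_filter(attr, value):
    """The shape the Horde driver builds: (<memberattr>=<value>), value escaped."""
    return '(%s=%s)' % (attr, escape_filter_value(value))

# Constructed OpenLDAP data: posixGroup entries, memberUid holds the bare login.
OPENLDAP = {
    'cn=calendar-users,ou=groups,dc=example,dc=com':
        {'objectClass': ['posixGroup'], 'memberUid': ['tuser', 'jsmith']},
    'cn=admins,ou=groups,dc=example,dc=com':
        {'objectClass': ['posixGroup'], 'memberUid': ['jsmith']},
}

# Constructed AD data: group entries, member holds the user's full DN.
TEST_USER_DN = 'CN=Test User,OU=Organisation,DC=Domain,DC=TLD'
SMITH_DN = 'CN=Smith (Contractor),OU=Organisation,DC=Domain,DC=TLD'  # parentheses in the DN
CAL_GROUP_DN = 'CN=Calendar Users,OU=Groups,DC=Domain,DC=TLD'
ADMIN_GROUP_DN = 'CN=Admins,OU=Groups,DC=Domain,DC=TLD'
AD = {
    TEST_USER_DN: {'sAMAccountName': ['tuser'], 'memberOf': [CAL_GROUP_DN]},
    SMITH_DN: {'sAMAccountName': ['jsmith'], 'memberOf': [CAL_GROUP_DN, ADMIN_GROUP_DN]},
    CAL_GROUP_DN: {'objectClass': ['group'], 'member': [TEST_USER_DN, SMITH_DN]},
    ADMIN_GROUP_DN: {'objectClass': ['group'], 'member': [SMITH_DN]},
}

_SIMPLE = re.compile(r'^\((\w+)=(.*)\)$')

def search(directory, filt):
    """Tiny stand-in for an LDAP search over an in-memory directory. Supports an
    equality filter (attr=value) and the presence filter (attr=*); matching is
    case-insensitive, as it is for DNs and login names. Returns sorted DNs."""
    m = _SIMPLE.match(filt)
    if not m:
        raise ValueError('unsupported filter: %s' % filt)
    attr, raw = m.group(1), m.group(2)
    hits = []
    for dn, attrs in directory.items():
        values = attrs.get(attr, [])
        if raw == '*':                      # unescaped '*' is a presence match
            if values:
                hits.append(dn)
        elif any(v.lower() == _unescape(raw).lower() for v in values):
            hits.append(dn)
    return sorted(hits)

def user_dn(directory, login):
    """AD step 1: resolve the login name to the entry's full DN."""
    hits = search(directory, equality_filter('sAMAccountName', login))
    if len(hits) != 1:
        raise LookupError('expected one entry for %r, got %d' % (login, len(hits)))
    return hits[0]

def groups_of(directory, login, backend):
    """Groups the user belongs to, built the way each directory stores membership."""
    if backend == 'openldap':
        # memberUid holds the bare login name, so one search is enough.
        return search(directory, equality_filter('memberUid', login))
    if backend == 'ad':
        # member holds the full DN, so resolve the DN first and match on that.
        return search(directory, equality_filter('member', user_dn(directory, login)))
    raise ValueError('unknown backend %r' % backend)

def groups_via_memberof(directory, login):
    """The alternative the post suggests for AD: read memberOf from the user entry."""
    return sorted(directory[user_dn(directory, login)].get('memberOf', []))
```

Against the AD data, `search(AD, equality_filter('member', 'tuser'))` returns nothing, which is the empty combo box described above, while `groups_of(AD, 'tuser', 'ad')` and `groups_via_memberof(AD, 'tuser')` both return the calendar group. The escaping matters for either route: a login of `*` becomes `\2a` and matches only a literal asterisk, whereas the raw `(sAMAccountName=*)` would match every user, and a DN containing parentheses, as `SMITH_DN` does, would otherwise produce a malformed filter.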