[horde] ACL for Turba

Bill Day williamson.day at gmail.com
Sat Nov 8 19:07:33 UTC 2008


Jan,

Thanks very much for your response.  I finally managed to get the
personal_ldap address book working (properly, I think).  In
the hope that other Turba users may benefit, I am sharing my
configuration, but more experienced LDAP users may correct
redundancies and identify refinements.  As usual, no warranties, etc.

I am using Ubuntu 8.10, Intrepid Ibex.  Ubuntu has adopted OpenLDAP
2.4, which no longer uses a slapd.conf file.  The most helpful guide I
was able to find is the OpenLDAP Administrator's Guide, at
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration.

Instead of the slapd.conf file, OpenLDAP's configuration is now
contained in the database itself under cn=config.  After a lot of
trial and error, I was able to figure out that the easiest way for me
to access cn=config was to log into phpldapadmin as
"cn=admin,cn=config" with my master OpenLDAP password.  Most other
tools did not seem to give me access to cn=config, but others'
experience may vary.  After clicking on cn=config in phpldapadmin,
you need to "display children" and look for the table containing
"olcAccess".

For the configuration that I outlined in my initial post, the
ACL/olcAccess that ultimately worked for me was as follows:

olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=williamsonday,dc=local" write by anonymous auth by self write by * none

olcAccess: {1}to dn.regex="[+.]?ou=([^,]+),ou=Personal,ou=Contacts,dc=williamsonday,dc=local$" by dn.exact,expand="uid=$1,ou=People,dc=williamsonday,dc=local" write by dn="cn=admin,dc=williamsonday,dc=local" write

olcAccess: {2}to dn.regex="^ou=([^,]+),ou=Personal,ou=Contacts,dc=williamsonday,dc=local$" attrs=entry,@inetOrgPerson by dn.exact,expand="uid=$1,ou=People,dc=williamsonday,dc=local" write by dn="cn=admin,dc=williamsonday,dc=local" write

olcAccess: {3}to dn.regex="^ou=([^,]+),ou=Personal,ou=Contacts,dc=williamsonday,dc=local$" attrs=children by dn.exact,expand="uid=$1,ou=People,dc=williamsonday,dc=local" write by dn="cn=admin,dc=williamsonday,dc=local" write

olcAccess: {4}to dn.base="" by * read

olcAccess: {5}to * by dn="cn=admin,dc=williamsonday,dc=local" write by * read

As I have discovered, the biggest factor in getting the ACLs right
seems to be remembering that more specific ACLs must precede more
general ACLs, i.e. if OpenLDAP applies a read ACL to * before it
reaches my specific address book, my ACL giving a user write
permissions to the address book will be to no avail.  Pretty basic
stuff, but on this score I am a pretty basic kind of guy.

One last thought for the many people who are more knowledgeable about
LDAP than I am.  It would be helpful if there were clearer directions
on how to incorporate schema into OpenLDAP 2.4 (other
than hoping they will be picked up in a deprecated slapd.conf.)  I did
experiment a bit with trying to convert the horde.schema into a
horde.ldif, but OpenLDAP would not add it.  If anyone has any pointers
on how to do this efficiently, I would certainly be grateful.

A final word of appreciation for the Horde developers:  your work is
demonstrably superior and I really appreciate your providing us with
these great tools.

Sincerely,

Bill Day

On Sat, Nov 8, 2008 at 12:48 PM, Jan Schneider <jan at horde.org> wrote:
>
> Quoting Bill Day <williamson.day at gmail.com>:
>
>> I have been able to configure personal_ldap in sources.php for Turba
>> successfully in the past, but for some reason I am having a devil of a time
>> writing ACL's for OpenLDAP 2.4 that will give an individual user write
>> access to his personal address book.  Although I have spent a fair bit of
>> time with the Administrator's Handbook on openldap.org and the Horde Wiki,
>> other documentation seems to be sparse and Mr. Google is not providing
>> helpful answers.  I have the following questions:
>>
>> 1) Is there additional documentation that I need to look at?
>
> None that I know of, but I'm not an LDAP guru.
>
>> 2) Is this list the appropriate place to ask for help?  If not, is there a
>> more appropriate list?
>
> The Turba list, which I Cc.
>
>> 3) There might also be a possibility that OpenLDAP is not reading all of my
>> schema from slapd.conf to the new configuration in cn=config in OpenLDAP 2.4.
>> Any advice or suggestions on how to get advice to test this alternate
>> hypothesis would be very much appreciated.
>
> Try asking about that on the OpenLDAP mailing list instead.
>
>> 4) Naturally, to the extent this is the appropriate forum, any help would be
>> gratefully received.
>>
>> Thanks,
>>
>> Bill
>>
>> Latest efforts:
>>
>> LDAP tree
>>
>> dc=williamsonday,dc=local
>>          cn=admin,dc=williamsonday,dc=local
>>          ou=People,dc=williamsonday,dc=local
>>
>> uid=billday,ou=People,dc=williamsonday,dc=local
>> (user)
>>          ou=Group,dc=williamsonday,dc=local
>>          ou=Contacts,dc=williamsonday,dc=local
>>                  ou=Shared,ou=Contacts,dc=williamsonday,dc=local
>>                  ou=Personal,ou=Contacts,dc=williamsonday,dc=local
>>
>> ou=billday,ou=Personal,ou=Contacts,dc=williamsonday,dc=local
>> (private address books)
>>
>>
>> access to
>> dn.regex="^ou=([^,]+),ou=Personal,ou=Contacts,dc=williamsonday,dc=local$"
>>     attrs=children
>>     by dn.regex="^uid=$1,ou=People,dc=williamsonday,dc=local$" write
>>     by * none
>>
>> access to
>> dn.regex="^ou=([^,]+),ou=Personal,ou=Contacts,dc=williamsonday,dc=local$"
>>     attrs=entry,@inetOrgPerson
>>     by dn.regex="^uid=$1,ou=People,dc=williamsonday,dc=local$" write
>>     by * none
>>
>> error is that parent does not have sufficient access
>> --
>> Bill Day
>> williamson.day at gmail.com
>> PGP Fingerprint: EE5D DE55 9EF1 E012 7417
>> A5F1 1D7D 0847 7785 1146
>> --
>> Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>
>
>
> Jan.
>
> --
> Do you need professional PHP or Horde consulting?
> http://horde.org/consulting/
>



--
Bill Day
williamson.day at gmail.com
PGP Fingerprint: EE5D DE55 9EF1 E012 7417
A5F1 1D7D 0847 7785 1146
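To make the ordering point in the message above concrete, here is an added toy model of how slapd walks an olcAccess list (example code, not from the mail, OpenLDAP or Horde).  It encodes olcAccess {2}, {3} and {5} from the configuration above, with a constructed attribute set standing in for "@inetOrgPerson", and shows that putting the "to *" catch-all first silently shadows the per-user write grant.

```python
import re

# Added toy model of slapd ACL evaluation (not code from the mail, OpenLDAP or
# Horde): the FIRST "to" clause matching entry+attribute is used, then the
# FIRST matching "by" clause in it; later rules are never consulted.
BASE = "dc=williamsonday,dc=local"
ADMIN = f"cn=admin,{BASE}"
BOOK = rf"^ou=([^,]+),ou=Personal,ou=Contacts,{re.escape(BASE)}$"
OWNER = f"expand:uid=$1,ou=People,{BASE}"  # dn.exact,expand="uid=$1,..."
PERSON_ATTRS = {"entry", "cn", "sn", "mail"}  # constructed stand-in for @inetOrgPerson

def rule(target, attrs, by):
    """target: regex over the entry DN; attrs: covered attribute names (None =
    all, as in "to *"); by: ordered (who, access) pairs, first match wins."""
    return (re.compile(target), attrs, by)

def who_matches(who, match, requester):
    if who == "*":
        return True
    if who.startswith("expand:"):            # fill $1 from the target match
        return requester == who[len("expand:"):].replace("$1", match.group(1))
    return requester == who                  # literal dn="..."

def access(rules, entry_dn, attr, requester):
    """Access level slapd would grant; 'none' when nothing matches."""
    for target, attrs, by in rules:
        m = target.match(entry_dn)
        if not m or (attrs is not None and attr not in attrs):
            continue
        for who, level in by:
            if who_matches(who, m, requester):
                return level
        return "none"                        # "to" matched but no "by" did
    return "none"

# The mail's olcAccess {2}/{3} (per-user books) and {5} (catch-all).
SPECIFIC = [
    rule(BOOK, PERSON_ATTRS, [(OWNER, "write"), (ADMIN, "write")]),
    rule(BOOK, {"children"}, [(OWNER, "write"), (ADMIN, "write")]),
]
CATCH_ALL = rule(r".*", None, [(ADMIN, "write"), ("*", "read")])
GOOD_ORDER = SPECIFIC + [CATCH_ALL]   # specific first: owner can write
BAD_ORDER = [CATCH_ALL] + SPECIFIC    # "to *" first shadows the write grant

def owner_access(rules, user="billday", attr="children"):
    """Access the named user has to his own personal address book."""
    book = f"ou={user},ou=Personal,ou=Contacts,{BASE}"
    return access(rules, book, attr, f"uid={user},ou=People,{BASE}")
```

Note that a different user hitting the per-user rule gets "none" rather than falling through to the catch-all's "by * read", which is the behaviour the specific-before-general ordering relies on.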

