[horde] Problem with enumerating users in LDAP Auth driver
Kevin M. Myer
kmmyer at gmail.com
Fri Feb 25 22:25:44 UTC 2011
Hello,

After a long hiatus from using Horde, I have deployed a test
environment and am configuring it for use in our company. I am using
Horde Webmail 1.2.9, with Cyrus IMAP as the mail server and MS Active
Directory as the authentication service, and the source of our shared
address book. In the Auth/LDAP driver code, we found where user
modifications were disabled, if using AD, and then I discovered the
existence of the msad driver, so we've been using that (a little
puzzled about the use of initials as the authID piece though!). Since
we are using rfc2307 entries in AD, and the MS tools for working with
UNIX attributes don't work with inetOrgPerson types, and since we have
a mix of actual accounts and contacts that we store, we have been
adding entries to AD programmatically for the past few years, so we
have some code we've written to do that in another PHP app and are
reusing some of that. We extended the msad driver with a hook to add
our additional attributes and have been able to create users.

However, we still cannot enumerate users. If I go to the Users screen,
no entries are returned. I captured some packets and when I do a
search (or when the initial admin/users.php page is loaded), I see a
successful bind to the AD server, but no search is ever executed. I
compared the Turba LDAP driver code and the Auth/LDAP driver code and
modified the Auth/LDAP driver code to be a bit more strict in
displaying errors, and was able to see that the $search function was
returning "Query failed: (-7) Bad search filter". The search filter I
was using is:

&(sn=*)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

The userAccountControl part is to exclude disabled accounts from
showing up in searches, and the filter is what we use for Turba, our
Java-based helpdesk system (to sync accounts from AD), and as the
authentication filter for Horde, and it works fine in all of those
areas, as well as from command-line searches. However, in the
Auth/LDAP/listUsers function, it generates the bad search filter
error. If I remove the userAccountControl piece, the results are
returned, but sans attributes, and then I think I hit a bug that I saw
was listed in WHUPS. But I'm puzzled as to what I'm hitting that is
causing the filter to fail when trying to do the listUsers function.

Related to this, if we create a new user, we also want to set up a
mailbox for most users, but there is a bit of a race condition that may
arise. We initially looked at adding the IMAP create call in the
_horde_hook_authmsad call. However, since that hook only builds the
entry, and the actual add occurs in the MSAD driver, it's possible that
the following could occur: MSAD driver is invoked to add user -> hook
is called to build entry -> mailbox is created in the hook code ->
entry is returned -> MSAD driver attempts to add entry and fails.
We're left with a mailbox but no user. We'd prefer to keep our custom
code in hooks, so one solution we looked at was to add a few more
hooks to the user add/delete/change functions in MSAD (or LDAP, as the
same idea would hold there). So now, our creation looks something
like: invoke addUser, call _horde_hook_authmsad to customize the
entry, add the user to AD, call a hook to execute code that creates
mailbox, etc.

Is there a better practice to follow than what I just described, when
it comes to doing additional tasks for managing user accounts?

Thanks,
Kevin
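As an added example (not Horde's code and not from the post), the Python below works with the Active Directory filter quoted above: it builds the enabled-person filter wrapped in the outer parentheses that RFC 4515 requires of a complete filter, checks that a filter string is a single balanced expression before handing it to a search, escapes values that get interpolated into a filter, and decodes the ACCOUNTDISABLE bit that the 1.2.840.113556.1.4.803 matching rule tests. The sAMAccountName attribute in the lookup helper is an assumption, not something taken from the post.

```python
"""Active Directory filter helpers (added example, not Horde code): build the
enabled-person filter with the outer parentheses RFC 4515 requires, check a
filter string is one balanced expression, escape interpolated values, and
decode the ACCOUNTDISABLE bit the bit-AND matching rule tests."""

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the asserted value is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2  # userAccountControl flag for a disabled account
# RFC 4515 escapes for characters with special meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape_value(value: str) -> str:
    """Escape a value (e.g. a login name) before interpolating it into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def is_wellformed_filter(flt: str) -> bool:
    """True if flt is one fully parenthesised expression with balanced parens."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Reaching depth 0 before the last char means two top-level items.
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0

def active_person_filter(extra: str = "") -> str:
    """Filter for enabled person entries, optionally ANDed with one more clause."""
    parts = ["(sn=*)", "(objectCategory=person)",
             f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"]
    if extra:
        if not is_wellformed_filter(extra):
            raise ValueError(f"not a well-formed filter clause: {extra!r}")
        parts.append(extra)
    return "(&" + "".join(parts) + ")"

def user_lookup_filter(login: str) -> str:
    """Auth-style filter for one account; sAMAccountName is an assumed attribute."""
    return active_person_filter(f"(sAMAccountName={ldap_escape_value(login)})")

def is_disabled(user_account_control: int) -> bool:
    """Client-side equivalent of the bit-AND rule on a returned entry's value."""
    return bool(user_account_control & ACCOUNTDISABLE)
```

Running the post's filter string through is_wellformed_filter returns False because it has no enclosing parentheses; whether a given consumer adds them for you is worth checking when the same filter behaves differently in different places.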