[horde] Problem with enumerating users in LDAP Auth driver
Jan Schneider
jan at horde.org
Fri Mar 4 09:31:49 UTC 2011
Quote from "Kevin M. Myer" <kmmyer at gmail.com>:
> Hello,
>
> After a long hiatus from using Horde, I have deployed a test
> environment and am configuring it for use in our company. I am using
> Horde Webmail 1.2.9, with Cyrus IMAP as the mail server and MS Active
> Directory as the authentication service, and the source of our shared
> address book. In the Auth/LDAP driver code, we found where user
> modifications were disabled, if using AD, and then I discovered the
> existence of the msad driver, so we've been using that (a little
> puzzled about the use of initials as the authID piece though!). Since
> we are using rfc2307 entries in AD, and the MS tools for working with
> UNIX attributes don't work with inetOrgPerson types, and since we have
> a mix of actual accounts and contacts that we store, we have been
> adding entries to AD programmatically for the past few years, so we
> have some code we've written to do that in another PHP app and are
> reusing some of that. We extended the msad driver with a hook to add
> our additional attributes and have been able to create users.
>
> However, we still cannot enumerate users. If I go to the Users screen,
> no entries are returned. I captured some packets and when I do a
> search (or when the initial admin/users.php page is loaded), I see a
> successful bind to the AD server, but no search is ever executed. I
> compared the Turba LDAP driver code and the Auth/LDAP driver code and
> modified the Auth/LDAP driver code to be a bit more strict in
> displaying errors, and was able to see that the $search function was
> returning "Query failed: (-7) Bad search filter". The search filter I
> was using is:
>
> &(sn=*)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
>
> The userAccountControl part is to exclude disabled accounts from
> showing up in searches and the filter is what we use for Turba, our
> Java based helpdesk system (to sync accounts from AD), and as the
> authentication filter for Horde, and it works fine in all of those
> areas, as well as from command-line searches. However, in the
> Auth/LDAP/listUsers function, it generates the bad search filter
> error. If I remove the userAccountControl piece, the results are
> returned, but sans attributes, and then I think I hit a bug that I saw
> was listed in WHUPS. But I'm puzzled as to what I'm hitting that is
> causing the filter to fail when trying to do the listUsers function.
Is this *exactly* the value of $filter in the listUsers() method? It's
passed unaltered to ldap_list() resp. ldap_search() there, so it's
either PHP's ldap extension, or the LDAP server itself that chokes on
the filter.
> Related to this, if we create a new user, we also want to set up a
> mailbox for most users but there is a bit of a race condition that may
> arise. We initially looked at adding the IMAP create call in the
> _horde_hook_authmsad call. However, since that hook only builds the
> entry, and the actual add occurs in the MSAD driver, it's possible that
> the following could occur: MSAD driver is invoked to add user -> hook
> is called to build entry -> mailbox is created in the hook code ->
> entry is returned -> MSAD driver attempts to add entry and fails.
> We're left with a mailbox but no user. We'd prefer to keep our custom
> code in hooks, so one solution we looked at was to add a few more
> hooks to the user add/delete/change functions in MSAD (or LDAP, as the
> same idea would hold there). So now, our creation looks something
> like: invoke addUser, call _horde_hook_authmsad to customize the
> entry, add the user to AD, call a hook to execute code that creates
> mailbox, etc.
>
> Is there a better practice to follow than what I just described, when
> it comes to doing additional tasks for managing user accounts?
IIRC you were using Cyrus, so I would suggest using the autocreate
patch instead. Or a similar mechanism when using a different mail
server.
Adding hooks into the user management process makes sense too though,
but that should be done for the complete Auth framework then. And in
Horde 4 of course.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
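A syntax check that can be run on a filter string before it is handed to the LDAP API, as an added example written for this archive page (it is not Horde code and uses no Horde or PHP ldap API). It is a minimal RFC 4515 parser covering the and/or/not operators, the ordinary item forms and the extensible-match form used in the quoted filter; the filter exactly as quoted above fails the check because the whole expression is not enclosed in parentheses, while the same filter wrapped in an outer pair passes.

```python
"""Minimal RFC 4515 search-filter syntax check (constructed example, not
Horde code). check_filter() returns (True, "ok") or (False, reason)."""
import re

# One filter item: attr=value, attr~=value, attr>=value, attr<=value,
# presence attr=*, or extensible match attr[:dn][:rule]:=value.
_ITEM = re.compile(
    r"^(?P<attr>[A-Za-z0-9.;-]*)"
    r"(?::(?P<dn>dn))?(?::(?P<rule>[A-Za-z0-9.]+))?"
    r"(?P<op>:=|~=|>=|<=|=)(?P<value>[^()]*)$"
)


def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return index past its ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":  # one or more sub-filters
            i = _parse(s, i)
            count += 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"'{op}' has {count} sub-filter(s)")
    else:
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated item")
        m = _ITEM.match(s[i:j])
        if not m:
            raise ValueError(f"bad item {s[i:j]!r}")
        if m["op"] == ":=" and not (m["attr"] or m["rule"]):
            raise ValueError("extensible match needs an attribute or rule")
        if m["op"] != ":=" and (m["dn"] or m["rule"] or not m["attr"]):
            raise ValueError(f"bad item {s[i:j]!r}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def check_filter(s):
    """Validate a whole filter: the outermost filter must be enclosed in
    parentheses and nothing may follow it."""
    try:
        end = _parse(s, 0)
    except ValueError as exc:
        return False, str(exc)
    return (True, "ok") if end == len(s) else (False, f"trailing text at offset {end}")


# The filter exactly as quoted in the thread, and the same with the
# enclosing parentheses that RFC 4515 requires around the '&'.
QUOTED = "&(sn=*)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
WRAPPED = "(" + QUOTED + ")"

if __name__ == "__main__":
    for f in (QUOTED, WRAPPED):
        print(check_filter(f), f)
```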