[sork] passwd ldap feature, searching for userdn not required on some installs..
Geff
boing at boing.com
Wed Dec 28 10:16:41 PST 2005
Howdy,
I must say that's an interesting way to do it! I would not have
thought of setting the admin to the user. That seems kinda messy to
me. There may be assumptions made that an admin is well .. you know an
admin.
I must also comment that your ldap structure is also interesting. Have
you not considered something like:
mail=silver at ultrasoft.ee,dc=ultrasoft.ee,o=hosting
or
mail=silver at ultrasoft.ee,dc=ultrasoft,dc=ee,o=hosting
not that this is the list for ldap naming rants...
Geff
Quoting Silver Salonen <silver at ultrasoft.ee>:
> Hi.
>
> Have I understood you correctly if I say the patch helps Sork to bind to LDAP
> as the user trying to change his password?
>
> If it is so then why do you need the patch for this? You could just configure
> your backend in that way, couldn't you?
>
> My backend's config:
>
> $uid = Auth::getAuth();
> // users are divided by domain, ie. mail=silver at ultrasoft.ee,cn=ultrasoft.ee,dc=hosting
> $basedn = 'cn=' . substr(strstr($uid, '@'), 1) . ',' . 'dc=hosting';
> $backends['ldap'] = array(
> ...
> 'driver' => 'ldap',
> 'params' => array(
> 'basedn' => $basedn,
> 'uid' => 'mail',
> 'realm' => $basedn,
> 'admindn' => 'mail=' . $uid . ','. $basedn,
> 'adminpw' => Auth::getCredential('password'),
> ...
> )
> );
>
> Sorry, if I didn't understand you correctly :)
>
> Silver
>
>> Howdy,
>>
>> All. This password / sork thing is an excellent module. I would
>> suggest the following patch as an option for configuration of userdn.
>> So that passwd does not have to bind at all to search for the user.
>> And can just bind as the user to change their own password.
>>
>> Thoughts and rejection are welcome and expected as always. :)
>>
>> Something else I was thinking about was some way to have multiple
>> backends update with a single update somehow? yes of course you get
>> into issues with rolling back if one fails, but it would be handy from
>> the user's perspective if the password policies matched and every
>> service was up. The practical case is my OS password (via poppassd)
>> and LDAP (addressbook). Any desire for such a patch?
>>
>> Thanks much for your time,
>>
>> Geff
>>
>> ----
>>
>> config param:
>>
>> 'userdn' => 'cn=' . Auth::getBareAuth() . ',ou=people,o=boing',
>>
>> "ou=people,o=boing" is my container for my user objects. I guess this
>> could have been:
>>
>> 'userdn' => 'cn=' . Auth::getBareAuth() . ',' . $params['basedn'];
>>
>> or something as such.
>>
>>
>>
>> kusanagi:/var/www/virtuals/mail.boing.com/htdocs/horde/passwd/lib/Driver)diff -c ldap.php*
>> *** ldap.php Sat Dec 24 02:25:50 2005
>> --- ldap.php.dist Sat Dec 24 01:52:51 2005
>> ***************
>> *** 206,215 ****
>> */
>> function _userDN($username, $old_password)
>> {
>> ! if ($this->_params['userdn']) {
>> ! $userdn = $this->_params['userdn'];
>> ! return $userdn;
>> ! } else if ($GLOBALS['conf']['hooks']['userdn']) {
>> $userdn = Horde::callHook('_passwd_hook_userdn',
>> array(Auth::getAuth()));
>> } else {
>> --- 206,212 ----
>> */
>> function _userDN($username, $old_password)
>> {
>> ! if ($GLOBALS['conf']['hooks']['userdn']) {
>> $userdn = Horde::callHook('_passwd_hook_userdn',
>> array(Auth::getAuth()));
>> } else {
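Review bot: The new first branch in the `*** 206,215` block tests `$this->_params['userdn']` directly, which raises an undefined-index notice on installs that do not set the optional parameter; use `!empty($this->_params['userdn'])` there, and the temporary can be dropped in favour of `return $this->_params['userdn'];`. The early return also ignores the `$username` argument, so the configured DN must be derived from the same login whose password is being changed. Finally, the file headers list `ldap.php` first and `ldap.php.dist` second, so this context diff is reversed relative to the proposed change; regenerate it with the `.dist` file first so it applies cleanly.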
> --
> Sork mailing list - Join the hunt: http://horde.org/bounties/#sork
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: sork-unsubscribe at lists.horde.org
>
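The two ways of deriving the bind DN from the login that this thread discusses (a per-domain container and a flat `ou=people` container), as an added example that is not code from Horde, Sork, or either poster. The function names are hypothetical, the sample logins are constructed, and it assumes PHP's ldap extension is loaded for `ldap_escape()`. The login is escaped as a DN value so that a comma or plus sign in it cannot change the structure of the DN used for the bind.

```php
<?php
// Added example; not Horde/Sork code. Function names are hypothetical.
// Requires PHP's ldap extension (ldap_escape, LDAP_ESCAPE_DN).

/** Build "attr=value,suffix", escaping the login as a DN attribute value. */
function build_user_dn(string $attr, string $value, string $suffix): string
{
    if ($value === '') {
        throw new InvalidArgumentException('empty login');
    }
    return $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_DN) . ',' . $suffix;
}

/** Per-domain layout from the thread: mail=<login>,cn=<domain>,dc=hosting */
function per_domain_dn(string $login): string
{
    // Require exactly one '@' with a non-empty local part and domain,
    // instead of trusting substr(strstr($uid, '@'), 1) to find a domain.
    $parts = explode('@', $login);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        throw new InvalidArgumentException('login must be local@domain');
    }
    $basedn = 'cn=' . ldap_escape($parts[1], '', LDAP_ESCAPE_DN) . ',dc=hosting';
    return build_user_dn('mail', $login, $basedn);
}

// Constructed sample logins: a normal address, one containing a comma,
// and one without a domain part.
foreach (['silver@ultrasoft.ee', 'o,brien@ultrasoft.ee', 'nodomain'] as $login) {
    try {
        echo per_domain_dn($login), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $login, "\n";
    }
}

// Flat layout from the thread, with a constructed bare username.
echo build_user_dn('cn', 'geff', 'ou=people,o=boing'), "\n";
```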