[turba] LDAP Driver
Edwin Culp
eculp@encontacto.net
Wed, 19 Jun 2002 19:17:49 -0700
Quoting Lee <lee@disinfo.com>:
| Hey Ed,
| I think I have this mostly working. I seem to be stuck on the openldap
| access
| directives for each person's personal address book. I'm doing virtually the
| same thing as you are, where you put the user's address book entries under
| their node. I'm having problems figuring out how to tell openldap to grant
| write access to a user for his/her address book entries under his/her node
| though.
|
| i.e. ou=users,dc=org,dc=com
| uid=joeblow,ou=users,dc=org,dc=com
| ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com
| cn=Mary,ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com
| cn=Joe,ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com
|
| cn=Larry,ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com
Have you tried something like the following?
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
# Personal address books come first: slapd takes the first "access to" whose
# target matches, so this clause has to precede the generic user-entry clause
# below or the address book entries would be decided by that one instead.
# The pattern is anchored and covers ou=addressbook,uid=X,... and everything
# under it; $1 is the owner's RDN, so only the owner's bind DN can satisfy
# the "by dn.regex" line. (dn.regex= is the 2.1 spelling; on 2.0 plain
# dn="..." is always a regex.)
access to dn.regex="^.*ou=addressbook,(uid=[^,]+),ou=users,dc=org,dc=com$"
    by dn.regex="^$1,ou=users,dc=org,dc=com$" write
    by anonymous auth
    by * none
# The user entries themselves: anchored so this no longer matches entries
# below ou=addressbook.
access to dn.regex="^uid=[^,]+,ou=users,dc=org,dc=com$"
    by self write
    by anonymous auth
    by * read
I wrote this from your tree structure, so I could have missed something
like an additional read for other folks, but it should give you an idea.
There are many other options and ways to do it.
Have you seen that Chuck added a sources.php example very similar to the one
I sent you and you are following into an "example/howto/scripts for personal
LDAP address books"? I think that is great! Hopefully it will make it
easier for more folks to use horde/imp/ldap. If the following works,
it would be great to add it to the new howto, changing the structure to
coincide.
Hope this helps,
ed
P.S. BTW, this structure based on uid will limit your ability to have virtual
domains and virtual users. If you had a uid=lee at several domains,
how would you distinguish between them? Of course, if you don't plan
to have virtual domains, no problem.
|
| How do I get openldap to let "dn=uid=joeblow,ou=users,dc=org,dc=com" add,
| modify, and remove entries in the subtree below
| ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com without having to add an
| accesscontrol directive for every single user?
|
| Thanks,
| Lee
|
| Quoting Edwin Culp <eculp@encontacto.net>:
|
| > Quoting Lee <lee@disinfo.com>:
| >
| > | This is perfect, thanks a million, I'm going to give this a try.
| > |
| > | One more question though. Do you happen to know off the top of your head
| > | what I would have to change in IMP if I decided to make an AUXILIARY
| > | class copy of the hordePrefs objectclass (all the same attributes, just
| > | AUX instead of derived from person - I have oids, so this won't be a
| > | problem)? Doing this would allow me to add the necessary attributes
| > | (impPrefs, turbaPrefs etc...) to our existing ldap user accounts,
| > | without having to make the hordePrefs objectclass a child of these
| > | accounts.
| >
| > hordePrefs isn't an objectclass, AFAIK, hordePerson is, but
| > I must really be slow today. How would your choice of objectclass
| > directly affect IMP?
| >
| > ed
| >
| > |
| > | BTW, isn't it considered good ldap schema style to make application
| > | specific attributes part of AUX objectclasses anyway (hint hint imp
| > | developers :)
| > |
| > | Thanks again,
| > | Lee
| > |
| > |
| > | -----Original Message-----
| > | From: Edwin Culp [mailto:eculp@encontacto.net]
| > | Sent: Wednesday, June 12, 2002 8:00 PM
| > | To: Lee
| > | Cc: turba@lists.horde.org
| > | Subject: RE: [turba] LDAP Driver
| > |
| > | Quoting Lee <lee@disinfo.com>:
| > |
| > | | Has anyone implemented a per user address book for turba using ldap? I
| > | | see a default shared address book in sources.php, but nothing for per
| > | | user (private) ldap.
| > | |
| > | | Thanks,
| > | | Lee
| > | Lee,
| > |
| > | I do it with my ldap directory structure and
| > | horde/turba/config/sources.php
| > | configuration.
| > |
| > | My ldap tree for this is
| > | o=my.org
| > | ou=people,o=my.org
| > | mail=name@my.org,ou=people,o=my.org /* This builds my corp.
| > | addrBook.*/
| > | ou=addressbook,o=my.org
| > | mail=name@my.org,ou=addressbook,o=my.org
| > | mail=aPersonInMyAddressBook@theirDomain.com,mail=name@my.org,\
| > | ou=addressbook,o=my.org /*This is the personal addressbook.*/
| > |
| > | I have two definitions in sources.php, one for the corporate addressbook
| > | and the other for the personal addressbook. This works for me for
| > | virtual users and domains. I've probably made it too complicated, so
| > | feedback/suggestions for simplification, improvements, scalability,
| > | etc. would be appreciated.
| > |
| > | My sources.php should be self explanatory. It basically configures
| > | itself based on the url.
| > |
| > | I hope this helps,
| > |
| > | ed
| > |
| > | --------------------------sources.php Follows -----------------------
| > | <?php
| > |
| > | /* Sources.php */
| > |
| > | $vdomain = strtolower(preg_replace('|^mail\.|i', '',
| > | $_SERVER['HTTP_HOST']));
| > | $usermail=Auth::getAuth();
| > | $uid = preg_replace('|@.*|i', '', $usermail);
| > | $pass=Auth::getCredential('password');
| > |
| > | /* PRIVATE ADDRESS BOOK */
| > |
| > | $cfgSources['private'] = array(
| > | 'title' => 'Personal directory for ' . $uid,
| > | 'type' => 'ldap',
| > | 'params' => array(
| > | 'server' => 'localhost',
| > | 'port' => 389,
| > | 'root' => 'mail=' . $usermail . ',ou=addressbook,o=my.org',
| > |
| > | /* BIND AS USER NOT AS ROOT */
| > |
| > | 'bind_dn' => 'mail=' . $usermail . ',ou=people,o=my.org',
| > | 'bind_password' => $pass,
| > | 'dn' => array('mail'),
| > | 'objectclass' => array( 'hordePerson'),
| > | 'filter' => ''
| > | ),
| > | 'map' => array(
| > | '__key' => 'dn',
| > | 'name' => 'cn',
| > | 'email' => 'mail',
| > | 'alias' => 'givenname'
| > | ),
| > | 'search' => array(
| > | 'name',
| > | 'email',
| > | 'alias'
| > | ),
| > |
| > | 'strict' => array(
| > | 'dn'
| > | ),
| > |
| > | 'public' => true,
| > | 'readonly' => false,
| > | 'admin' => array(),
| > | 'export' => true
| > | );
| > |
| > | /* Corporate/Domain Address Book */
| > |
| > | $cfgSources['corporate'] = array(
| > | 'title' => 'Our ' . $vdomain . ' Directory',
| > | 'type' => 'ldap',
| > | 'params' => array(
| > | 'server' => 'localhost',
| > | 'port' => 389,
| > | 'root' => 'ou=people,o=my.org',
| > |
| > | /* BIND AS USER NOT AS ROOT */
| > |
| > | 'bind_dn' => 'mail=' . $usermail . ',ou=people,o=my.org',
| > | 'bind_password' => $pass,
| > | 'dn' => array('cn'),
| > | 'objectclass' => array( 'hordePerson'),
| > | 'filter' => ''
| > | ),
| > | 'map' => array(
| > | '__key' => 'dn',
| > | 'name' => 'cn',
| > | 'email' => 'mail',
| > | 'sirname' => 'sn',
| > | 'title' => 'title',
| > | 'company' => 'o',
| > | 'businesscategory' => 'businesscategory',
| > | 'companyaddress' => 'postaladdress',
| > | 'zip' => 'postalcode',
| > | 'workphone' => 'telephonenumber',
| > | 'fax' => 'facsimiletelephonenumber',
| > | 'homeaddress' => 'homepostaladdress',
| > | 'city' => 'l',
| > | 'state' => 'st',
| > | 'homephone' => 'homephone',
| > | 'cellphone' => 'mobile',
| > | 'alias' => 'givenname',
| > | 'notes' => 'description',
| > | 'pgpPublicKey' => 'object_pgppublickey'
| > | ),
| > | 'search' => array(
| > | 'name',
| > | 'email',
| > | 'company',
| > | 'alias',
| > | 'sirname',
| > | 'homephone',
| > | 'workphone',
| > | 'cellphone',
| > | 'homeaddress'
| > | ),
| > | 'public' => true,
| > | 'readonly' => false,
| > | 'admin' => array('eculp@' . $vdomain ),
| > | 'export' => true
| > | );
| > |
| > | Hope this helps,
| > |
| > | ed
| >
| >
| > --
| >
| >
--
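The slapd ACL question at the top of this message turns on two things that are easy to get wrong and hard to see without a server: "access to" clauses are first-match on the target DN, and an unanchored dn regex matches anywhere in the DN, so a clause meant for the user entries also matches every entry below ou=addressbook. The following is an added example, not part of this thread and not code from Horde, Turba or OpenLDAP: a small Python model of slapd's "access to ... by ..." evaluation run over constructed DNs from the tree Lee described. It compares the unanchored clauses in the order first given with anchored clauses that put the address-book rule first. The DNs, the deny-on-no-match default and the handling of $N expansion are assumptions of the model; attrs= clauses (the userPassword rule) are not modelled.

```python
import re

# Access levels in the order slapd ranks them: a grant at one level
# implies every level to its left (simplified model; no "disclose").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample DNs following the tree in the thread.
JOE = "uid=joeblow,ou=users,dc=org,dc=com"
LEE = "uid=lee,ou=users,dc=org,dc=com"
ABOOK = "ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com"
MARY = "cn=Mary,ou=addressbook,uid=joeblow,ou=users,dc=org,dc=com"

# Each clause: (regex for the "access to dn" target, list of (who, level)).
# "who" is "*", "anonymous", "self" or "dn.regex=<pattern>", where $N is
# expanded from the target match.  Anchored, address book first.
ACL_FIXED = [
    (r"^.*ou=addressbook,(uid=[^,]+),ou=users,dc=org,dc=com$",
     [("dn.regex=^$1,ou=users,dc=org,dc=com$", "write"),
      ("anonymous", "auth")]),
    (r"^uid=[^,]+,ou=users,dc=org,dc=com$",
     [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]

# The unanchored clauses in the order they were first given, for comparison.
ACL_UNANCHORED = [
    (r"uid=.+,ou=users,dc=org,dc=com",
     [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
    (r"ou=addressbook,(uid=.+),ou=users,dc=org,dc=com",
     [("dn.regex=$1,ou=users,dc=org,dc=com", "write"),
      ("anonymous", "auth")]),
]


def _who_matches(who, bind_dn, target_dn, target_match):
    """Does a 'by <who>' clause apply to this bind DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    if who.startswith("dn.regex="):
        if bind_dn is None:
            return False
        pattern = who[len("dn.regex="):]
        # Expand $1..$9 from the target match.  This model escapes the
        # substituted text before reusing it as a pattern (an assumption,
        # not a statement about slapd); keep captures tight ([^,]+) and
        # anchor the by-pattern so the expansion cannot widen the match.
        pattern = re.sub(r"\$(\d)",
                         lambda g: re.escape(target_match.group(int(g.group(1)))),
                         pattern)
        return re.search(pattern, bind_dn) is not None
    raise ValueError("unsupported who clause: " + who)


def evaluate(acl, bind_dn, target_dn, wanted):
    """First-match evaluation: the first 'access to' whose target regex
    matches decides, and inside it the first matching 'by' decides.
    No matching 'by' is the implicit 'by * none'; no matching clause at
    all is treated as deny in this model."""
    for target_pattern, by_clauses in acl:
        target_match = re.search(target_pattern, target_dn)
        if target_match is None:
            continue
        for who, level in by_clauses:
            if _who_matches(who, bind_dn, target_dn, target_match):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False


if __name__ == "__main__":
    for name, acl in (("fixed", ACL_FIXED), ("unanchored", ACL_UNANCHORED)):
        print(name)
        print("  joeblow writes an entry in his own address book:",
              evaluate(acl, JOE, MARY, "write"))
        print("  lee reads an entry in joeblow's address book:   ",
              evaluate(acl, LEE, MARY, "read"))
```

With the unanchored clauses, cn=Mary,ou=addressbook,uid=joeblow,... is claimed by the generic user-entry clause (its regex finds "uid=joeblow,ou=users,..." inside the longer DN), so joeblow is refused write on his own address book and every authenticated user can read it; the address-book clause is never reached. With the anchored clauses and the address-book rule first, the owner can write both the ou=addressbook container and the entries under it, other users get nothing there, and the user entries keep the self-write/world-read behaviour.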