[turba] Feature Request

Edwin Culp eculp@encontacto.net
Sat, 17 Aug 2002 11:41:55 -0700


Quoting "Derek J. Balling" <dredd@megacity.org>:

 | 
 | We give our employees access to read the company LDAP server to get 
 | employee-directory info. Is there any way, using Turba, to grant them 
 | limited rights to update the LDAP server? (e.g., to update their 
 | cel-phone number, office #, etc.)
 | 
 | Obviously I don't want them able to delete their own entry, or to muck 
 | about with other folks' entries.

I do this through LDAP ACLs.  I have something like the following
on my server.  This will have to be adapted to your directory structure.
I have set this up for virtual users by structuring the addressbook entries
as:
     mail=youraddressbookentry@somedomain.com,mail=useremail@yourdomain.com, \
     ou=addressbook,o=megacity.org
Based on the above, your user DN would be:
     mail=useremail@yourdomain.com,ou=people,o=megacity.org
and you may be able to use ACLs like:

# only the entry itself may change its password; anyone may bind with it
access  to      attr=userPassword
        by      self    write
        by      anonymous       auth
        by      *       none

# each user may edit their own ou=people entry; everyone else gets read
access  to      dn="(mail=.+,ou=people,o=megacity.org)"
        by      self    write
        by      anonymous       auth
        by      *       read

# private address books: $1 is the owner's mail= RDN (the one directly under
# ou=addressbook); [^,]+ keeps a nested contact's own mail= RDN out of $1,
# so only the matching ou=people user gets write, other users read only
access  to      dn="(mail=[^,]+),ou=addressbook,o=megacity.org"
        by      dn="$1,ou=people,o=megacity.org"   write
        by      dn="mail=.*,ou=people,o=megacity.org"      read
        by      anonymous       auth

This is probably far too complex and I'm sure there is a much simpler
way to do it, but this is working for me.  It allows separation of
dredd@megacity.org and dredd@anothercity.org.

For this to work I have the following, sort of dynamic, configuration in
horde/turba/config/sources.php.  This will not work as is because of an
additional object class that I have defined below as megacitykey, which I
think can be safely eliminated, if I remember correctly.  There is an
issue with changing passwords because of not being able to do an anonymous
bind to get the DN, but you have the option of allowing anonymous binds
or making a few minor modifications to the password code, which I decided
was the best solution in my case.

<?php
/*  horde/turba/config/sources.php   */

/* virtual domain = the host name the user browsed to, minus a leading "mail." */
$vdomain = strtolower(preg_replace('|^mail\.|i', '', $_SERVER['HTTP_HOST']));

/* the authenticated user's address and password; both are reused for the LDAP bind below */
$usermail = Auth::getAuth();
$uid = preg_replace('|@.*|i', '', $usermail);
$pass = Auth::getCredential('password');

/*         PRIVATE ADDRESS BOOK      */

$cfgSources['private'] = array(
    'title' => 'Personal directory for ' . $uid,
    'type' => 'ldap',
    'params' => array(
        'server' => 'localhost',
        'port' => 389,
        'root' => 'mail=' . $usermail . ',ou=addressbook,o=megacity.org',

/*        BIND AS USER NOT AS ROOT    */

        'bind_dn' => 'mail=' . $usermail . ',ou=people,o=megacity.org',
        'bind_password' => $pass,
        'dn' => array('mail'),
        'objectclass' => array( 'hordePerson','megacitykey'),  /* megacitykey is a local class, see note above */
        'filter' => ''
    ),
    'map' => array(
        '__key' => 'dn',
        'name' => 'cn',
        'email' => 'mail',
        'alias' => 'givenname'
    ),
    'search' => array(
        'name',
        'email',
        'alias'
    ),

    'strict' => array(
        'dn'
    ),

    'public' => true,
    'readonly' => false,
    'admin' => array(),
    'export' => true
);

$cfgSources['corporate'] = array(
    'title' => 'Our ' . $vdomain . ' Directory',
    'type' => 'ldap',
    'params' => array(
        'server' => 'localhost',
        'port' => 389,
        'root' => 'ou=people,o=megacity.org',

/*        BIND AS USER *NOT* AS ROOT        */

        'bind_dn' => 'mail=' . $usermail . ',ou=people,o=megacity.org',
        'bind_password' => $pass,
        'dn' => array('cn'),
        'objectclass' => array( 'hordePerson','megacitykey'),  /* megacitykey is a local class, see note above */
        'filter' => ''
    ),
    'map' => array(
        '__key' => 'dn',
        'name' => 'cn',
        'email' => 'mail',
        'sirname' => 'sn',
        'title' => 'title',
        'company' => 'o',
        'businesscategory' => 'businesscategory',
        'companyaddress' => 'postaladdress',
        'zip' => 'postalcode',
        'workphone' => 'telephonenumber',
        'fax' => 'facsimiletelephonenumber',
        'homeaddress' => 'homepostaladdress',
        'city' => 'l',
        'state' => 'st',
        'homephone' => 'homephone',
        'cellphone' => 'mobile',
        'alias' => 'givenname',
        'notes' => 'description',
        'pgpPublicKey' => 'object_pgppublickey'
    ),
    'search' => array(
        'name',
        'email',
        'company',
        'alias',
        'sirname',
        'homephone',
        'workphone',
        'cellphone',
        'homeaddress'
    ),
    'public' => true,
    'readonly' => false,
    'admin' => array('eculp@' .  $vdomain ),
    'export' => true
);

 | 
 | I'm using IMP authentication, but the LDAP directory contains the same 
 | passwords IMP authenticates against.
 | 
 | Any thoughts?
 | 
 | D
 | 
 | 
 | --
 | +------------------------------+--------------------------------+
 | | Derek J. Balling             | "You can get more with a kind  |
 | | dredd@megacity.org           |  word and a two-by-four, than  |
 | | www.megacity.org/blog/       |  you can with just a kind      |
 | |                              |  word."               - Marcus |
 | +---------------------------------------------------------------+
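As an added example, not part of the post or of Turba: a small Python model of the ACL rules quoted above, assuming OpenLDAP-2.0-style evaluation (unanchored regex matching on the target DN, `$1` expanded from the target match into the `by dn=` clause, first matching `by` clause wins), used to check which bind DN gets write on which entry. The DNs are constructed to follow the nesting the post describes; the block also shows why the address-book rule needs `[^,]+` rather than `.+` once entries sit two `mail=` RDNs deep.

```python
import re

# Added example (not from the post): a tiny model of the regex ACLs above, to check
# who gets write on which entry. Assumed semantics: target and <by> regexes are
# unanchored (re.search), "$1" comes from the target match, first matching <by> wins.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def build_acls(addressbook_re):
    # The dn-based rules from the post; the attr=userPassword rule is left out.
    return [
        (addressbook_re, [("dn=$1,ou=people,o=megacity.org", "write"),
                          ("dn=mail=.*,ou=people,o=megacity.org", "read"),
                          ("anonymous", "auth")]),
        (r"mail=.+,ou=people,o=megacity.org", [("self", "write"),
                                               ("anonymous", "auth"),
                                               ("*", "read")]),
    ]

ACLS_POSTED = build_acls(r"(mail=.+),ou=addressbook,o=megacity.org")
ACLS_FIXED = build_acls(r"(mail=[^,]+),ou=addressbook,o=megacity.org")  # last mail= RDN only

def granted(acls, target_dn, bind_dn):
    """Access level bind_dn (None = anonymous) gets on target_dn; first matching rule wins."""
    for target_re, by_clauses in acls:
        m = re.search(target_re, target_dn)
        if not m:
            continue
        ref = re.escape(m.group(1)) if m.groups() else ""  # value substituted for $1
        for who, level in by_clauses:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn == target_dn:
                return level
            if who.startswith("dn=") and bind_dn is not None:
                if re.search(who[3:].replace("$1", ref), bind_dn):
                    return level
        return "none"  # target matched but no <by> clause applied
    return "none"      # no rule matched the target

def can(acls, target_dn, bind_dn, want):
    return LEVELS.index(granted(acls, target_dn, bind_dn)) >= LEVELS.index(want)

# Constructed DNs laid out as the post describes.
DREDD = "mail=dredd@megacity.org,ou=people,o=megacity.org"
ALICE = "mail=alice@megacity.org,ou=people,o=megacity.org"
DREDD_CONTACT = "mail=bob@anothercity.org,mail=dredd@megacity.org,ou=addressbook,o=megacity.org"
```

With `.+`, the greedy group swallows both `mail=` RDNs of a nested contact, the expanded `by dn=` regex no longer matches the owner's bind DN, and the owner falls through to read only.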