[turba] ldap browse returns non-people
Andy Rowan
rowan@crssa.rutgers.edu
Thu Oct 24 17:22:11 2002
I wrote:
> > So my question is what do I need to do to have it just return the records
> > for people? The "objectclass" setting in sources.php seems to only affect
> > adding new records, because the browse is asking openldap for
> > objectclass=*. Can I have it only ask for objectclass=person? Do I want
> > to do that?
>
> > turba is connecting as the openldap root user. Is that the reason?
OK, so with some help from Cliff Green at UMDNJ, I got this behavior under
control. (Thanks, Cliff. Next time maybe I should just open the window
and shout, eh?) I changed turba so it does anonymous access to the ldap
directory, and set the slapd ACLs so that anonymous has read access only to
dn="cn.*"
This leads me to another question that turns out to be related. First I
guess I need to explain what I'm after. I'm setting up LDAP for a fairly
small organization, mainly in order to have a shared address book to access
from imp. If I could get it so that most people have read-only access, and
a couple of us have write access, that would be ok. Things don't change so
much that I need to be able to let users change their own stuff, we can do
it for them. So as it stands now, the LDAP database has its root user, but
no other passwords are defined there.
Here's the question: in turba's sources.php, where it has
"'readonly'=true," and "'admin'=array()," I see that I'm supposed to put
users into that admin array who would then be allowed to edit via
turba. But what kind of users are we talking about? If I put a name in
there, what is it going to be matched against? IOW, where is turba going
to be looking for that user to exist? A system user, or an entry in the
LDAP database, or what? My authentication for horde is being done by imp,
against the system's user/password database. When I put my system username
in the admin array, I still don't get write access. Is it looking to match
against something in the LDAP, and if so, what kind of record/attribute?
Thanks!
-Andy
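As an added example (not from the post, and not Turba's or OpenLDAP's own documentation), a slapd.conf ACL fragment that implements the split described above: anonymous read access for browsing, write access for a few named editors, and no application binding as the rootdn. The suffix dc=example,dc=org and the editor DN cn=addrbook-admin,dc=example,dc=org are assumed placeholders, and the filter= target assumes OpenLDAP 2.1 or later.

```conf
# Added example (not from the post): slapd.conf ACL fragment for a
# read-mostly shared address book. Assumed suffix dc=example,dc=org and
# assumed editor DN cn=addrbook-admin,dc=example,dc=org.
#
# Why the application should not bind as rootdn: the rootdn is exempt
# from these ACLs, so every client behind that bind gets unrestricted
# write access. Browsing binds anonymously; editors bind as their own DN.

# Passwords are never readable, not even by an editor. Anonymous clients
# may only use the attribute to authenticate (simple bind); only the
# editor DN may set it.
access to attrs=userPassword
        by dn.exact="cn=addrbook-admin,dc=example,dc=org" write
        by anonymous auth
        by * none

# Address-book entries: only person objects are readable, so an
# anonymous browse cannot return the non-people entries (containers,
# groups) that the post complains about. The post's dn="cn.*" regex
# target would work here too; the filter form matches on objectClass
# rather than on how the DN happens to be spelled.
access to filter=(objectClass=person)
        by dn.exact="cn=addrbook-admin,dc=example,dc=org" write
        by * read

# Clients need search access to the suffix entry to use it as a search
# base, but nothing more.
access to dn.base="dc=example,dc=org" attrs=entry
        by * search

# Everything else is invisible to anonymous clients and writable only
# by the editor DN (clauses are evaluated in order; this is the default).
access to *
        by dn.exact="cn=addrbook-admin,dc=example,dc=org" write
        by * none
```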