[turba] IMP ldap prefs/Turba personal ldap addresses

Lee lee at disinfo.com
Sat Dec 14 13:51:55 PST 2002


I believe rootdn has read/write access to everything automatically. I'm 
not sure why it is having problems. Regardless, you really shouldn't be 
using rootdn for ispman. If the ispman server is ever compromised the 
intruder will have full access to the entire directory. You're much 
better off creating a new account (simple inetOrgPerson) that has read 
/ write access ONLY to those entries which it absolutely needs.

Something else to remember: when you add a new ACL rule (say, allowing 
users to read or write something) you also have to allow all other 
accounts that you want to be able to touch that entry to have the 
applicable permissions on this entry as well.

i.e.

If you add:

access to dn=".*ou=addressbook,(uid=.+),ou=users,dc=ourcompany,dc=com"
        by dn="$1,ou=users,dc=ourcompany,dc=com" write


Now only dn=...., ou=users,dc=ourcompany,dc=com will have specified 
access to that entry.

Instead you should more likely add:

access to dn=".*ou=addressbook,(uid=.+),ou=users,dc=ourcompany,dc=com"
        # the owner of the addressbook ($1 is the uid captured above)
        by dn="$1,ou=users,dc=ourcompany,dc=com" write
        # placeholder DNs: every other account that must touch these entries
        by dn="cn=someotheraccount,dc=com" read
        by dn="cn=anotheraccount,ou=users,dc=com" write
        by anonymous auth
        by * none

Obviously all of the above is conditioned on what your other rules say.

Lee




On Saturday, December 14, 2002, at 12:06 AM, Gary C. New wrote:

> Lee,
>
> I decided to use the horde.schema with my current
> ispman directory and the hordePrefs and impPrefs are
> working well as using my rootdn.  I am trying to glean
> from your ACL examples, so as to authorize read and
> write access on a per user basis.  However, when
> attempting to implement the per user ACLs I begin to
> have problems with rootdn access.  I believe ISPMan
> reads anonymously from the directory, but writes as
> the rootdn and somehow the per user ACLs are hosing
> things up.  Any suggestions?
>
> I was also wondering if you are able to access your
> turba personal addressbooks via a POP/IMAP client such
> as Outlook Express or Mozilla.  I know both of these
> clients have the capability of storing addressbooks
> via ldap, but was wondering if they used a schema
> similar to turba.
>
> Thanks again for your great help.  It is exciting to
> see an entirely ldap based mail system come together.
>
> Respectfully,
>
>
> Gary
>
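Added example, not part of this thread or of slapd: a small Python model of how slapd selects one "access to" clause and then one "by" clause, used to check the point above that a per-user addressbook rule which lists only the owner cuts off every other account, including the ispman service account, before any later catch-all rule can apply. The service account DNs (cn=ispman and cn=backup under ou=services), the "dn:" selector notation and the simplified semantics (full-match regexes, $1 expanded from the target DN, no global default access, so each ACL set ends with a catch-all) are assumptions of this example.

```python
import re

# Added example (not from the thread): a small model of how slapd picks one
# "access to" clause and one "by" clause, so the effect of an incomplete
# per-user addressbook ACL on the other accounts can be checked offline.
# Simplifications (assumptions): <what> and dn patterns are full-match regexes,
# $1..$9 in a "by dn:" pattern are filled from the <what> match, and slapd's
# global default access is not modelled, so each ACL set ends with a catch-all.

# slapd access levels from weakest to strongest; a granted level implies all
# weaker ones (write implies read, read implies search, ...).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADDRESSBOOK = r".*ou=addressbook,(uid=.+),ou=users,dc=ourcompany,dc=com"

# Hypothetical service accounts (not named in the thread).
ISPMAN = "cn=ispman,ou=services,dc=ourcompany,dc=com"
BACKUP = "cn=backup,ou=services,dc=ourcompany,dc=com"

# The rule from the thread on its own: only the owner ($1) is listed, so every
# other account falls through to the implicit "by * none" of this clause and the
# catch-all below never gets a chance to apply to addressbook entries.
INCOMPLETE_ACL = [
    (ADDRESSBOOK, [("dn:$1,ou=users,dc=ourcompany,dc=com", "write")]),
    (r".*", [("dn:" + ISPMAN, "write"), ("*", "read")]),
]

# The same rule with every account that must touch addressbook entries listed.
COMPLETE_ACL = [
    (ADDRESSBOOK, [("dn:$1,ou=users,dc=ourcompany,dc=com", "write"),
                   ("dn:" + BACKUP, "read"),
                   ("dn:" + ISPMAN, "write"),
                   ("anonymous", "auth"),
                   ("*", "none")]),
    (r".*", [("dn:" + ISPMAN, "write"), ("*", "read")]),
]


def who_matches(who, what_match, bind_dn):
    """Does a 'by' selector apply to bind_dn ('' means an anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn == what_match.string
    if who.startswith("dn:"):
        # Expand $N with the group captured from the target DN, escaped so the
        # captured text is matched literally rather than as a regex.
        pattern = re.sub(r"\$(\d)",
                         lambda g: re.escape(what_match.group(int(g.group(1)))),
                         who[3:])
        return re.fullmatch(pattern, bind_dn) is not None
    raise ValueError("unknown 'by' selector: " + who)


def effective_access(acls, bind_dn, target_dn):
    """Access level bind_dn gets on target_dn: the first matching 'access to'
    clause wins, then the first matching 'by' clause within it; no 'by' match
    inside a matching clause means 'none' (slapd's implicit 'by * none')."""
    for what, by_clauses in acls:
        m = re.fullmatch(what, target_dn)
        if m is None:
            continue
        for who, level in by_clauses:
            if who_matches(who, m, bind_dn):
                return level
        return "none"
    return "none"


def level_allows(granted, needed):
    """True if the granted level covers the needed operation."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Constructed sample: one entry in gary's personal addressbook and the accounts
# that might try to reach it.
TARGET = "cn=alice smith,ou=addressbook,uid=gary,ou=users,dc=ourcompany,dc=com"
ACCOUNTS = {
    "gary (owner)": "uid=gary,ou=users,dc=ourcompany,dc=com",
    "bob (other user)": "uid=bob,ou=users,dc=ourcompany,dc=com",
    "ispman service account": ISPMAN,
    "backup account": BACKUP,
    "anonymous": "",
}


def report(acls):
    """Effective access of every sample account on the sample entry."""
    return {name: effective_access(acls, dn, TARGET)
            for name, dn in ACCOUNTS.items()}


if __name__ == "__main__":
    for label, acls in (("incomplete", INCOMPLETE_ACL), ("complete", COMPLETE_ACL)):
        print(label)
        for name, level in report(acls).items():
            print("  %-24s %s" % (name, level))
```

Running the script prints the two tables side by side: under the incomplete rule the ispman account gets "none" on addressbook entries even though the catch-all rule would have granted it write, which is the symptom of a service account that writes as rootdn suddenly losing access once per-user rules appear; under the complete rule the owner and ispman get write, the backup account read, and anonymous binds are only allowed to authenticate.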


