[turba] Re: ldap config so users can edit their own address book

eculp at encontacto.net eculp at encontacto.net
Wed Mar 12 12:06:10 PST 2003


Quoting Lucius Junevicus <ljunevicus at delphinus.com>:

| Thanks I'll try this.
| 
| I'm not sure how the bind_password => Auth::getCredential('password') works
| in regards to the slapd.conf file.

Auth::getCredential('password') will supply the -s the_user's_password
as Auth::getAuth() supplies the user id.  This completes an equivalent
of the ldapsearch or ldapmodify
    -D "mail=ljunevicus at delphinus.com,ou=people,o=delphinus.com" -w SECRET

The relationship with slapd.conf is that your ACLs determine each user's
permissions.  For example I have something like the following:

access  to      dn="mail=.+,ou=people,o=delphinus.com"
        by      self    write
        by      anonymous       auth
        by      *       read

The above will vary based on your individual needs.  In fact there are
other ways of stating the same and probably better than mine but
this works for me.

| 
| I assume it tries to bind with the user's password, but I'm not sure how
| openldap knows that this password is something it can use.

Amith and I are assuming that you are using ldap for authentication.  If you
aren't then we probably have an issue.  If you are using it for authentication
you gave your password to login to horde/imp and it is available in the
above mentioned variable.

| The root ldap
| password is specified in the slapd.conf file, but I don't have the user's
| passwords specified in that file.  How does that work?

The password has to be in the ldap directory if you are using ldap for
authentication and is verified when needed.

| 
| Still a beginner with ldap.

Isn't everyone?  I feel the same way and I've been using it for a couple
of years.  :-)

Good luck,

ed
| 
| Thanks.
| 
| "Amith Varghese" <amith at xalan.com> wrote in message
| news:1047403078.e795987794286 at amith.xalan.com...
| > > The array(Auth::getAuth()) seems to allow me to edit everyone's address.
| >
| > I have this, but the difference between my entry and yours is the following:
| >
| > 'root' => 'ou=' . Auth::getAuth() . ',ou=Personal Address Book,dc=mydomain,dc=com',
| > 'bind_dn' => 'uid=' . Auth::getAuth() . ',ou=People,dc=mydomain,dc=com',
| > 'bind_password' => Auth::getCredential('password'),
| >
| > That way only the person logged in can access their own address book based
| > on how the root and bind_dn are constructed.  Not pretty but it works well.
| >
| > >
| > > This is the access part of my slapd.conf file
| > > access to dn=".*,ou=users,o=ourcompany"
| > >   by self write
| > >   by dn="cn=userAdmin,o=ourcompany" write
| > >   by anonymous read
| >
| > To back this up with ACLs I do the following
| >
| > access to dn="ou=(.*),ou=Personal Address Book,dc=mydomain,dc=com"
| >         by dn="uid=$1,ou=People,dc=mydomain,dc=com" write
| >         by * none
| >
| > This enforces it within OpenLDAP so clients connecting with other clients
| > can view/edit someone else's address book.
| >
| > Amith
| >
| >
| > --
| > Turba mailing list
| > Frequently Asked Questions: http://horde.org/faq/
| > To unsubscribe, mail: turba-unsubscribe at lists.horde.org
| >
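As an added illustration that is not code from this thread, from Horde/Turba or from OpenLDAP, the following Python script simulates the two things the replies above explain: the simple bind that Turba performs with the bind_dn built from Auth::getAuth() and the password from Auth::getCredential('password'), checked against the userPassword attribute stored in the directory rather than anything in slapd.conf, and the evaluation of the two quoted ACLs (Amith's $1-based address-book rule and Ed's people rule). The directory entries and passwords are constructed test data; the evaluator models the documented OpenLDAP rules (the first matching "access to" directive decides, the first matching "by" clause within it wins, and an implicit "by * none" follows) but is a teaching model, not slapd's implementation.

```python
import hmac
import re

# Constructed toy directory for this simulation (not real data). Keys are
# lower-cased DNs; userPassword is cleartext only to keep the example short.
DIRECTORY = {
    "uid=alice,ou=people,dc=mydomain,dc=com": {"userPassword": "alice-secret"},
    "uid=bob,ou=people,dc=mydomain,dc=com": {"userPassword": "bob-secret"},
}

# OpenLDAP access levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACLs quoted in the thread, as data: (target DN regex, [(who, level), ...]).
# Amith's: each user's ou under the address-book container, tied to the bind DN
# through the $1 back-reference; "* none" denies everyone else.
AMITH_ACL = [
    (r"ou=(.*),ou=Personal Address Book,dc=mydomain,dc=com",
     [("dn=uid=$1,ou=People,dc=mydomain,dc=com", "write"),
      ("*", "none")]),
]
# Ed's: a person entry is writable by itself, usable for a bind by anonymous
# clients (auth), and readable by everyone else.
ED_ACL = [
    (r"mail=.+,ou=people,o=delphinus.com",
     [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]


def simple_bind(bind_dn, password):
    """Model of a simple bind. Turba sends bind_dn (built from Auth::getAuth())
    and bind_password (Auth::getCredential('password')); slapd checks the
    password against the userPassword attribute of that entry, so nothing
    per-user has to live in slapd.conf. Returns the bound DN, or None."""
    entry = DIRECTORY.get(bind_dn.lower())
    if entry is None:
        return None
    stored = entry.get("userPassword", "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return bind_dn.lower()


def who_matches(who, bind_dn, target_dn, match):
    """Evaluate one 'by <who>' clause for a (possibly anonymous) bind DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        pattern = who[3:]
        # expand $1, $2, ... with the groups captured from the target regex
        for i, group in enumerate(match.groups(), start=1):
            pattern = pattern.replace("$%d" % i, group)
        return bind_dn is not None and bind_dn.lower() == pattern.lower()
    raise ValueError("unsupported who clause: %s" % who)


def access_level(acl, bind_dn, target_dn):
    """The first 'access to' directive whose target matches decides; within it
    the first matching 'by' clause wins, and an implicit 'by * none' follows."""
    for target_re, by_clauses in acl:
        match = re.search(target_re, target_dn, re.IGNORECASE)
        if match is None:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn, match):
                return level
        return "none"
    return "none"


def can(acl, bind_dn, target_dn, needed):
    """True when the granted level is at least `needed`."""
    return LEVELS.index(access_level(acl, bind_dn, target_dn)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = simple_bind("uid=alice,ou=People,dc=mydomain,dc=com", "alice-secret")
    book = "ou=%s,ou=Personal Address Book,dc=mydomain,dc=com"
    print("alice writes her own book:", can(AMITH_ACL, alice, book % "alice", "write"))
    print("alice reads bob's book:   ", can(AMITH_ACL, alice, book % "bob", "read"))
    print("anonymous reads her book: ", can(AMITH_ACL, None, book % "alice", "read"))
```

Two details worth seeing in the simulation: the $1 expansion is what binds the matched ou to the user's own bind DN, and the closing "by * none" is what turns every other authenticated user away. Because the target pattern is a search (not anchored at the start), contact entries such as cn=...,ou=alice,ou=Personal Address Book,... also match with $1 = alice, which is what lets the bound user manage the entries inside their own book while still being denied on anyone else's.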