[turba] Re: ldap config so users can edit their own address book
eculp at encontacto.net
Wed Mar 12 12:06:10 PST 2003
Quoting Lucius Junevicus <ljunevicus at delphinus.com>:
| Thanks I'll try this.
|
| I'm not sure how the bind_password => Auth::getCredential('password') works
| in regards to the slapd.conf file.
Auth::getCredential('password') will supply the -s the_user's_password
as Auth::getAuth() supplies the user id. This completes an equivalent
of the ldapsearch or ldapmodify
    -D "mail=ljunevicus at delphinus.com,ou=people,o=delphinus.com" -w SECRET
The relationship with slapd.conf is that your ACLs determine each user's
permissions. For example, I have something like the following:
    access to dn="mail=.+,ou=people,o=delphinus.com"
        by self write
        by anonymous auth
        by * read
The above will vary based on your individual needs. In fact there are
other ways of stating the same and probably better than mine, but
this works for me.
|
| I assume it tries to bind with the user's password, but I'm not sure how
| openldap knows that this password is something it can use.
Amith and I are assuming that you are using ldap for authentication. If you
aren't then we probably have an issue. If you are using it for authentication
you gave your password to login to horde/imp and it is available in the
above mentioned variable.
| The root ldap
| password is specified in the slapd.conf file, but I don't have the user's
| passwords specified in that file. How does that work?
The password has to be in the ldap directory if you are using ldap for
authentication and is verified when needed.
|
| Still a beginner with ldap.
Isn't everyone? I feel the same way and I've been using it for a couple
of years. :-)
Good luck,
ed
|
| Thanks.
|
| "Amith Varghese" <amith at xalan.com> wrote in message
| news:1047403078.e795987794286 at amith.xalan.com...
| > > The array(Auth::getAuth()) seems to allow me to edit everyone's address.
| >
| > I have this, but the difference between my entry and yours is the following:
| >
| > 'root' => 'ou=' . Auth::getAuth() . ',ou=Personal Address Book,dc=mydomain,dc=com',
| > 'bind_dn' => 'uid=' . Auth::getAuth() . ',ou=People,dc=mydomain,dc=com',
| > 'bind_password' => Auth::getCredential('password'),
| >
| > That way only the person logged in can access their own address book based on
| > how the root and bind_dn are constructed. Not pretty but it works well.
| >
| > >
| > > This is the access part of my slapd.conf file
| > > access to dn=".*,ou=users,o=ourcompany"
| > > by self write
| > > by dn="cn=userAdmin,o=ourcompany" write
| > > by anonymous read
| >
| > To back this up with ACLs I do the following
| >
| > access to dn="ou=(.*),ou=Personal Address Book,dc=mydomain,dc=com"
| > by dn="uid=$1,ou=People,dc=mydomain,dc=com" write
| > by * none
| >
| > This enforces it within OpenLDAP so clients connecting with other clients can
| > view/edit someone else's address book.
| >
| > Amith
| >
| >
| > --
| > Turba mailing list
| > Frequently Asked Questions: http://horde.org/faq/
| > To unsubscribe, mail: turba-unsubscribe at lists.horde.org
| >
|
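As an added illustration (not code from this thread, from Horde/Turba or from OpenLDAP), the following Python model evaluates the two slapd ACLs quoted above against a few constructed bind DNs, to check that a user bound with their own DN gets write on their own address book and nothing on anyone else's. It is a simplified model of slapd's first-match evaluation (first clause whose target matches, then first matching "by" line), and the user names and DNs are constructed.

```python
import re

# Access levels in the order slapd ranks them; a granted level implies the lower ones.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}

# Constructed representation of the two ACLs from the thread:
# (target DN regex, [(who, level), ...]).
ACLS = [
    # Amith's ACL: only uid=$1 may touch the address book stored under ou=$1
    (r"^ou=(.*),ou=Personal Address Book,dc=mydomain,dc=com$",
     [("dn=uid=$1,ou=People,dc=mydomain,dc=com", "write"), ("*", "none")]),
    # ed's ACL: the entry's owner writes, anonymous may only bind, everyone else reads
    (r"^mail=.+,ou=people,o=delphinus.com$",
     [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]

def access_level(bind_dn, target_dn, acls=ACLS):
    """Return the level bind_dn (None = anonymous) gets on target_dn."""
    for target_re, by_clauses in acls:
        m = re.match(target_re, target_dn, re.IGNORECASE)
        if not m:
            continue
        for who, level in by_clauses:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn is not None and bind_dn.lower() == target_dn.lower():
                return level
            if who.startswith("dn=") and bind_dn is not None:
                # Substitute $1, $2, ... with the groups captured from the target DN,
                # which is how the "uid=$1" clause ties the book to its owner.
                expected = who[3:]
                for i, group in enumerate(m.groups(), 1):
                    expected = expected.replace(f"${i}", group)
                if expected.lower() == bind_dn.lower():
                    return level
        return "none"   # target matched but no "by" line did: denied
    return "none"       # no clause matched the target: denied by default

def can(bind_dn, target_dn, needed):
    """True if bind_dn's level on target_dn is at least `needed`."""
    return LEVELS[access_level(bind_dn, target_dn)] >= LEVELS[needed]
```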