[turba] ldap: how do I stop the posixAccounts appearing in shared

Mark Worsdall turba at worsdall.demon.co.uk
Sun Feb 19 09:47:17 PST 2006


In message <X2j$C5Aqq59DFwOS at worsdall.demon.co.uk>, Mark Worsdall
<turba at worsdall.demon.co.uk> writes
>Hi,
>
[snip]
>Any ideas where I HAVE MESSED UP??? cos I am thick:-)

Glad no one answered this time cos I feel GOOD! I have cracked it,
welcome to the dark side of LDAP :-)

The answer was basically reading http://www.zytrax.com/books/ldap/,
as the author knew the frustrations; once read, I was then able to do
some jiggery-pokery in turba/config/sources.php for the Shared and
Personal address books.

Basically it was necessary to create two first-level entries; I did three,
the third one for the admin account.

1) A first-level entry for account (this is where all authentication
users are stored).

2) A first-level entry for people (this is where all the person address
book stuff is stored).


All the Unix user accounts had ou=account added to the DN:

1.1) A second-level entry for a Unix user account.

dn: uid=jdw,ou=Account,dc=shadowrobot,dc=com
uid: jdw
cn: Mark Worsdall
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: SECRET
shadowLastChange: 13193
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1010
gidNumber: 1010
homeDirectory: /home/jdw



Whereas the personal_addressbook OUs had people in the DN:

2.1) A second-level entry for the personal address book.

dn: ou=jdw,ou=personal_addressbook,dc=shadowrobot,dc=com
objectclass: top
objectClass: organizationalUnit
ou: jdw


Note these are for the same user: jdw


Next I altered the horde/turba/config/sources.php to reflect this:

NOTE: ou=people
localldap:

        'root' => 'ou=people,dc=shadowrobot,dc=com',
        'bind_dn' => 'cn=admin,dc=shadowrobot,dc=com',
        'bind_password' => 'ADMINSECRET',



NOTE: ou=account
The personal address book LDAP

        'root' => 'ou=' . $uid . ',ou=personal_addressbook,' . $basedn,
        'bind_dn' => 'uid=' . $uid . ',ou=account,' . $basedn,

And then map uid to ou to stop the uid corruption:

        '__uid' => 'ou',



Then in slapd.conf:

Note again people for Shared (localldap) and account for personal
address book:

# add more attributes to attrs= as necessary
access to dn.children="ou=people,dc=shadowrobot,dc=com"
        attrs=entry,objectClass,mail,telephoneNumber

        by dn="cn=admin,dc=shadowrobot,dc=com" read
        by self read
        by * none


# $1 below is the ou captured by the "to" regex, so each account may only
# write its own personal address book (and the contact entries under it);
# a "by dn.regex=uid=(.+),..." clause would grant write to every account,
# since that group is not tied to the entry being accessed
access to dn.regex="ou=([^,]+),ou=personal_addressbook,dc=shadowrobot,dc=com$"
        by dn.regex="^uid=$1,ou=account,dc=shadowrobot,dc=com$" write
        by * none


Restart slapd of course:-)

And bingo all is well.

Note the shadowrobot.com is nowhere near the Internet!!!

Hope this may help others and has nothing glaringly wrong with it.

Seriously, read the URL as that can help you get to understand LDAP; worked
for me :-)

M.
-- 
Mark Worsdall
http://www.shadowrobot.com/  need a hand??
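As an added illustration (not part of the post above, and not slapd code), the following Python models how slapd evaluates the personal address book rule in the two forms it can be written: a `by` clause that carries its own `uid=(.+)` group, and a `by` clause that reuses the ou captured by the `to` clause through the `$1` back-reference. The model substitutes `$1` and then matches both DNs with regular expressions, which is the relevant part of the dn.regex semantics described in slapd.access(5); the user names other than jdw are made up for the run.

```python
import re

# Constructed values for this demonstration (the base DN follows the post's
# examples; the user names other than jdw are made up).
BASE_DN = "dc=shadowrobot,dc=com"

# Two ways of writing the slapd rule for the personal address books.  Each
# rule is a "to" pattern matched against the entry's DN and a "by" pattern
# matched against the bound user's DN.  "$1" in the "by" pattern stands for
# the first group captured by the "to" pattern, as in slapd.access(5).
ACL_OWN_GROUP = {  # by-clause has its own (.+) group: no link to the entry
    "to": r"ou=(.+),ou=personal_addressbook,dc=shadowrobot,dc=com",
    "by": r"uid=(.+),ou=account,dc=shadowrobot,dc=com",
}
ACL_BACKREF = {  # by-clause reuses the captured ou via $1
    "to": r"ou=([^,]+),ou=personal_addressbook,dc=shadowrobot,dc=com$",
    "by": r"^uid=$1,ou=account,dc=shadowrobot,dc=com$",
}


def may_write(acl, bind_dn, target_dn):
    """Model of slapd's dn.regex evaluation for one 'access ... write' rule.

    Returns True when the rule applies to target_dn and grants write to
    bind_dn.  DNs are compared case-insensitively, as slapd does for
    normalized DNs.  The captured value is regex-escaped before substitution
    here (slapd inserts it verbatim, which is one reason to capture with
    [^,]+ rather than .+ in real rules).
    """
    to_match = re.search(acl["to"], target_dn, re.IGNORECASE)
    if to_match is None:
        return False  # rule does not cover this entry at all
    by_pattern = acl["by"]
    if "$1" in by_pattern:
        by_pattern = by_pattern.replace("$1", re.escape(to_match.group(1)))
    return re.search(by_pattern, bind_dn, re.IGNORECASE) is not None


def account_dn(uid):
    """DN of a Unix account entry, laid out as in the post (ou=account)."""
    return f"uid={uid},ou=account,{BASE_DN}"


def addressbook_dn(uid):
    """DN of a user's personal address book OU, laid out as in the post."""
    return f"ou={uid},ou=personal_addressbook,{BASE_DN}"


def writers_of(acl, uids, owner):
    """Which of the given uids the rule lets write the owner's personal book."""
    target = addressbook_dn(owner)
    return sorted(u for u in uids if may_write(acl, account_dn(u), target))


if __name__ == "__main__":
    users = ["jdw", "alice", "bob"]
    for name, acl in (("own (.+) group", ACL_OWN_GROUP),
                      ("$1 back-reference", ACL_BACKREF)):
        print(f"{name}: accounts that may write jdw's book -> "
              f"{writers_of(acl, users, 'jdw')}")
    # A contact entry inside jdw's book is still writable by jdw under the
    # back-reference rule, because the "to" pattern is not anchored at the
    # start and so also matches children of the ou.
    contact = f"cn=Some Contact,{addressbook_dn('jdw')}"
    print("jdw may edit own contact:",
          may_write(ACL_BACKREF, account_dn("jdw"), contact))
```

Running it shows every account in the list granted write on jdw's book under the first form and only jdw under the second; the same check can be run against `ldapwhoami`/`ldapmodify` on a test directory to confirm the live rule behaves the way the model predicts.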

