[turba] Turba Personal Address Book LDAP ACL Problems ( Postfix Vdomain Structure )
Data Leung
data_leung at hotmail.com
Mon Apr 16 03:38:18 UTC 2007
Dear List,
Below are the packages which I have installed on my testing
mailserver.
1. CentOS 4.4
2. OpenLDAP 2.2.13.
3. MySQL 4.1.20
4. Postfix + LDAP + Virtual Domain deployment.
5. Phamm ( Web Administration console for Postfix / LDAP )
6. Courier-Auth / Courier-LDAP
7. Horde-3.1.4.tar.gz
8. IMP H3 4.1.4
9. Turba H3 2.1.4
10. PHP Version 4.3.9
And I am looking for Turba to provide the following features.
1. Global Address Book (LDAP based) * This has been done *
2. Personal Address Book (LDAP based) * Having trouble *
Requirements for Personal Address Book
a. The owner of a Personal Address Book sub-entry can "Read / Write" their own personal
address book.
b. Nobody except the owner can READ / WRITE another user's personal address
book.
My problem is that when I try to write an entry located in the LDAP personal
address book sub-entry,
an error message pops up in the "Turba New Contact Page":
====================== ERROR =================================
There was an error adding the new contact. Contact your system administrator
for further help. Failed to add an object: [50] "Insufficient access" DN:
cn=kkk,ou=Address Book,mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com
(attributes:
[a:3:{s:2:"cn";s:3:"kkk";s:2:"sn";s:3:"kkk";s:11:"objectclass";a:4:{i:0;s:3:"top";i:1;s:6:"person";i:2;s:13:"inetOrgPerson";i:3;s:20:"organizationalPerson";}}]).Charset:UTF-8
=============================================================
Here is my ACL specified in slapd.conf
================= SLAPD ACL ======================
access to dn.regex="^(.+,)?cn=([^,]+),ou=dns,dc=strsh,dc=com$"
    by anonymous auth
    by dn.exact="cn=dnsldap,ou=dns,dc=strsh,dc=com" read
    by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=strsh,dc=com" write
    by dn.exact,expand="cn=master,cn=$2,ou=dns,dc=strsh,dc=com" write
access to dn.regex="^(.+,)?dc=([^,]+),ou=dns,dc=strsh,dc=com$"
    by anonymous auth
    by dn.exact="cn=dnsldap,ou=dns,dc=strsh,dc=com" read
    by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=strsh,dc=com" write
    by dn.exact,expand="cn=master,cn=$2,ou=dns,dc=strsh,dc=com" write
access to dn.exact="ou=dns,dc=strsh,dc=com"
    by anonymous auth
    by dn.exact="cn=dnsldap,ou=dns,dc=strsh,dc=com" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=userPassword,sambaNTPassword,sambaLMPassword
    by self write
    by anonymous auth
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" write
    by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=amavisBypassVirusChecks,quota,smtpAuth,accountActive
    by self read
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by set="user/editAccounts & [TRUE]" write
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" read
    by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=cn,sn,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel
    by self write
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" write
    by set="user/vd & [$1]" write
access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=editAccounts
    by self read
    by set="user/editAccounts & [TRUE]" write
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by * none
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=objectClass,entry
    by self write
    by anonymous read
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by set="user/editAccounts & [TRUE]" write
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=amavisBypassSpamChecks,accountActive,delete
    by self read
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" write
    by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=FTPQuotaMBytes,FTPStatus,FTPQuotaFiles,uid,otherPath
    by anonymous read
    by self read
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=strsh,dc=com" read
    by set="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=strsh,dc=com$"
        attr=uidNumber,gidNumber,createMaildir
    by self read
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by set="user/vd & [$1]" read
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=strsh,dc=com$"
    by self write
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by set="user/editAccounts & [FALSE]" read
    by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=strsh,dc=com" write
    by set="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=strsh,dc=com$"
    by self write
    by dn.exact="cn=phamm,o=hosting,dc=strsh,dc=com" read
    by anonymous auth
access to dn.regex=".+,ou=admin,dc=strsh,dc=com$" attr=userPassword
    by self write
    by anonymous auth
access to dn.regex=".+,ou=admin,dc=strsh,dc=com$" attr=vd
    by self read
####### Turba Personal Address Book ACL located in SLAPD.conf #######
access to dn.regex="^ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$"
        attrs=children
    by dn.exact="cn=Manager,dc=strsh,dc=com" write
    by dn.exact,expand="mail=$1,vd=strsh.com,o=hosting,dc=strsh,dc=com" write
access to dn.regex="[^,]+,ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$"
        attrs=entry,@inetOrgPerson
    by dn.exact="cn=Manager,dc=strsh,dc=com" write
    by dn.exact,expand="mail=$1,vd=strsh.com,o=hosting,dc=strsh,dc=com" write
# give write access to one's address book entry to admin only
access to dn.regex="[^,]+,ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$"
        attrs=entry,@inetOrgPerson
    by dn.exact="cn=Manager,dc=strsh,dc=com" write
    by dn.exact,expand="mail=$1,vd=strsh.com,o=hosting,dc=strsh,dc=com" read
access to dn.regex="^mail=[^,]+,vd=strsh.com,o=hosting,dc=strsh,dc=com$"
    by self read
=============== OpenLDAP /var/log/ldap.log ====================
=============== "loglevel 128 acl filter" enabled ==================
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=4 fd=14 ACCEPT from IP=127.0.0.1:55883 (IP=0.0.0.0:389)
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=4 op=0 BIND dn="cn=Manager,dc=strsh,dc=com" method=128
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=4 op=0 BIND dn="cn=Manager,dc=strsh,dc=com" mech=SIMPLE ssf=0
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=4 op=0 RESULT tag=97 err=0 text=
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=5 fd=15 ACCEPT from IP=127.0.0.1:55884 (IP=0.0.0.0:389)
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=5 op=0 BIND dn="mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" method=128
Apr 16 10:59:17 mailserver1 slapd[8364]: => access_allowed: auth access to "mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" "userPassword" requested
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [1] ^(.+,)?cn=([^,]+),ou=dns,dc=strsh,dc=com$ nsub: 2
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [2] ^(.+,)?dc=([^,]+),ou=dns,dc=strsh,dc=com$ nsub: 2
Apr 16 10:59:17 mailserver1 slapd[8364]: => dn: [3] ou=dns,dc=strsh,dc=com
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [4] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [4] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [4] attr userPassword
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_mask: access to entry "mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com", attr "userPassword" requested
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_mask: to all values by "", (=n)
Apr 16 10:59:17 mailserver1 slapd[8364]: <= check a_dn_pat: self
Apr 16 10:59:17 mailserver1 slapd[8364]: <= check a_dn_pat: anonymous
Apr 16 10:59:17 mailserver1 slapd[8364]: <= acl_mask: [2] applying auth(=x) (stop)
Apr 16 10:59:17 mailserver1 slapd[8364]: <= acl_mask: [2] mask: auth(=x)
Apr 16 10:59:17 mailserver1 slapd[8364]: => access_allowed: auth access granted by auth(=x)
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=5 op=0 BIND dn="mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" mech=SIMPLE ssf=0
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=5 op=0 RESULT tag=97 err=0 text=
Apr 16 10:59:17 mailserver1 slapd[8364]: conn=5 op=1 ADD dn="cn=kkk,ou=Address Book,mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com"
Apr 16 10:59:17 mailserver1 slapd[8364]: => access_allowed: write access to "ou=Address Book,mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" "children" requested
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [1] ^(.+,)?cn=([^,]+),ou=dns,dc=strsh,dc=com$ nsub: 2
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [2] ^(.+,)?dc=([^,]+),ou=dns,dc=strsh,dc=com$ nsub: 2
Apr 16 10:59:17 mailserver1 slapd[8364]: => dn: [3] ou=dns,dc=strsh,dc=com
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [4] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [4] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [5] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [5] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [6] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [6] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [7] ^.*,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [7] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [8] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [8] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [9] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [9] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [10] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [10] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [11] .+,vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 1
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [11] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => dnpat: [12] ^(.+,)?vd=([^,]+),o=hosting,dc=strsh,dc=com$ nsub: 2
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [12] matched
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_get: [12] attr children
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_mask: access to entry "ou=Address Book,mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com", attr "children" requested
Apr 16 10:59:17 mailserver1 slapd[8364]: => acl_mask: to all values by "mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com", (=n)
Apr 16 10:59:17 mailserver1 slapd[8364]: <= check a_dn_pat: self
Apr 16 10:59:17 mailserver1 slapd[8364]: <= check a_dn_pat: cn=phamm,o=hosting,dc=strsh,dc=com
Apr 16 10:59:17 mailserver1 slapd[8364]: => bdb_entry_get: found entry: "mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com"
Apr 16 10:59:17 mailserver1 slapd[8364]: <= check a_dn_pat: cn=postmaster,vd=$2,o=hosting,dc=strsh,dc=com
Apr 16 10:59:17 mailserver1 slapd[8364]: => bdb_entry_get: found entry: "mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com"
Apr 16 10:59:17 mailserver1 slapd[8364]: <= acl_mask: no more <who> clauses, returning =n (stop)
Apr 16 10:59:17 mailserver1 slapd[8364]: => access_allowed: write access denied by =n
========================================================
Here is my Turba Source.php
=========================================================
// First we need to get the uid.
// $mail_domain = substr($HTTP_HOST, strpos($HTTP_HOST, ".")+1);
$mail_domain = 'strsh.com';
$uid = Auth::getBareAuth();
$basedn = 'dc=strsh,dc=com';
$cfgSources['personal_ldap'] = array(
    'title' => _("Personal Address"),
    'type' => 'ldap',
    'params' => array(
        'server' => 'mailserver1.strsh.com',
        'tls' => false,
        // Container of the user's own address book entries
        'root' => 'ou=Address Book,mail=' . $uid . '@' . $mail_domain . ',vd=' . $mail_domain . ',o=hosting,' . $basedn,
        // Bind as the logged-in user, so slapd's per-user ACLs decide access
        'bind_dn' => 'mail=' . $uid . '@' . $mail_domain . ',vd=' . $mail_domain . ',o=hosting,' . $basedn,
        'bind_password' => Auth::getCredential('password'),
        //'bind_password' => '123',
        //'bind_password' => Auth::getCredential('userPassword'),
        'dn' => array('cn', 'uid'),
        'objectclass' => array('top',
                               'person',
                               // 'turbaContact',
                               'inetOrgPerson',
                               // 'calEntry',
                               'organizationalPerson'),
        'scope' => 'one',
        'charset' => 'utf-8',
        'version' => 3
    ),
    'map' => array(
        '__key' => 'dn',
        ///'__uid' => 'uid',
        // From horde.schema:
        //'__type' => 'turbaType',
        //'__members' => 'turbaMembers'
        'name' => 'cn',
        'email' => 'mail',
        'lastname' => 'sn',
        'title' => 'title',
        'company' => 'organizationname',
        'businessCategory' => 'businesscategory',
        'workAddress' => 'postaladdress',
        'workPostalCode' => 'postalcode',
        'workPhone' => 'telephonenumber',
        'fax' => 'facsimiletelephonenumber',
        'homeAddress' => 'homepostaladdress',
        'homePhone' => 'homephone',
        'cellPhone' => 'mobile',
        'notes' => 'description',
    ),
    'search' => array(
        'name',
        'email',
        'businesscategory',
        'title',
        'homePhone',
        'workPhone',
        'cellPhone',
        'homeAddress'
    ),
    'strict' => array(
        'dn',
    ),
    'export' => true,
    'browse' => true,
);
=============================================================
I tried the following ways to diagnose this problem.
1. Use LDAPadmin (Windows LDAP Client) and log in with the following
ATTRs (mail & userPassword):
User Entry:
mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com
Password Entry: xxx
2. Use the following ACL with the specific "RIGHT PERSONAL" mail /
password attrs and create the Personal Address Book. "Please read TEST ACL"
3. Bind with the "ROOT PASSWORD" of LDAP placed in source.php. "That works ~"
but I don't want this.
================= TEST ACL =====================
#access to dn.regex="^ou=Address Book,mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com$"
#        attrs=children
#    by dn.exact="cn=Manager,dc=strsh,dc=com" write
#    by dn.exact,expand="mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" write
#access to dn.regex="[^,]+,ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$"
#        attrs=entry,@inetOrgPerson
#    by dn.exact="cn=Manager,dc=strsh,dc=com" write
#    by dn.exact,expand="mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" write
# give write access to one's address book entry to admin only
#access to dn.regex="[^,]+,ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$"
#        attrs=entry,@inetOrgPerson
#    by dn.exact="cn=Manager,dc=strsh,dc=com" write
#    by dn.exact,expand="mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com" read
#access to dn.regex="^mail=data.leung@strsh.com+,vd=strsh.com,o=hosting,dc=strsh,dc=com$"
#    by self read
=========================================================
Below is my LDAP tree structure.
Personal Address Book OU:
ou=Address Book,mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com
User attr store location:
mail=Data.Leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com
* Suppose attr mail = uid
I hope somebody could help; I have been searching around Google for a few
days already,
but it hasn't helped me a lot to solve this.
Thanks and looking forward to your reply.
From Data Leung.
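To see why the log above ends in "no more <who> clauses, returning =n", here is a small Python model of OpenLDAP's first-match ACL evaluation (an added example, not code from the post or from OpenLDAP) run over a constructed two-clause subset of the posted slapd.conf: in the posted order the generic "vd=" clause ([12] in the log) is the first to match the address-book container, its <who> list never names the mailbox owner, so the Turba clause that follows it is never consulted; with the Turba clause placed before it, the owner gets write on "children". The DN patterns, attribute names and DNs come from the post; the evaluation model is a simplification (no rootdn bypass, no set/group/anonymous clauses).

```python
import re

# Toy model of slapd ACL evaluation: the first "access to" clause whose
# dn.regex matches the target (and whose attrs list, if any, names the
# requested attribute) is the only clause consulted; its <who> clauses are
# tried in order, and if none applies the result is "none" and evaluation stops.
# ACLS is a constructed subset of the posted slapd.conf, in the posted order.
ACLS = [
    # clause [12] in the log: generic per-vdomain rule with no attrs restriction
    (r"^(.+,)?vd=([^,]+),o=hosting,dc=strsh,dc=com$", None, [
        ("self", "write"),
        ("cn=phamm,o=hosting,dc=strsh,dc=com", "read"),
        ("cn=postmaster,vd=$2,o=hosting,dc=strsh,dc=com", "write"),
    ]),
    # Turba address-book container rule, placed after [12] in the posted file
    (r"^ou=Address Book,mail=([^,]+),vd=strsh.com,o=hosting,dc=strsh,dc=com$",
     "children", [
        ("cn=Manager,dc=strsh,dc=com", "write"),
        ("mail=$1,vd=strsh.com,o=hosting,dc=strsh,dc=com", "write"),
    ]),
]

def access(acls, target_dn, attr, bind_dn):
    """Access level the first applicable clause grants bind_dn on target_dn."""
    target_dn, bind_dn = target_dn.lower(), bind_dn.lower()
    for dn_regex, attrs, who in acls:
        m = re.match(dn_regex, target_dn, re.IGNORECASE)
        if not m or (attrs and attr not in attrs.split(",")):
            continue                      # clause does not apply, try the next
        for pat, level in who:
            if pat == "self":
                if target_dn == bind_dn:
                    return level
                continue
            # dn.exact,expand: replace $n with the n-th capture of dn.regex
            expanded = re.sub(r"\$(\d)",
                              lambda g: m.group(int(g.group(1))) or "", pat)
            if expanded.lower() == bind_dn:
                return level
        return "none"                     # clause matched, no <who> applied

    return "none"

BOOK = "ou=Address Book,mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com"
USER = "mail=data.leung@strsh.com,vd=strsh.com,o=hosting,dc=strsh,dc=com"

def posted_order():
    return access(ACLS, BOOK, "children", USER)       # "none": denied, as logged

def turba_clause_first():
    return access(list(reversed(ACLS)), BOOK, "children", USER)   # "write"
```

The same ordering rule applies to the two Turba entry clauses: the second "[^,]+,ou=Address Book,..." clause (owner read only) sits behind an identical pattern that already grants the owner write, so it is never reached either.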