[RCD] Need some advice about a feature to improve addressbook from LDAP filters

Julien Gribonvald julien.gribonvald at recia.fr
Thu Dec 6 12:32:14 CET 2012


Hi,
Sorry, but maybe I didn't understand everything, but I will try to 
complete/explain our case with an example of configuration.

On 05/12/2012 19:48, Jeroen van Meeuwen (Kolab Systems) wrote:
> On 2012-12-05 18:23, Julien Gribonvald wrote:
>> Thanks for your response,
>>
>> The thing is that we don't use LDAP auth but the CAS auth.
>> Also, we don't permit user auth and access to LDAP, so I don't think
>> that we can use your example if I understood your LDAP configuration.
>>
>
> My example wasn't so much related to the user authentication itself as 
> it was to authorization within LDAP.
>
> I was indeed assuming the user was required to bind to LDAP (as 
> themselves / with their own credentials) - I figured it was a 
> reasonable assumption as otherwise all information contained in the 
> LDAP tree is public / commonly available to all, but perhaps it wasn't 
> ;-)
>
> I'd still like to learn if my description of your functional 
> requirement was indeed somewhat correct / accurate:
We don't bind the user; we use only a generic user account which is 
configured to access some attributes needed for the application.

At login we get from the CAS auth the user uid, which helps to get 
LDAP attributes from this config:

$rcmail_config['ldap_public']['All'] = array(
....
     'user_specific' => true,
     'base_dn'       => 'ou=people,dc=our_domain,dc=fr',
     'bind_dn'       => 'cn=service_user,ou=administrateurs,dc=our_domain,dc=fr',
     'bind_pass'     => 'password',
     'writable'      => false,
     'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
     'required_fields'     => array('cn', 'mail'),
     'LDAP_rdn'      => 'cn',
     'ldap_version'  => '3',
     'search_fields' => array('mail', 'cn'),
     'name_field'    => 'cn',
     'email_field'   => 'mail',
     'surname_field' => 'sn',
     'firstname_field' => 'givenName',
     'sort'          => 'cn',
     'scope'         => 'sub',
     'filter'        => '(|(objectClass=ENTPerson)(mail=*))',
     'fuzzy_search'  => true,
     'sizelimit'     => '3000',
     'timelimit'     => '10000',
);

$rcmail_config['new_user_identity_addressbook']='All';
$rcmail_config['new_user_identity_match'] = 'uid';

My configuration would be to use a special multivalued user attribute in 
a filter to specify an addressbook depending on this value. The 
attribute isn't in an LDAP subcontext, only in the index.

>
> On 2012-12-05 18:13, Jeroen van Meeuwen (Kolab Systems) wrote:
>> Are you saying that you need, for example, a filter of:
>>
>>   (&(objectclass=inetorgperson)(location:$branch_office_1))
>>
>> for somebody that logs in that has an LDAP attribute 'location' set
>> to '$branch_office_1', or something along similar lines?
>>
>
> That said, I reckon Roundcube still logs in to an IMAP server using 
> some sort of set of credentials, correct? Could these credentials not 
> also be used to "log in" (bind) to LDAP?
IMAP also uses CAS auth in our context, and the mailbox is associated with 
the uid given by CAS; I don't think that this service makes a search on 
LDAP. Only Dovecot makes LDAP requests to look for the match between 
the mail address and the user uid.
For the mail we have a special LDAP mail schema:
- branch people => user object {uid, mail}
- branch mail => ou=virtual_domain_name => mail object {mail_alias, 
mail_drop} where virtual_domain_name is the mail domain, mail_alias is 
the user login used for the mail address (part before the @) and 
mail_drop (multivalued) is where to send the mail, i.e. the uid and maybe 
other user mail addresses to forward to.
> Please allow me to state a snippet of (stock, off-the-shelf) Roundcube 
> configuration that we use:
>
> /etc/roundcubemail/main.inc.php:
>>    'user_specific'         => true,
>>    'base_dn'               => 'dc=example,dc=org',
>>    'bind_dn'               => '%dn',
>>    'bind_pass'             => '',
>>    'search_base_dn'        => 'dc=example,dc=org',
>>    'search_bind_dn'        => 'uid=some-service-account,ou=Some OU,dc=example,dc=org',
>>    'search_bind_pw'        => 'somepass',
>>    'search_filter'         => '(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%fu)))',
>>
>
> This would cause Roundcube to perform two bind operations against the 
> global address book (one of possibly multiple address books in 
> $rcmail_config['ldap_public']), before the UI is populated with 
> information (using the 'filter' setting and other standard parameters);
>
> 1) A bind operation in order to allow searching for the entryDN of the 
> user to bind as (using service account credentials, in this case, as 
> anonymous searching is not allowed),
>
> 2) A bind operation with the entryDN that is found for the user.
>
> Neither should interfere with your CAS authentication, but of course 
> the question is whether the user / Roundcube could be made to bind to 
> LDAP.

My question is more like how to get the user attribute needed to compose 
my addressbook filter depending on my config. I think I'm more in the first 
case, but maybe I missed something that would permit getting the user 
attribute values directly and placing them in a filter for the addressbook.

Regards,
Julien
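As an added illustration (not code from Roundcube or from either poster) of the filter Julien wants to compose: the static 'filter' from his config is AND-ed with an OR over the values of a multivalued user attribute, using Jeroen's hypothetical 'location' attribute and constructed sample values. Whatever value comes back from the directory is escaped per RFC 4515 before it is placed in the filter, and a user with no value gets a filter that matches nothing instead of the whole tree.

```python
"""Compose a per-user LDAP address-book filter from a multivalued attribute."""

# Static address-book filter taken from the 'filter' setting in the thread.
BASE_FILTER = "(|(objectClass=ENTPerson)(mail=*))"

# Characters that must be escaped inside an assertion value (RFC 4515, section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched literally, never parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_addressbook_filter(base_filter: str, attr: str, values) -> str:
    """AND the static filter with an OR over the user's attribute values.

    An empty value list yields a filter that matches nothing, so a user
    without the attribute never sees the full directory by accident.
    """
    values = [v for v in values if v]
    if not values:
        return f"(&{base_filter}(!(objectClass=*)))"
    clauses = "".join(f"({attr}={escape_filter_value(v)})" for v in values)
    membership = clauses if len(values) == 1 else f"(|{clauses})"
    return f"(&{base_filter}{membership})"


# Constructed sample: what a lookup of the CAS uid might return (hypothetical attribute name).
SAMPLE_USER = {"uid": "jdoe", "location": ["branch_office_1", "branch_office_2"]}


def filter_for_user(user: dict, attr: str = "location") -> str:
    """Build the address-book filter for one user entry as returned by the directory."""
    return build_addressbook_filter(BASE_FILTER, attr, user.get(attr, []))


if __name__ == "__main__":
    print(filter_for_user(SAMPLE_USER))
    # A value containing filter metacharacters stays a literal match after escaping.
    print(filter_for_user({"uid": "evil", "location": ["x)(uid=*"]}))
```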