VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Wed Nov 11, 2009 3:09 pm Post subject: LDAP: Any item can contain any other items, right?
Hi.
I'd just like some clarification about LDAP -- I need to know if I got it right. I've implemented OpenLDAP for both authentication and for use as an address book. Currently, the address book only consists of the members, who need to authenticate. I'd like to extend it to a public (and writable) address book, i.e. person items that are not users. And I'd like the directory to hold private address books as well. The final purpose is for every user to fill in her own address book from roundcube (for which I have found some guides) and thunderbird (which I hope can write back to the address book).
I've read this post, which explains how to configure ldap.conf, and I've seen the trick is to just allow everyone to write in her own address book container:
Code:
    access to dn="ou=(.+),ou=personal_addressbook,dc=net,dc=home"
        by dn="uid=$1,ou=People,dc=net,dc=home" write
        by * none
This will basically allow any user to own a private address book. Hence my question: any LDAP entry can contain a sub-tree, right? Since my users are defined as dn: uid=xxxx,ou=yyy,....,dc=company,dc=tld nothing prevents these entries from holding a tree; that's what LDAP is all about, I presume?
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge... 1739!
nativemad (Retired Dev)
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Fri Nov 13, 2009 9:17 am Post subject:
Hi Vinz,
yes, you can do that! (I even abuse posix-groups as some kind of OUs... )
But if you want to have the whole user's subtree writeable by the user itself, then I would go with an ACL (in slapd.conf) like that:
Code:
    access to dn.regex="(.+,)?uid=([^,]+),ou=([^,]+),dc=company,dc=tld$"
        by dn.expand="uid=$2,ou=$3,dc=company,dc=tld" write
        by * break
Hope that helps...
Cheers
_________________
Power to the people!
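The rule nativemad posts above works through two mechanisms: the dn.regex pattern captures the uid and ou of the entry that owns the subtree being touched, and dn.expand rebuilds the owner's DN from those captures and compares it with the bind DN. The following Python model is an added example (not code from this thread or from OpenLDAP) that reproduces that evaluation for a target DN and a bind DN. It assumes the slapd.access(5) semantics that the regex is matched against the normalized target DN and that $N in the expand template is replaced by the N-th capture group; the function names evaluate, normalize_dn and expand are hypothetical, and the DNs used are constructed for the demonstration.

```python
import re

# Added illustration, not OpenLDAP code: a small model of how slapd evaluates
#   access to dn.regex=<what> by dn.expand=<template> <level> by * <fallback>
# Assumption: the <what> regex is matched against the normalized target DN and
# $N in the dn.expand template is replaced by the N-th capture of that regex.

# nativemad's rule from the thread: every user may write to her own entry
# and to anything beneath it. "[^,]+" limits each capture to a single RDN
# value and "$" pins the pattern to the directory suffix.
WHAT_REGEX = r"(.+,)?uid=([^,]+),ou=([^,]+),dc=company,dc=tld$"
BY_EXPAND = "uid=$2,ou=$3,dc=company,dc=tld"


def normalize_dn(dn):
    """Approximate slapd's DN normalization: trim whitespace around RDN
    separators and fold case. Real normalization is matching-rule aware and
    understands escaped commas; this simplification is enough for the demo."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def expand(template, match):
    """Replace $1..$9 in a dn.expand template with the regex captures.
    An optional group that did not participate expands to the empty string."""
    def repl(m):
        value = match.group(int(m.group(1)))
        return value if value is not None else ""
    return re.sub(r"\$([1-9])", repl, template)


def evaluate(target_dn, bind_dn, what_regex=WHAT_REGEX, by_expand=BY_EXPAND,
             level="write", fallback="break"):
    """Evaluate one access directive for a (target, binder) pair.

    Returns None when the <what> regex does not select the target (slapd
    skips the directive), `level` when the expanded owner DN equals the
    bind DN, and `fallback` otherwise ("break" means slapd continues with
    the next access directive; "none" denies outright)."""
    match = re.search(what_regex, normalize_dn(target_dn))
    if match is None:
        return None
    owner_dn = normalize_dn(expand(by_expand, match))
    if owner_dn == normalize_dn(bind_dn):
        return level
    return fallback


if __name__ == "__main__":
    # Constructed sample DNs for the demonstration
    alice = "uid=alice,ou=People,dc=company,dc=tld"
    contact = "cn=Bob Smith,ou=addressbook," + alice
    mallory = "uid=mallory,ou=People,dc=company,dc=tld"
    print(evaluate(alice, alice))      # alice writing her own entry
    print(evaluate(contact, alice))    # alice writing an entry below her own
    print(evaluate(contact, mallory))  # another user: falls through (break)
    print(evaluate("uid=alice,ou=People,dc=other,dc=tld", alice))  # not selected
```

The same function also evaluates VinzC's first rule if the pattern, template and fallback ("none") are passed in, which makes it easy to compare what each rule captures. On a real server the authoritative check is slapacl(8), which answers the same "may this bind DN do X to this entry" question against the loaded configuration rather than a model of it.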
VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Fri Nov 13, 2009 3:30 pm Post subject:
Thanks for the tip, nativemad. I could figure out the dn.regex thing -- as I got errors when slapd started -- but not dn.expand. I'll fix the ACL clauses. Too bad that Thunderbird has no LDAP write support...
I'm currently considering roundcube for accessing personal address books so it's less harmful for now, but I wonder if I'll keep using Thunderbird at all. If you have some experience to share BTW, please go.
Thanks again.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge... 1739!
M (Guru)
Joined: 12 Dec 2006 Posts: 432
Posted: Fri Nov 13, 2009 6:48 pm Post subject:
Quote:
    Too bad that Thunderbird has no LDAP write support...
If you compile thunderbird you could try to
Code:
    #define MOZ_EXPERIMENTAL_WRITEABLE_LDAP true
in file "nsAbLDAPDirectory.cpp".
Make a patch, whatever; I needed this for XP clients, but I didn't want to even try to compile it on Windows. I hope in 3.0 final this will no longer be experimental.
VinzC (Watchman)
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Sat Nov 14, 2009 2:35 pm Post subject:
Thanks M. Will try that. Claws-mail seems to have LDAP write support. I'll also try it on both Gentoo and Windows to see how it works.
EDIT: Back on the topic, I came across this guide, which is exactly what I was looking for.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge... 1739!