Re: some thoughts about RDN
On Wed, Jun 10, 2009 at 12:31:56PM +0200, Paweł Madej wrote:
> To not spam too much this list I've pasted roundcube webmail LDAP part here
> http://pastebin.com/m6ba78ab4
It looks to me as if the per-user private addressbook facility
requires a specific DIT structure with the username in the DN. This is
very restrictive, so I suggest asking the developers to change it.
A more general solution requires something like this:
A 'system' DN and password to bind to the directory before we have
verified the user. In some cases this search can be anonymous, but in
others anon would be blocked by access-control policy.
A base DN from which to start a subtree search to find the user entry.
A configurable search spec to find user entries. In your case, this
might say something like:
(&(objectclass=account)(mail=%fu))
[Note the use of objectclass to prevent it from finding addressbook
entries: we only want the main account entry at this stage]
Having found the user entry, the application should re-bind as the
user for access to addressbooks etc.
For per-user addressbooks, you then want to prepend an optional RDN
component to the user DN (e.g. cn=addressbook) and build the addressbook
entries below that. I would suggest using a meaningless random number
as the RDN of each entry.
Note that the use of search means that the DIT structure is not
constrained by the application.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
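The search-then-rebind login flow and the per-user addressbook DN layout described in Andrew's reply, as an added Python example that is not part of the original thread. The `ScriptedConnection` class, its `bind`/`search` interface, the system DN and all account data are constructed stand-ins for a real LDAP client and directory; the filter template and the `cn=addressbook` container RDN are the ones from the mail.

```python
import secrets

# RFC 4515: escape a value before substituting it into a search filter.
# Unescaped, a login such as "*)(mail=*" would rewrite the filter itself.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def build_user_filter(template: str, login: str) -> str:
    """Expand the %fu placeholder of the configured search spec."""
    return template.replace("%fu", escape_filter_value(login))

def addressbook_entry_dn(user_dn: str, container_rdn: str = "cn=addressbook") -> str:
    """Per-user addressbook: optional container RDN prepended to the user DN,
    with a meaningless random RDN for each entry below it."""
    return f"cn={secrets.token_hex(8)},{container_rdn},{user_dn}"

def login_and_rebind(conn, system_dn, system_pw, base_dn, template, login, password):
    """Search-then-bind. `conn` is any object (assumed interface) with
    bind(dn, pw) -> bool and search(base, ldap_filter) -> list of DNs."""
    if not conn.bind(system_dn, system_pw):
        raise RuntimeError("system bind failed")
    hits = conn.search(base_dn, build_user_filter(template, login))
    if len(hits) != 1:          # no match, or ambiguous: refuse the login
        return None
    user_dn = hits[0]
    # Re-bind as the user so later addressbook access runs under their ACLs.
    return user_dn if conn.bind(user_dn, password) else None

class ScriptedConnection:
    """Constructed stand-in for a real LDAP connection (no server needed).
    `accounts` maps mail -> (dn, password); search only understands the
    exact filter shape the template above produces."""
    def __init__(self, accounts, system=("cn=roundcube,ou=system,dc=example,dc=com", "s3cret")):
        self.accounts, self.system = accounts, system
    def bind(self, dn, pw):
        if (dn, pw) == self.system:
            return True
        return any(d == dn and p == pw for d, p in self.accounts.values())
    def search(self, base, ldap_filter):
        prefix, suffix = "(&(objectclass=account)(mail=", "))"
        if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(suffix)):
            return []
        wanted = ldap_filter[len(prefix):-len(suffix)]
        return [dn for mail, (dn, _) in self.accounts.items()
                if escape_filter_value(mail) == wanted and dn.endswith(base)]
```

Because the user entry is located by search rather than by composing a DN from the login name, the DIT layout stays free, and the escaping keeps a crafted login from widening the search.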