This document is intended to help administrators configure various parts of horde to use an LDAP directory. Please fill in any gaps or expand on the content with your own experiences on using horde with LDAP. All example code given here is taken from a working installation in a production environment.
In this document we assume the following; please adjust accordingly for your LDAP directory.
The Horde authentication setup should look something like the following:
These are the minimum LDAP directory permissions needed by Horde to authenticate against LDAP (slapd.conf-style ACLs):
access to dn.children="ou=Users,dc=example,dc=com" attrs=entry,objectClass,uid
    by dn="cn=horde,ou=DSA,dc=example,dc=com" read
    by self read
    by * none

access to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none
Turba ships with an example LDAP address book, so we will use that here as our base. This example assumes that we are providing an address book containing all of the users who have access to this horde installation.
$cfgSources['localldap'] = array(
    'title' => _("Shared Directory"),
    'type' => 'ldap',
    'params' => array(
        'server' => 'localhost',
        'port' => 389,
        'root' => 'ou=Users,dc=example,dc=com',
        // Must be the DN that the slapd ACLs below grant read access to.
        'bind_dn' => 'cn=horde,ou=DSA,dc=example,dc=com',
        'bind_password' => '********',
        'sizelimit' => 200,
        'filter' => '(&(uid=*)(objectClass=posixAccount))',
        'dn' => array('cn'),
        'objectclass' => array('top', 'person', 'organizationalPerson', 'inetOrgPerson'),
        'charset' => 'iso-8859-1',
        'checkrequired' => false,
        'version' => 3
    ),
    // Turba field name => LDAP attribute
    'map' => array(
        '__key' => 'dn',
        'name' => 'displayName',
        'email' => 'mail',
        'workPhone' => 'telephonenumber',
        'cellPhone' => 'mobile',
        'office' => 'roomNumber',
        'employeeType' => 'employeeType',
        'pgpPublicKey' => 'userCertificate',
        'freebusyUrl' => 'calFBURL',
    ),
    'search' => array(
        'name', 'email', 'homePhone', 'workPhone', 'cellPhone', 'homeAddress'
    ),
    'public' => true,
    'readonly' => true,
    'admin' => array(),
    'export' => true
);
The amount of information you can store is by no means limited to what we have configured here. Any number of LDAP attributes can be added to the 'map' array.
In order to use the calFBURL field, we have to include the rfc2739 schema in our LDAP configuration file.
include /etc/openldap/schema/rfc2739.schema
These are the minimum LDAP permissions required for the address book we defined above. If you included extra attributes in the 'map', be sure to add them to the attrs list here as well; otherwise slapd will silently omit them from search results.
access to dn.children="ou=Users,dc=example,dc=com" attrs=entry,objectClass,mail,telephoneNumber,mobile,roomNumber,employeeType,userCertificate,calFBURL,displayName
    by dn="cn=horde,ou=DSA,dc=example,dc=com" read
    by self read
    by * none
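Because a missing attribute in the ACL only shows up as an empty field in Turba, it is worth checking the two stanzas against the source definition before deploying. The following Python script is an added example, not Horde or Turba code: it parses slapd.conf-style 'access to' stanzas (the two from this page, embedded as constructed input) and reports any attribute that the 'map' or the search 'filter' uses but that the bind DN is not granted read on.

```python
import re

# Constructed from the ACL stanzas and the Turba source on this page.
ACLS = """
access to dn.children="ou=Users,dc=example,dc=com" attrs=entry,objectClass,uid
    by dn="cn=horde,ou=DSA,dc=example,dc=com" read
    by self read
    by * none
access to dn.children="ou=Users,dc=example,dc=com" attrs=entry,objectClass,mail,telephoneNumber,mobile,roomNumber,employeeType,userCertificate,calFBURL,displayName
    by dn="cn=horde,ou=DSA,dc=example,dc=com" read
    by self read
    by * none
"""
TURBA_PARAMS = {'bind_dn': 'cn=horde,ou=DSA,dc=example,dc=com',
                'filter': '(&(uid=*)(objectClass=posixAccount))'}
TURBA_MAP = {'__key': 'dn', 'name': 'displayName', 'email': 'mail',
             'workPhone': 'telephonenumber', 'cellPhone': 'mobile',
             'office': 'roomNumber', 'employeeType': 'employeeType',
             'pgpPublicKey': 'userCertificate', 'freebusyUrl': 'calFBURL'}

# One 'access to' stanza runs until the next one (or the end of the text).
STANZA = re.compile(r'access to (.*?)(?=\naccess to |\Z)', re.S)

def readable_attrs(acls, bind_dn):
    """Attributes bind_dn is granted read (or write) on by any stanza.
    Lower-cased because LDAP attribute type names are case-insensitive."""
    granted = set()
    for stanza in STANZA.findall(acls):
        attrs = re.search(r'attrs=(\S+)', stanza)
        if not attrs:
            continue
        for dn, level in re.findall(r'by dn="([^"]+)"\s+(\w+)', stanza):
            if dn.lower() == bind_dn.lower() and level in ('read', 'write'):
                granted.update(a.lower() for a in attrs.group(1).split(','))
    return granted

def required_attrs(params, turba_map):
    """Every mapped attribute (except the dn pseudo-attribute) plus every
    attribute the search filter tests, which slapd must be able to read."""
    needed = {v.lower() for k, v in turba_map.items() if k != '__key'}
    needed.update(a.lower() for a in
                  re.findall(r'\(([\w;-]+)[=~<>]', params['filter']))
    return needed

def missing_attrs(acls, params, turba_map):
    """Sorted list of attributes Turba needs but the ACLs do not grant."""
    return sorted(required_attrs(params, turba_map)
                  - readable_attrs(acls, params['bind_dn']))
```

For the configuration on this page, missing_attrs(ACLS, TURBA_PARAMS, TURBA_MAP) returns an empty list; adding 'homePhone' to the map without extending the ACL makes it report ['homephone'], and pointing bind_dn at a DN the ACLs do not name reports every attribute.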