6.0.0-git
2021-09-18
Last Modified 2005-04-25 by ben

LDAP HowTo


This document is intended to help administrators configure various parts of horde to use an LDAP directory. Please fill in any gaps or expand on the content with your own experiences on using horde with LDAP. All example code given here is taken from a working installation in a production environment.


Document Standards

In this document, we assume the following, please adjust accordingly for your LDAP directory

  • User information is stored in ou=Users,dc=example,dc=com.
    • cn=horde,ou=DSA,dc=example,dc=com is used by horde to bind to the LDAP directory.
    • The LDAP directory is secured, with no anonymous binding.

Authenticating with LDAP

Horde Setup

The Horde authentication setup should look something like the following:

auth_horde_setup.png

  • The hostname of the LDAP server - This is the address of your LDAP server. If it is running on the same machine as horde, then localhost is fine here. Otherwise enter the hostname or IP address of the server.
    • The base DN for the LDAP server - This is the subtree that horde will search through to find user information.
    • The DN used to bind to the LDAP server - Because our LDAP directory does not allow anonymous binding, we must provide the binding account here. If your LDAP directory allows anonymous binding, this can be left blank.
    • The password used to bind to the LDAP server - The password associated with the binding account. Leave this blank if binding anonymously.
    • LDAP Protocol Version - This should almost always be LDAPv3.
    • The username search key - This is the field that stores the username.
    • How to specify a filter for the user lists - Unless you have to use some fancy filters to find users, One or more objectclass filters should work fine here.
    • The objectclass filter used to search for users. Can be a single objectclass or a list - This is simply a list of objectClass values that represent valid users. We are piggybacking on an existing LDAP directory used to authenticate users on a POSIX system, so we know that a posixAccount object is a valid user account.

Directory Permissions

These are the minimum LDAP directory permissions needed by horde to authenticate against LDAP


access to dn.children="ou=Users,dc=example,dc=com"

        attrs=entry,objectClass,uid

        by dn="cn=horde,ou=DSA,dc=example,dc=com" read

        by self read

        by * none

access to dn.children="ou=Users,dc=example,dc=com"

        attrs=userPassword

        by self write

        by anonymous auth

        by * none


Storing Preferences with LDAP

Horde Setup

Directory Permissions


LDAP Based Address Book

Turba Setup

Turba ships with an example LDAP address book, so we will use that here as our base. This example assumes that we are providing an address book containing all of the users who have access to this horde installation.


$cfgSourses['localldap'] = array(

    'title' => _("Shared Directory"),

    'type' => 'ldap',

    'params' => array(

        'server' => 'localhost',

        'port' => 389,

        'root' => 'ou=Users,dc=example,dc=com',

        'bind_dn' => 'cn=horde,ou=Users,dc=example,dc=com',

        'bind_password' => '********',

        'sizelimit' => 200,

        'filter' => '(&(uid=*)(objectClass=posixAccount))',

        'dn' => array('cn'),

        'objectclass' => array('top',

                               'person',

                               'organizationalPerson',

                               'inetOrgPerson'),

        'charset' => 'iso-8859-1',

        'checkrequired' => false,

        'version' => 3

    ),

    'map' => array(

        '__key' => 'dn',

        'name' => 'displayName',

        'email' => 'mail',

        'workPhone' => 'telephonenumber',

        'cellPhone' => 'mobile',

        'office' => 'roomNumber',

        'employeeType' => 'employeeType',

        'pgpPublicKey' => 'userCertificate',

        'freebusyUrl' => 'calFBURL',

    ),

    'search' => array(

        'name',

        'email',

        'homePhone',

        'workPhone',

        'cellPhone',

        'homeAddress'

    ),

    'public' => true,

    'readonly' => true,

    'admin' => array(),

    'export' => true

);

The amount of information you can store is not by any means limited by what we have configured here. Any number of LDAP fields can be added to the 'map' array.

Directory Configuration

In order to use the calFBURL field, we have to include the rfc2739 schema in our LDAP configuration file.

  • Copy horde/turba/scripts/ldap/rfc2739.schema to your server's schema directory. This is commonly /etc/openldap/schema/.
    • Add the following to your LDAP configuration file (/etc/openldap/slapd.conf)


include /etc/openldap/schema/rfc2739.schema

Directory Permissions

These are the minimum LDAP permissions required for the address book we defined above. If you included extra fields, be sure to add them here.


access to dn.children="ou=Users,dc=example,dc=com"

        attrs=entry,objectClass,mail,telephoneNumber,mobile,roomNumber,employeeType,userCertificate,calFBURL,displayName

        by dn="cn=horde,ou=DSA,dc=example,dc=com" read

        by self read

        by * none