Setup OpenLDAP-based Personal Addressbook in Turba for Horde

Introduction

This document describes how to design directory trees in OpenLDAP and how to configure a Linux server so that messaging applications can use it as a directory service.

In particular, this document describes how OpenLDAP-based personal addressbooks can be set up in Turba for use by IMP on a Linux mail server. After reading it, you can also set up a public addressbook in an OpenLDAP directory, and the same directory service can be shared by other mail programs, such as Outlook, Netscape Messenger and KMail.

1. Introduction

This document will be most useful if you have a sound understanding of the TCP/IP protocols involved, such as LDAP, SMTP, IMAP, POP3, SSL/TLS, DNS and HTTP, and are intimately familiar with their implementations, such as OpenLDAP, sendmail, Postfix, uw-imap, OpenSSL, BIND and Apache. It also helps to know the open-source software involved well, including Linux, MySQL, PHP, Horde, IMP and Turba. After all, you have to put all of these pieces together to make what is described here work.

This document is based on the author's work on an old Dell PC with a Pentium 550. The software installed on the server, with versions, is listed below.

     Mandrake Linux 10.0  
     Apache 2.0.48-6 
     Apache2-mod_php 2.0.48_4.3.4-1 
     BIND 9.2.3-6 
     Horde 2.2.5 
     IMP 3.2.4 
     MySQL 4.0.18 
     OpenLDAP 2.1.25-6 
     OpenSSL 0.9.7c-3 
     Postfix 2.1.0 
     Turba 1.2.2 
     UW-IMAP 2002d-8 

2. Example deployment scenario

An email hosting company offers its clients storage for their personal addressbooks in the company's OpenLDAP directory. The company has already created a directory tree, called the “base”, for its hosting clients under “ou=Hosting, ou=Accounts, dc=redant, dc=ca”. Since each user has a unique UID on the system, we choose UID as the RDN attribute. The DN for each user therefore looks like this: “uid=pni, ou=Hosting, ou=Accounts, dc=redant, dc=ca”.

A personal addressbook belongs to one particular user. So we use both “cn” and “uid” as the RDN underneath the base “ou=personal_addressbook, dc=redant, dc=ca”, which makes each entry unique at that level of the tree. To see why this is needed: one user might have a friend called “John Smith” while another user has a vendor contact also called “John Smith”. Here “cn” and “uid” together play the role of a composite primary key in a relational database table.

A typical entry in the personal addressbook of Patrick Ni looks like this: “cn=Johnson Zhao, ou=pni, ou=personal_addressbook, dc=redant, dc=ca”.

3. OpenLDAP directory design

We need two directory trees, one for hosting accounts, the other for their personal addressbooks.

3.1 Directory tree for hosting accounts

          base: ou=Hosting, ou=Accounts, dc=redant, dc=ca 
          dn: uid=pni, ou=Hosting, ou=Accounts, dc=redant, dc=ca 
          objectClass: person 
          objectClass: organizationalPerson 
          objectClass: inetOrgPerson 
          uid: pni 
          displayName: Ni Patrick 
          cn: Patrick Ni 
          givenName: Patrick  
          givenName: Tian Hua  
          sn: Ni  
          title: Network Consultant 
          ou: Information Systems 
          o: RedAnt Networks Co.  
          postalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo= 
          telephoneNumber: +1 604 274 1100  
          mobile: +1 604 603 1707  
          mail: pni@redant.ca  
          homePostalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo= 
          homePhone: +1 604 274 1100  
          jpegPhoto:< file:///home/pni/photos/pni.jpg
          userPassword:: e1NTSEF9dGFLMHh5Mk5rRG1MQTEwYlNCeHg2dXJ5a2kraGIwbys=
          description: CISSP, CCNA, CCDA, HP-UX, MCP 

Note: The userPassword attribute is what the directory checks when a client binds as this DN. Turba takes your IMP login credentials, derives the UID portion of the bind DN from the login name, and binds with the IMP password, which slapd compares against userPassword (see the bind_dn and bind_password settings in section 5.1). So you have to provide a web-based interface that lets each user change their userPassword attribute to match their IMP login password.

3.2 Directory tree for personal addressbooks

          base: ou=personal_addressbook, dc=redant, dc=ca 
          dn: cn=Johnson Zhao, ou=pni, ou=personal_addressbook, dc=redant, dc=ca 
          objectClass: person 
          objectClass: organizationalPerson 
          objectClass: inetOrgPerson 
          cn: Johnson Zhao 
          givenName: Johnson  
          sn: Zhao  
          title: Vice President 
          ou: Sales 
          o: Prima Electronics Ltd.  
          postalAddress:: SDE2MC0yMjEyMiAyMHRoIEF2ZSBTRQpCb3RoZWxsIFdBIDk4MDM2Cg== 
          telephoneNumber: +1 866 447 7462   
          mobile: +1 206 335 1965 
          mail: johnson@primaamerica.com 
          mail: zhaoxin@zhaotangjun.com 
          homePostalAddress:: MTgwLTEzMjAwIERlbGYgUGwKUmljaG1vbmQgQkMgIFYyViAyQTIK 
          homePhone: +1 425 349 1709  
          description: Love to drive Pathfinder 

4. OpenLDAP Configuration

You only need to make a few modifications to the OpenLDAP configuration files to make an OpenLDAP-based Turba addressbook work. The other default settings can be left intact.

4.1 /etc/openldap/slapd.conf

    suffix     "dc=redant,dc=ca" 
    rootdn     "cn=Manager,dc=redant,dc=ca" 
    rootpw     {MD5}8lovxyaQt4CyoU4UDvap4A==   

Note: The rootdn password here is “iloveyou”, stored as an {MD5} hash. {MD5} is an unsalted hash; the {SSHA} scheme that slappasswd produces by default (see section 6.1) is the better choice for rootpw as well.

4.2 /etc/openldap/slapd.access.conf

    access to * by * write 

Note: This rule gives everyone, including anonymous clients, write access to the entire directory; it is only there to get things working. You definitely have to write better ACLs once everything works.
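As an added example (not part of the original document), here is a tighter ACL set for slapd.access.conf that fits the two trees designed in section 3; it assumes the OpenLDAP 2.1 regex-based ACL syntax and the DNs used in sections 3.1, 3.2 and 5.1, and the patterns are written in lower case because slapd matches them against the normalized DN.

```conf
# Added example: replacement for "access to * by * write" in
# /etc/openldap/slapd.access.conf. Rules are tried in order and the first
# matching "access to" clause wins, so the narrowest rules come first.

# 1. Passwords: a user may change their own userPassword (this is what lets
#    the web interface from section 3.1 keep it in sync with IMP); anonymous
#    clients may only use it to bind (auth); nobody may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Personal addressbooks: "ou=<uid>,ou=personal_addressbook,..." and
#    everything beneath it is writable only by the hosting account
#    "uid=<uid>,ou=Hosting,ou=Accounts,...", the DN Turba binds as.
#    $2 is the <uid> captured by the "to" regex. The "by" pattern is left
#    unanchored at the end because "$" there would be read as an expansion;
#    no DN under the suffix can have anything after dc=ca anyway.
access to dn.regex="^(.+,)?ou=([^,]+),ou=personal_addressbook,dc=redant,dc=ca$"
        by dn.regex="^uid=$2,ou=hosting,ou=accounts,dc=redant,dc=ca" write
        by * none

# 3. Hosting accounts: authenticated users may read each other's entries
#    (this is what a shared public addressbook would search); anonymous
#    clients get nothing. userPassword was already handled by rule 1.
access to dn.subtree="ou=hosting,ou=accounts,dc=redant,dc=ca"
        by users read
        by * none

# 4. Everything else (the suffix entry and the two ou= containers):
#    readable by authenticated users so that searches can reach the bases,
#    and nothing more.
access to *
        by users read
        by * none
```

With these rules a user bound as uid=pni can still read and write only ou=pni,ou=personal_addressbook and its children, which is exactly what the Turba source in section 5.1 needs; the rootdn is not subject to ACLs and can still load entries with ldapadd.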

4.3 /etc/ldap.conf

    BASE    dc=redant, dc=ca
    HOST    ldap.redant.ca
    URI     ldap://ldap.redant.ca

5. Turba Configuration

You need to modify two files: sources.php and attributes.php.

5.1 /var/www/html/horde/turba/config/sources.php

$uid = Auth::getAuth();

// Horde may authenticate users as "user@domain"; the directory only
// knows the local part, which is the uid used in the hosting tree (3.1).
if (preg_match('/(^.*)@/', $uid, $matches)) {
    $uid = $matches[1];
}
$basedn = 'dc=redant,dc=ca';

$cfgSources['personal_ldap'] = array(
    'title' => 'My OpenLDAP Addressbook',
    'type' => 'ldap',
    'params' => array(
        'server' => 'localhost',
        // Search base: this user's own subtree of the addressbook tree (3.2).
        'root' => 'ou=' . $uid . ',ou=personal_addressbook,' . $basedn,
        // Bind as the user's hosting account (3.1) with the IMP password,
        // which slapd compares against that entry's userPassword.
        'bind_dn' => 'uid=' . $uid . ',ou=Hosting,ou=Accounts,' . $basedn,
        'bind_password' => Auth::getCredential('password'),
        'dn' => array('cn', 'uid'),
        'objectclass' => array('person',
                               'organizationalPerson',
                               'inetOrgPerson'),
        'encoding' => 'utf8',
        'version' => 3
    ),
    // Turba field => LDAP attribute type; attribute types are all lower case.
    'map' => array(
        '__key' => 'dn',
        'name' => 'cn',
        'firstName' => 'givenname',
        'lastName' => 'sn',
        'title' => 'title',
        'department' => 'ou',
        'company' => 'o',
        'companyAddress' => 'postaladdress',
        'officePhone' => 'telephonenumber',
        'cellPhone' => 'mobile',
        'email' => 'mail',
        'homeAddress' => 'homepostaladdress',
        'homePhone' => 'homephone',
        'notes' => 'description'
    ),
    // Turba fields that can be searched on.
    'search' => array(
        'name',
        'firstName',
        'lastName',
        'title',
        'department',
        'company',
        'companyAddress',
        'officePhone',
        'cellPhone',
        'email',
        'homeAddress',
        'homePhone',
        'notes'
    ),
    'strict' => array(
        'dn'
    ),
    'public' => true,
    'readonly' => false,
    'admin' => array($uid),
    'export' => true
);

Note: You have to lowercase all OpenLDAP attribute types in the map to avoid strange problems.

5.2 /var/www/html/horde/turba/attributes.php

This file is quite self-explanatory. Add or modify attributes to match those used in sources.php.

6. Some screenshots

6.1 Add a hosting account entry to the directory


Once you have created the LDIF file, you can use the following command to add the entry to the directory.

   ldapadd -x -D "cn=manager,dc=redant,dc=ca" -W -f pni.ldif 

Note:

* Before adding this entry, you should add its parent entry, which is “ou=Hosting, ou=Accounts, dc=redant, dc=ca”.

* The userPassword attribute value can be generated with the slappasswd command. To change it, first delete the attribute, then generate a new value and add it back with an LDIF file like the following:

             version: 1 
             dn: uid=pni,ou=Hosting,ou=Accounts,dc=redant,dc=ca 
             changetype: modify 
             add: userPassword 
             userPassword: {SSHA}Q/Z/GnRLfEi1gK2Z90uws0RV65qSmnC/ 

* The jpegPhoto attribute can be added separately later and is not used in this document. It could be used by another application or by your own script for managing hosting clients. Turba does not support it, so it is not included in the personal addressbook design.

6.2 Add a personal addressbook entry for a hosting user Patrick Ni (uid=pni)

[Screenshot 1 of 2: adding a personal addressbook entry]

[Screenshot 2 of 2: adding a personal addressbook entry]

Note: Before adding this entry, you should add its parent entry, which is “ou=pni, ou=personal_addressbook, dc=redant, dc=ca”.

Note: Although OpenLDAP supports multi-valued attributes, such as “mail”, Turba does not.

7. Security considerations

The backend addressbook operations performed by Turba are over plain LDAP, not LDAPS. Authentication to the directory is simple authentication, so the user's IMP password is sent in the clear on every bind. No SASL mechanism is provisioned. All of this is hard coded in this version of Turba. Because the source in section 5.1 points at 'localhost', the traffic at least stays on the loopback interface as long as slapd and the web server run on the same machine; if slapd is moved to another host, the passwords cross the network unprotected. We expect future releases of Horde and Turba to address these concerns.

Based on a document written by

Patrick Ni, Network Consultant

314-10851 Mortfield Rd

Richmond BC V7A 2W1

Email: pni@redant.ca
