====== Setup OpenLDAP-based Personal Addressbook in Turba for Horde ======

===== Introducción =====

Este documento describe cómo diseñar árboles de directorios en OpenLDAP y cómo configurar un servidor Linux para ser usado por aplicaciones de mensajería como un servicio de directorio.

This document particularly describes how OpenLDAP-based personal addressbooks can be setup
in Turba to be used by IMP on a Linux mail server. After reading this document, one can also
setup a public addressbook in an OpenLDAP directory and these same directory services can be 
shared by other mail programs, like Outlook, Netscape Messenger and KMail.   

1. Introduction 

This document would be most useful if you have a sound understanding of some TCP/IP protocols, 
like LDAP, SMTP, IMAP, POP3, SSL/TLS, DNS and HTTP, and intimate familiarity with their 
implementations, like OpenLDAP, sendmail, Postfix, uw-imap, OpenSSL, BIND and Apache. It is 
also helpful if you know well about some open-source software, including Linux, MySQL, PHP, 
Horde, IMP and Turba. After all, you have to put all things together to make what is described
in this document work. 

This document is based on the author's work on an old Pentium 550 Dell PC. What follows is the
list of software and their versions installed on the server.  

       Mandrake Linux 10.0  
       Apache 2.0.48-6 
       Apache2-mod_php 2.0.48_4.3.4-1 
       BIND 9.2.3-6 
       Horde 2.2.5 
       IMP 3.2.4 
       MySQL 4.0.18 
       OpenLDAP 2.1.25-6 
       OpenSSL 0.9.7c-3 
       Postfix 2.1.0 
       Turba 1.2.2 
       UW-IMAP 2002d-8 

2. Example deployment scenario 

A email hosting company is offering its clients to store their personal addressbooks in the
company's OpenLDAP directory. The company has already created a directory tree, called "base", 
for its hosting clients under "ou=Hosting, ou=Accounts, dc=redant, dc=ca". Since each user has
a unique UID on the system, we choose UID as the RDN attribute. The DN for each user now looks
like this: "uid=pni, ou=Hosting,ou=Account, dc=redant, dc=ca".

A personal addressbook is going to be associated with a particular user. So we choose "cn"
and "uid" as the RDN underneath the base "ou=personal_addressbook, dc=redant, dc=ca", to make
the entry unique at this particular directory tree level. This concept can be easily understood
by realizing the fact that one user might have a friend called "John Smith", another user might
have a vendor contact also called "John Smith". Here, "cn" and "uid" is similar to the 
composite primary key in a relational database table. 

A typical entry of a personal addressbook for Patrick Ni looks like this: "cn=Johnson Zhao, 
ou=pni, ou=personal_addressbook, dc=redant, dc=ca". 

3. OpenLDAP directory design 

We need two directory trees, one for hosting accounts, the other for their personal
addressbooks. 

3.1 Directory tree for hosting accounts 

            base: ou=Hosting, ou=Accounts, dc=redant, dc=ca 
            dn: uid=pni, ou=Hosting, ou=Accounts, dc=redant, dc=ca 
            objectClass: person 
            objectClass: organizationalPerson 
            objectClass: inetOrgPerson 
            uid: pni 
            displayName: Ni Patrick 
            cn: Patrick Ni 
            givenName: Patrick  
            givenName: Tian Hua  
            sn: Ni  
            title: Network Consultant 
            ou: Information Systems 
            o: RedAnt Networks Co.  
            postalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo= 
            telephoneNumber: +1 604 274 1100  
            mobile: +1 604 603 1707  
            mail: pni@redant.ca  
            homePostalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo= 
            homePhone: +1 604 274 1100  
            jpegPhoto: <file:///home/pni/photos/pni.jpg
            userPassword:: e1NTSEF9dGFLMHh5Mk5rRG1MQTEwYlNCeHg2dXJ5a2kraGIwbys=
            description: CISSP, CCNA, CCDA, HP-UX, MCP 

Note: The userPassword attribute is used to bind the identity (DN) to the directory. Turba first
obtains your IMP login credentials and compare them to the UID portion of the DN,  and the 
userPassword entry. So you have to have a web-based interface program to allow each user to 
modify their userPassword attribute to match the password for IMP login.  

3.2 Directory tree for personal addressbooks 

            base: ou=personal_addressbook, dc=redant, dc=ca 
            dn: cn=Johnson Zhao, ou=pni, ou=personal_addressbook, dc=redant, dc=ca 
            objectClass: person 
            objectClass: organizationalPerson 
            objectClass: inetOrgPerson 
            cn: Johnson Zhao 
            givenName: Johnson  
            sn: Zhao  
            title: Vice President 
            ou: Sales 
            o: Prima Electronics Ltd.  
            postalAddress:: SDE2MC0yMjEyMiAyMHRoIEF2ZSBTRQpCb3RoZWxsIFdBIDk4MDM2Cg== 
            telephoneNumber: +1 866 447 7462   
            mobile: +1 206 335 1965 
            mail: johnson@primaamerica.com 
            mail: zhaoxin@zhaotangjun.com 
            homePostalAddress:: MTgwLTEzMjAwIERlbGYgUGwKUmljaG1vbmQgQkMgIFYyViAyQTIK 
            homePhone: +1 425 349 1709  
            description: Love to drive Pathfinder 

4. OpenLdap Configuration 

You just need to make a few modifications to the OpenLDAP files to make a OpenLDAP-based Turba
addressbook work. You can leave other default configurations intact.  

4.1 /etc/openldap/slapd.conf 

      suffix     "dc=redant,dc=ca" 
      rootdn     "cn=Manager,dc=redant,dc=ca" 
      rootpw     {MD5}8lovxyaQt4CyoU4UDvap4A==   

Note: Set rootdn password as "iloveyou" using {MD5} hash     

4.2 /etc/openldap/slapd.access.conf 

      access to * by * write 

Note: You definitely have to write a better ACLs after everything works. 

4.3 /etc/ldap.conf 

BASE    dc=redant, dc=ca 
HOST    ldap.redant.ca 
URI     ldap://ldap.redant.ca 

5. Turba Configuration 

You need to modify two files: sources.php and attributes.php 
 
5.1  /var/www/html/horde/turba/config/sources.php 
 
  $uid = Auth::getAuth(); 
  if (preg_match('/(^.*)@/', $uid, $matches)) { 
    $uid = $matches[1]; 
  } 
  $basedn = 'dc=redant,dc=ca'; 
  $cfgSources['personal_ldap'] = array(
    'title' => 'My OpenLDAP Addressbook', 
    'type' => 'ldap', 
    'params' => array( 
        'server' => 'localhost', 
        'root' => 'ou=' . $uid . ',ou=personal_addressbook,' . $basedn, 
        'bind_dn' => 'uid=' . $uid . ',ou=Hosting,' . 'ou=Accounts,' . $basedn, 
        'bind_password' => Auth::getCredential('password'), 
        'dn' => array('cn','uid'), 
        'objectclass' => array('person', 
                               'organizationalPerson', 
                               'inetOrgPerson'), 
        'encoding' => 'utf8', 
        'version' => 3 
    ), 
    'map' => array( 
        '__key' => 'dn', 
        'name' => 'cn', 
        'firstName' => 'givenname', 
        'lastName' => 'sn', 
        'title' => 'title', 
        'department' => 'ou', 
        'company' => 'o', 
        'companyAddress' => 'postaladdress', 
        'officePhone' => 'telephonenumber', 
        'cellPhone' => 'mobile', 
        'email' => 'mail', 
        'homeAddress' => 'homepostaladdress', 
        'homePhone' => 'homephone', 
        'notes' => 'description' 
    ), 
  'search' => array( 
        'name', 
        'firstName', 
        'lastName', 
        'title', 
        'department', 
        'company', 
        'companyAddress', 
        'officePhone', 
        'cellPhone', 
        'email', 
        'homeAddress', 
        'homePhone', 
        'notes' 
    ), 
    'strict' => array( 
        'dn' 
    ), 
    'public' => true, 
    'readonly' => false, 
    'admin' => array($uid), 
    'export' => true 
  ); 

Note: You have to lowcase all OpenLDAP attribute types to avoid strange problems.

5.2 /var/www/html/horde/turba/attributes.php 

This file is quite self-explanatory. Add or Modify parameters according to the sources.php file.    

6. Some screenshots 

6.1 Add a hosting account entry to the directory 

Add a hosting account entry to the directory

Once you have created the LDIF file, you can use the following command to add the entry to the
directory. 

     ldapadd -x -D "cn=manager,dc=redant,dc=ca" -W -f pni.ldif 

Note: 

*Before adding this entry, you should add its parent entry, which is "ou=Hosting, ou=Accounts,
 ou=redant, ou=ca". 

*The userPassword attribute value can be generated using the slappasswd command. To change it, 
 first delete the attribute, then generate a new one and add it back using LDIF file.  

               version: 1 
               dn: uid=pni,ou=Hosting,ou=Accounts,dc=redant,dc=ca 
               changetype: modify 
               add: userPassword 
               userPassword: {SSHA}Q/Z/GnRLfEi1gK2Z90uws0RV65qSmnC/ 

*The jpegPhoto attribute can be added seperately later, and is not used in this document. It can 
 be probably used by another application or your customized script to manager hosting clients. It
 is not supported by Turba, so it is not included in the personal addressbook design. 

6.2 Add a personal addressbook entry for a hosting user Patrick Ni (uid=pni)

Add a personal addressbook entry image 1/2

Add a personal addressbook entry image 2/2     

Note: Before adding this entry, you should add its parent entry, which is "ou=pni, 
ou=personal_addressbook, dc=redant, dc=ca".  

Note: Although OpenLDAP supports multiplevalued attributes, like "mail", Turba does not. 

7. Security considerations 

The backend addressbook operations performed by Turba are over LDAP, not LDAPS. Authentication
to the directory is simple authentication. No SASL mechanism is provisioned. These are all hard
coded. We expect future releases of Horde and Turba can get these concerns addressed.  

===== Basado en un documento escrito por =====
 
Patrick Ni, Network Consultant

314-10851 Mortfield Rd 

Richmond BC  V7A 2W1 

Email: pni@redant.ca

===== Bibliografía =====

  - http://web.archive.org/web/20060708192705/http://ww2.redant.ca/consulting/ldap/turba.php
  - http://wiki.debian.org/Horde
  - http://wiki.horde.org/ExistingLDAPHowTo
  - LDAP. http://tldp.org/HOWTO/LDAP-HOWTO/
  - OpenLDAP: database creation and maintenance tools. http://www.openldap.org/doc/admin22/dbtools.html
  - RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification 
  - RFC 2251: Lightweight Directory Access Protocol (v3) 
  - RFC 2252: LDAPv3: Attribute Syntax Definitions 
  - RFC 2253: LDAPv3: UTF-8 String Representation of Distinguished Names 
  - RFC 2254: The String Representation of LDAP Search Filters 
  - RFC 2255: The LDAP URL Format 
  - RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3 
  - RFC 2798: Definition of the inetOrgPerson LDAP Object Class 
  - RFC 2808: The SecurID(r) SASL Mechanism 
  - RFC 2222: Simple Authentication and Security Layer (SASL) 
  - RFC 2829: Authentication Methods for LDAP 
  - RFC 2830: LDAPv3: Extension for Transport Layer Security 
  - RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification 
  - RFC 1274: The COSINE and Internet X.500 Schema 
  - RFC 3112. LDAP Authentication Password Schema 
  - ITU-T Rec. E.123, Notation for national and international telephone numbers, 1988