This document describes how to design directory trees in OpenLDAP and how to configure a Linux server to be used by messaging applications as a directory service.
This document particularly describes how OpenLDAP-based personal addressbooks can be set up in Turba to be used by IMP on a Linux mail server. After reading this document, one can also set up a public addressbook in an OpenLDAP directory, and the same directory services can be shared by other mail programs, like Outlook, Netscape Messenger and KMail.
1. Introduction
This document would be most useful if you have a sound understanding of some TCP/IP protocols, like LDAP, SMTP, IMAP, POP3, SSL/TLS, DNS and HTTP, and intimate familiarity with their implementations, like OpenLDAP, sendmail, Postfix, uw-imap, OpenSSL, BIND and Apache. It is also helpful if you are familiar with some open-source software, including Linux, MySQL, PHP, Horde, IMP and Turba. After all, you have to put all these things together to make what is described in this document work.
This document is based on the author's work on an old Pentium 550 Dell PC. What follows is the list of software and their versions installed on the server.
Mandrake Linux 10.0
Apache 2.0.48-6
Apache2-mod_php 2.0.48_4.3.4-1
BIND 9.2.3-6
Horde 2.2.5
IMP 3.2.4
MySQL 4.0.18
OpenLDAP 2.1.25-6
OpenSSL 0.9.7c-3
Postfix 2.1.0
Turba 1.2.2
UW-IMAP 2002d-8
2. Example deployment scenario
An email hosting company offers its clients the option of storing their personal addressbooks in the company's OpenLDAP directory. The company has already created a directory tree, called “base”, for its hosting clients under “ou=Hosting, ou=Accounts, dc=redant, dc=ca”. Since each user has a unique UID on the system, we choose UID as the RDN attribute. The DN for each user then looks like this: “uid=pni, ou=Hosting, ou=Accounts, dc=redant, dc=ca”.
A personal addressbook is associated with a particular user, so we choose “cn” and “uid” as the RDN underneath the base “ou=personal_addressbook, dc=redant, dc=ca” to make each entry unique at that directory tree level. The reason is easy to see: one user might have a friend called “John Smith”, and another user might have a vendor contact also called “John Smith”. Here, “cn” and “uid” together act like the composite primary key of a relational database table.
A typical entry of a personal addressbook for Patrick Ni looks like this: “cn=Johnson Zhao, ou=pni, ou=personal_addressbook, dc=redant, dc=ca”.
3. OpenLDAP directory design
We need two directory trees, one for hosting accounts, the other for their personal addressbooks.
3.1 Directory tree for hosting accounts
base: ou=Hosting, ou=Accounts, dc=redant, dc=ca

dn: uid=pni, ou=Hosting, ou=Accounts, dc=redant, dc=ca
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pni
displayName: Ni Patrick
cn: Patrick Ni
givenName: Patrick
givenName: Tian Hua
sn: Ni
title: Network Consultant
ou: Information Systems
o: RedAnt Networks Co.
postalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo=
telephoneNumber: +1 604 274 1100
mobile: +1 604 603 1707
mail: pni@redant.ca
homePostalAddress:: MzE0LTEwODUxIE1vcnRmaWVsZCBSZApSaWNobW9uZCBCQyAgVjdBIDJXMQo=
homePhone: +1 604 274 1100
jpegPhoto:< file:///home/pni/photos/pni.jpg
userPassword:: e1NTSEF9dGFLMHh5Mk5rRG1MQTEwYlNCeHg2dXJ5a2kraGIwbys=
description: CISSP, CCNA, CCDA, HP-UX, MCP
Note: The userPassword attribute is used to bind the identity (DN) to the directory. Turba first obtains your IMP login credentials and compares them to the UID portion of the DN and the userPassword entry. So you have to provide a web-based interface program that lets each user modify their userPassword attribute to match their IMP login password.
3.2 Directory tree for personal addressbooks
base: ou=personal_addressbook, dc=redant, dc=ca

dn: cn=Johnson Zhao, ou=pni, ou=personal_addressbook, dc=redant, dc=ca
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Johnson Zhao
givenName: Johnson
sn: Zhao
title: Vice President
ou: Sales
o: Prima Electronics Ltd.
postalAddress:: SDE2MC0yMjEyMiAyMHRoIEF2ZSBTRQpCb3RoZWxsIFdBIDk4MDM2Cg==
telephoneNumber: +1 866 447 7462
mobile: +1 206 335 1965
mail: johnson@primaamerica.com
mail: zhaoxin@zhaotangjun.com
homePostalAddress:: MTgwLTEzMjAwIERlbGYgUGwKUmljaG1vbmQgQkMgIFYyViAyQTIK
homePhone: +1 425 349 1709
description: Love to drive Pathfinder
4. OpenLDAP Configuration
You just need to make a few modifications to the OpenLDAP files to make an OpenLDAP-based Turba addressbook work. You can leave the other default configuration intact.
4.1 /etc/openldap/slapd.conf
suffix "dc=redant,dc=ca"
rootdn "cn=Manager,dc=redant,dc=ca"
rootpw {MD5}8lovxyaQt4CyoU4UDvap4A==
Note: This sets the rootdn password to “iloveyou”, stored as an {MD5} hash.
4.2 /etc/openldap/slapd.access.conf
access to * by * write
Note: You definitely have to write better ACLs after everything works.
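A tighter ACL for the two trees in section 3, as an added example that is not from the page: it binds the userPassword attribute to its owner, gives each hosting user write access only to the ou=<uid> subtree under personal_addressbook, and makes everything else read-only for authenticated users. It assumes the slapd.access(5) syntax of the 2.1 series, where a by dn.regex clause may reference submatches ($2) of the to dn.regex pattern; newer releases also accept dn.exact,expand for the same thing.

```conf
# /etc/openldap/slapd.access.conf (added example; replaces "access to * by * write")
# Rules are evaluated in order and the first matching "to" clause wins.

# userPassword: the owner may change it; everyone else may only use it to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Personal addressbooks: the entry ou=<uid>,ou=personal_addressbook,... and
# everything below it is writable only by uid=<uid>,ou=Hosting,ou=Accounts,...
# ($2 is the second submatch of the "to" regex, i.e. the uid).
access to dn.regex="^(.+,)?ou=([^,]+),ou=personal_addressbook,dc=redant,dc=ca$"
    by dn.regex="^uid=$2,ou=Hosting,ou=Accounts,dc=redant,dc=ca$" write
    by * none

# Hosting accounts: users may update their own entry, other bound users may read.
access to dn.subtree="ou=Hosting,ou=Accounts,dc=redant,dc=ca"
    by self write
    by users read
    by * none

# Everything else (including the container entries) is read-only for bound users.
access to *
    by users read
    by * none
```

The rootdn (cn=Manager) bypasses these rules, so the ldapadd commands in section 6 keep working; a user binding as uid=pni can still read and write only ou=pni,ou=personal_addressbook,dc=redant,dc=ca, which is exactly the root Turba searches.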
4.3 /etc/ldap.conf
BASE dc=redant, dc=ca
HOST ldap.redant.ca
URI ldap://ldap.redant.ca
5. Turba Configuration
You need to modify two files: sources.php and attributes.php
5.1 /var/www/html/horde/turba/config/sources.php
// The Horde login name, with any @domain part stripped, is the user's uid.
$uid = Auth::getAuth();
if (preg_match('/(^.*)@/', $uid, $matches)) {
    $uid = $matches[1];
}
$basedn = 'dc=redant,dc=ca';

$cfgSources['personal_ldap'] = array(
    'title' => 'My OpenLDAP Addressbook',
    'type' => 'ldap',
    'params' => array(
        'server' => 'localhost',
        // Search root: the user's own subtree under personal_addressbook.
        'root' => 'ou=' . $uid . ',ou=personal_addressbook,' . $basedn,
        // Bind as the user's hosting account with the IMP login password.
        'bind_dn' => 'uid=' . $uid . ',ou=Hosting,' . 'ou=Accounts,' . $basedn,
        'bind_password' => Auth::getCredential('password'),
        'dn' => array('cn', 'uid'),
        'objectclass' => array('person', 'organizationalPerson', 'inetOrgPerson'),
        'encoding' => 'utf8',
        'version' => 3
    ),
    'map' => array(
        '__key' => 'dn',
        'name' => 'cn',
        'firstName' => 'givenname',
        'lastName' => 'sn',
        'title' => 'title',
        'department' => 'ou',
        'company' => 'o',
        'companyAddress' => 'postaladdress',
        'officePhone' => 'telephonenumber',
        'cellPhone' => 'mobile',
        'email' => 'mail',
        'homeAddress' => 'homepostaladdress',
        'homePhone' => 'homephone',
        'notes' => 'description'
    ),
    'search' => array(
        'name', 'firstName', 'lastName', 'title', 'department', 'company',
        'companyAddress', 'officePhone', 'cellPhone', 'email', 'homeAddress',
        'homePhone', 'notes'
    ),
    'strict' => array('dn'),
    'public' => true,
    'readonly' => false,
    'admin' => array($uid),
    'export' => true
);
Note: You have to lowercase all OpenLDAP attribute types in the map to avoid strange problems.
5.2 /var/www/html/horde/turba/attributes.php
This file is quite self-explanatory. Add or modify parameters according to the sources.php file.
6. Some screenshots
6.1 Add a hosting account entry to the directory
Once you have created the LDIF file, you can use the following command to add the entry to the directory.
ldapadd -x -D "cn=manager,dc=redant,dc=ca" -W -f pni.ldif
Note:
*Before adding this entry, you should add its parent entry, which is “ou=Hosting, ou=Accounts, dc=redant, dc=ca”.
*The userPassword attribute value can be generated using the slappasswd command. To change it, first delete the attribute, then generate a new one and add it back using an LDIF file.
version: 1
dn: uid=pni,ou=Hosting,ou=Accounts,dc=redant,dc=ca
changetype: modify
add: userPassword
userPassword: {SSHA}Q/Z/GnRLfEi1gK2Z90uws0RV65qSmnC/
*The jpegPhoto attribute can be added separately later, and is not used in this document. It could be used by another application or by your own script to manage hosting clients. It is not supported by Turba, so it is not included in the personal addressbook design.
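Added example in Python (not code from the page or from Horde/OpenLDAP): the check slapd performs on a simple bind against a userPassword value in the {MD5} scheme of section 4.1 and the {SSHA} scheme produced by slappasswd, plus the way an {SSHA} value is built (digest of password plus a 4-byte random salt, salt appended). It assumes the RFC 2307 password-scheme encoding; the {MD5} value tested is the rootpw from section 4.1.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 userPassword schemes as stored by OpenLDAP:
#   {MD5}/{SHA}   -> base64(digest(password))
#   {SMD5}/{SSHA} -> base64(digest(password + salt) + salt)
SCHEMES = {"MD5": "md5", "SHA": "sha1", "SMD5": "md5", "SSHA": "sha1"}
SALTED = {"SMD5", "SSHA"}
DIGEST_LEN = {"md5": 16, "sha1": 20}


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value the way `slappasswd -h {SSHA}` does."""
    scheme = scheme.upper()
    algo = SCHEMES[scheme]
    if scheme in SALTED:
        salt = os.urandom(4) if salt is None else salt  # slappasswd uses a 4-byte salt
        raw = hashlib.new(algo, password.encode() + salt).digest() + salt
    else:
        raw = hashlib.new(algo, password.encode()).digest()  # unsalted: same password, same value
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode())


def check_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches stored; this is the test a simple bind succeeds on."""
    if not stored.startswith("{") or "}" not in stored:
        return False  # cleartext or unknown form: refuse rather than guess
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return False
    algo = SCHEMES[scheme]
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    n = DIGEST_LEN[algo]
    if scheme in SALTED:
        digest, salt = raw[:n], raw[n:]  # whatever follows the digest is the salt
        expected = hashlib.new(algo, candidate.encode() + salt).digest()
    else:
        digest, expected = raw, hashlib.new(algo, candidate.encode()).digest()
    return hmac.compare_digest(digest, expected)
```

Two accounts with the same password get identical {MD5} values but different {SSHA} values, which is why the salted scheme slappasswd emits by default is the better choice for rootpw as well.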
6.2 Add a personal addressbook entry for a hosting user Patrick Ni (uid=pni)
[Screenshots: Add a personal addressbook entry, image 1/2 and image 2/2]
Note: Before adding this entry, you should add its parent entry, which is “ou=pni, ou=personal_addressbook, dc=redant, dc=ca”.
Note: Although OpenLDAP supports multi-valued attributes, like “mail”, Turba does not.
7. Security considerations
The backend addressbook operations performed by Turba are over LDAP, not LDAPS. Authentication to the directory is simple authentication; no SASL mechanism is provisioned. These are all hard-coded. We expect future releases of Horde and Turba to address these concerns.
Patrick Ni, Network Consultant
314-10851 Mortfield Rd
Richmond BC V7A 2W1
Email: pni@redant.ca