[Mailzu-users] LDAP Authentication mod
From: Ron G. <rg...@sh...> - 2005-10-25 00:52:40
Here is another suggestion for LDAP Authentication if people are having
problems making it work with non-standard directories:
At our site, our users log in to POP or IMAP or Squirrelmail using any of
their full Email Addresses, which is specified as an Attribute of an
LDAP object of a custom type resembling courierMailAccount. Their
mailAttr is "mail", but this same LDAP directory holds customer
information, including business details, CRM details, and Contact info.
Contacts are not necessarily Mail Accounts, and vice versa.
Therefore, neither of the lookup types (statically composed DN, or
directory-wide search using a single attribute) would work. I also
wanted the Quarantine to allow only "Enabled" users (or rather,
specifically deny "Disabled" users).
It appeared that MailZu was using the filter "mailAttr=%m", but there is
only one place where this filter is passed on to the LDAP module itself,
so with the addition of an extra (and optional) text string in the
config file, ooh, let's call it "ldap_objectType", you can compose a
complex filter to narrow down the type of object that would yield a
successful search and subsequent bind.
Here's the addition I would add to config.php-sample:
// Valid LDAP filter to AND with mailAttr if searching by mailAttr
// Filter will look like (&(ldap_mailAttr=%m)(ldap_objectType)),
// so don't include outer parentheses
// Examples:
// $conf['auth']['ldap_objectType'] = "objectclass=courierMailAccount";
// $conf['auth']['ldap_objectType'] = "&(objectclass=amavisAccount)(amavisSpamQuarantineTo=*)";
// Defaults to not using a filter
$conf['auth']['ldap_objectType'] = '';
and here's the change to lib/LDAPEngine.class.php
*** lib/LDAPEngine.class.php 2005-08-30 14:03:36.000000000 -0700
--- ../mailzu/lib/LDAPEngine.class.php 2005-10-24 17:38:51.000000000 -0700
***************
*** 109,112 ****
--- 109,113 ----
$this->name = $conf['auth']['ldap_name'];
$this->mailAttr =
$conf['auth']['ldap_mailAttr'];
+ $this->objectType =
$conf['auth']['ldap_objectType'];
$this->searchUser =
$conf['auth']['ldap_searchUser'];
$this->searchPassword =
$conf['auth']['ldap_searchPassword'];
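Review bot: `$this->objectType = $conf['auth']['ldap_objectType'];` reads the key unconditionally although the post describes the setting as optional, so an existing config.php that predates this change raises an undefined-index notice on every login. Guard it, e.g. `$this->objectType = isset($conf['auth']['ldap_objectType']) ? $conf['auth']['ldap_objectType'] : '';`, which also makes the empty-string default explicit instead of relying on the later `!= ''` comparison treating null as empty.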
***************
*** 226,229 ****
--- 227,233 ----
// Search for user dn
$searchFilter = $this->login .
"=" . $userlogin;
+ if ( $this->objectType != '') {
+ $searchFilter =
"(&($searchFilter)(".$this->objectType."))";
+ }
$dn =
$this->searchUserDN($searchFilter);
}
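Review bot: the search filter is still assembled by raw string concatenation, `$searchFilter = $this->login . "=" . $userlogin;`, and the new branch nests that unescaped value inside a compound filter with `"(&($searchFilter)(".$this->objectType."))"`. Nothing escapes `$userlogin` for the LDAP filter grammar, so a login containing `*`, `(`, `)`, `\` or NUL changes the meaning of the search instead of matching a literal address; escape the value per RFC 4515 (ldap_escape() with LDAP_ESCAPE_FILTER on PHP 5.6+, or a small local helper) before building the filter. It would also help to check that `ldap_objectType` has balanced parentheses once at construction time, since an unbalanced value silently turns every lookup into a failed search rather than an error the admin can see.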
I can then use this line in my config.php to specify the exact and
active user, amongst thousands spread out under hundreds of domains in
hundreds of subdirectories:
$conf['auth']['ldap_objectType'] = "&(objectclass=balServiceMailAccount)(!(servicestatus=Disabled))";
P.S. there is a typo in config.php.sample
$conf['auth']['ldap_searchUsername'] = '';
should be
$conf['auth']['ldap_searchUser'] = '';
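The filter composition the post describes, written out as an added example that is neither MailZu's code nor the patch above; the function names, the escaping helper and the sample login values are assumptions, and the composed shape follows the comment in config.php-sample.

```php
<?php
// Escape a value that will be embedded in an LDAP search filter (RFC 4515 §3).
// Same result as ldap_escape($value, '', LDAP_ESCAPE_FILTER) on PHP >= 5.6,
// spelled out here so the example also works on the PHP 4/5 releases MailZu ran on.
function rfc4515_escape_filter_value($value)
{
    // strtr() with an array does a single pass, so the backslash replacement
    // is not itself re-escaped by the later entries.
    return strtr($value, array(
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ));
}

// Structural check on the admin-supplied ldap_objectType string: an unbalanced
// value would otherwise turn every user lookup into a silently failing search.
function objecttype_parens_balanced($objectType)
{
    $depth = 0;
    for ($i = 0, $n = strlen($objectType); $i < $n; $i++) {
        if ($objectType[$i] === '(') {
            $depth++;
        } elseif ($objectType[$i] === ')' && --$depth < 0) {
            return false;
        }
    }
    return $depth === 0;
}

// Compose the user-DN search filter: "mailAttr=login" on its own (as the patch
// does when ldap_objectType is empty) or (&(mailAttr=login)(ldap_objectType)).
function build_user_search_filter($mailAttr, $userlogin, $objectType)
{
    $searchFilter = $mailAttr . '=' . rfc4515_escape_filter_value($userlogin);
    if ($objectType !== '') {
        if (!objecttype_parens_balanced($objectType)) {
            throw new InvalidArgumentException('ldap_objectType has unbalanced parentheses');
        }
        $searchFilter = '(&(' . $searchFilter . ')(' . $objectType . '))';
    }
    return $searchFilter;
}

// Constructed sample inputs mirroring the config line from the post.
$objectType = '&(objectclass=balServiceMailAccount)(!(servicestatus=Disabled))';
echo build_user_search_filter('mail', 'alice@example.com', $objectType), "\n";
// A login carrying filter metacharacters now matches only the literal string.
echo build_user_search_filter('mail', 'alice*)(objectclass=*', $objectType), "\n";
```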