Re: [Mailzu-users] LDAP Authentication mod
From: Sam T. <st...@gm...> - 2005-10-25 14:22:06
On 10/24/05, Ron Grant <rg...@sh...> wrote:
> Here is another suggestion for LDAP Authentication if people are having
> problems making it work with non-standard directories:
>
> At our site, our users login to POP or IMAP or Squirrelmail using any of
> their full Email Addresses, which is specified as an Attribute of an
> LDAP object of a custom type resembling courierMailAccount. Their
> mailAttr is "mail", but this same LDAP directory holds customer
> information, including business details, CRM details, and Contact info.
> Contacts are not necessarily Mail Accounts, and vice versa.
>
> Therefore, neither of the lookup types (statically composed DN, or
> directory-wide search using a single attribute) would work. I also
> wanted the Quarantine to allow only "Enabled" users (or rather,
> specifically deny "Disabled" users).
>
> It appeared that MailZu was using the filter "mailAttr=%m", but there is
> only one place where this filter is passed on to the LDAP module itself,
> so with the addition of an extra (and optional) text string in the
> config file, ooh, let's call it "ldap_objectType", you can compose a
> complex filter to narrow down the type of object that would yield a
> successful search and subsequent bind.
>
> Here's the addition I would add to config.php-sample:
>
> // Valid LDAP filter to AND with mailAttr if searching by mailAttr
> // Filter will look like (&(ldap_mailAttr=%m)(ldap_objectType)),
> // so don't include outer parentheses
> // Examples:
> // $conf['auth']['ldap_objectType'] = "objectclass=courierMailAccount";
> // $conf['auth']['ldap_objectType'] = "&(objectclass=amavisAccount)(amavisSpamQuarantineTo=*)";
> // Defaults to not using a filter
> $conf['auth']['ldap_objectType'] = '';
>
> and here's the change to lib/LDAPEngine.class.php
>
> *** lib/LDAPEngine.class.php 2005-08-30 14:03:36.000000000 -0700
> --- ../mailzu/lib/LDAPEngine.class.php 2005-10-24 17:38:51.000000000 -07=
00
> ***************
> *** 109,112 ****
> --- 109,113 ----
> $this->name =3D $conf['auth']['ldap_name'=
];
> $this->mailAttr =3D
> $conf['auth']['ldap_mailAttr'];
> + $this->objectType =3D
> $conf['auth']['ldap_objectType'];
> $this->searchUser =3D
> $conf['auth']['ldap_searchUser'];
> $this->searchPassword =3D
> $conf['auth']['ldap_searchPassword'];
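Review bot: the added line reads `$conf['auth']['ldap_objectType']` unconditionally, so on an existing config.php that predates this option (the sample defaults it to '', but installed configs will not have the key at all) PHP emits an undefined-index notice and `$this->objectType` becomes null rather than the empty string the later `!= ''` test expects. Suggest `$this->objectType = isset($conf['auth']['ldap_objectType']) ? $conf['auth']['ldap_objectType'] : '';` and declaring the new member next to the class's other properties so the option is self-documenting.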
> ***************
> *** 226,229 ****
> --- 227,233 ----
> // Search for user dn
> $searchFilter =3D $this->login .
> "=3D" . $userlogin;
> + if ( $this->objectType !=3D '') {
> + $searchFilter =3D
> "(&($searchFilter)(".$this->objectType."))";
> + }
> $dn =3D
> $this->searchUserDN($searchFilter);
> }
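Review bot: the context line just above the added block concatenates `$userlogin` straight into `$searchFilter`, so a login containing filter metacharacters (`*`, `(`, `)`, `\`) still changes the meaning of the `(&(...)(objectType))` filter this hunk builds; since the hunk is rebuilding the filter anyway, escape the user-supplied half per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`) before the concatenation. The `$this->objectType` half comes from config.php and is administrator-controlled, so it needs no escaping, but the config comment should keep stating that it must be a complete filter body without outer parentheses, as the sample values already are.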
>
>
> I can then use this line in my config.php to specify the exact and
> active user, amongst thousands spread out under hundreds of domains in
> hundreds of subdirectories:
> $conf['auth']['ldap_objectType'] = "&(objectclass=balServiceMailAccount)(!(servicestatus=Disabled))";
>
> P.S. there is a typo in config.php.sample
> $conf['auth']['ldap_searchUsername'] = '';
>
> should be
> $conf['auth']['ldap_searchUser'] = '';
>
Thank you for your contribution, Ron.
I will add this new feature to MailZu. Paolo also suggested such a solution.
It will serve all LDAP enabled sites well.
Regards,
Sam
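The filter composition from Ron's patch, written out as an added example (not MailZu's code and not part of the original thread): the optional objectType clause is ANDed onto the login lookup exactly as the patch's config comment describes, and the user-supplied login is escaped per RFC 4515 before it is concatenated so that metacharacters cannot change what the directory search matches. The helper names `ldapFilterEscape` and `buildSearchFilter` are hypothetical, the login attribute `mail` is assumed, and the objectType value is a constructed sample in the same shape as the ones on the page.

```php
<?php
// Added example, not MailZu code. Demonstrates the filter built by the patch above,
// with RFC 4515 escaping of the user-controlled login value.

function ldapFilterEscape(string $value): string
{
    // RFC 4515 escaping of filter metacharacters. PHP >= 5.6 ships ldap_escape()
    // with LDAP_ESCAPE_FILTER for the same purpose; done inline here so the
    // example runs without the ldap extension.
    $map = [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ];
    return strtr($value, $map);
}

// $loginAttr  : attribute matched against the login (corresponds to $this->login)
// $userlogin  : value typed by the user, escaped here
// $objectType : administrator-controlled filter body from config.php, without
//               outer parentheses ('' means no extra restriction)
function buildSearchFilter(string $loginAttr, string $userlogin, string $objectType = ''): string
{
    $filter = $loginAttr . '=' . ldapFilterEscape($userlogin);
    if ($objectType !== '') {
        // Same shape as the patch: (&(login=user)(objectType))
        return '(&(' . $filter . ')(' . $objectType . '))';
    }
    // Assumption: wrap the plain lookup in parentheses so it is a complete filter
    return '(' . $filter . ')';
}

// Constructed sample configuration (not from a real directory)
$loginAttr = 'mail';
$conf['auth']['ldap_objectType'] =
    '&(objectclass=courierMailAccount)(!(servicestatus=Disabled))';

// Normal login: restricted to enabled mail accounts only
echo buildSearchFilter($loginAttr, 'ron@example.com', $conf['auth']['ldap_objectType']), "\n";
// (&(mail=ron@example.com)(&(objectclass=courierMailAccount)(!(servicestatus=Disabled))))

// Login containing filter metacharacters: escaped, so it matches nothing unexpected
echo buildSearchFilter($loginAttr, 'a*)(mail=*', ''), "\n";
// (mail=a\2a\29\28mail=\2a)
```

The second call shows why the escaping belongs at this point in the code: without it the same input would turn the single equality match into a filter with a wildcard clause the administrator never configured, while the escaped form is just a literal value that no entry's mail attribute will equal.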