Re: [Mailzu-users] LDAP Authentication mod
From: Sam T. <st...@gm...> - 2005-10-25 15:31:50
On 10/24/05, Ron Grant <rg...@sh...> wrote:
> Here is another suggestion for LDAP Authentication if people are having
> problems making it work with non-standard directories:
>
> At our site, our users login to POP or IMAP or Squirrelmail using any of
> their full Email Addresses, which is specified as an Attribute of an
> LDAP object of a custom type resembling courierMailAccount. Their
> mailAttr is "mail", but this same LDAP directory holds customer
> information, including business details, CRM details, and Contact info.
> Contacts are not necessarily Mail Accounts, and vice versa.
>
> Therefore, neither of the lookup types (statically composed DN, or
> directory-wide search using a single attribute) would work. I also
> wanted the Quarantine to allow only "Enabled" users (or rather,
> specifically deny "Disabled" users).
>

I understand that this additional LDAP filter can restrict login. But I am
not sure why neither of the lookup types (statically composed DN, or
directory-wide search using a single attribute) would work. Could you give
me an example please?

> It appeared that MailZu was using the filter "mailAttr=%m", but there is
> only one place where this filter is passed on to the LDAP module itself,
> so with the addition of an extra (and optional) text string in the
> config file, ooh, let's call it "ldap_objectType", you can compose a
> complex filter to narrow down the type of object that would yield a
> successful search and subsequent bind.
>

I have actually two problems with this method:

1. I still cannot restrict DN that was statically composed.
2. I cannot restrict login based on group membership.

Therefore I think it may be better to do a user login restriction check
after we get the user DN in the Auth.class.php. What do you think?

Sam
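
Added example, not part of the original message and not MailZu code: a Python illustration of the two approaches discussed in this thread, a login filter composed from an optional object-type clause plus the escaped login value, and a restriction check that runs after the user DN is known. The function names, the `accountStatus` attribute, the `(objectClass=courierMailAccount)` clause, and all sample entries and DNs are assumptions constructed for the example.

```python
# Added illustration; not MailZu code. All names and sample data are hypothetical.

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape user-supplied text before substituting it into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(mail_attr, login, object_type=""):
    """Return (mail_attr=login), ANDed with an optional admin-supplied clause."""
    match = "(%s=%s)" % (mail_attr, escape_filter_value(login))
    if not object_type:
        return match
    if not (object_type.startswith("(") and object_type.endswith(")")):
        raise ValueError("object_type must be a parenthesised filter clause")
    return "(&%s%s)" % (object_type, match)

def login_allowed(entry, user_dn, group_members, status_attr="accountStatus"):
    """Check applied once the DN is known, whether it came from a static
    DN template or a search: deny disabled entries and non-members.
    DN comparison is simplified to a case-insensitive string match."""
    status = [v.lower() for v in entry.get(status_attr, [])]
    if "disabled" in status:
        return False
    return user_dn.lower() in (m.lower() for m in group_members)

# Constructed sample data.
SAMPLE_DN = "uid=sam,ou=mail,dc=example,dc=com"
SAMPLE_ENTRY = {"mail": ["sam@example.com"], "accountStatus": ["Enabled"]}
SAMPLE_GROUP = ["UID=sam,OU=mail,DC=example,DC=com"]

if __name__ == "__main__":
    print(build_login_filter("mail", "sam@example.com",
                             "(objectClass=courierMailAccount)"))
    # Filter metacharacters in the login are neutralised, not interpreted.
    print(build_login_filter("mail", "a*)(mail=*"))
    print(login_allowed(SAMPLE_ENTRY, SAMPLE_DN, SAMPLE_GROUP))
```
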