On 2012-12-05 18:23, Julien Gribonvald wrote:
> Thanks for your response,
>
> The thing is that we don't use LDAP auth but CAS auth.
> Also, we don't permit user auth and access to LDAP, so I don't think
> that we can use your example, if I understood your LDAP configuration.


My example wasn't so much related to the user authentication itself as it was to authorization within LDAP.

I was indeed assuming the user was required to bind to LDAP (as themselves / with their own credentials) - I figured it was a reasonable assumption as otherwise all information contained in the LDAP tree is public / commonly available to all, but perhaps it wasn't ;-)

I'd still like to learn if my description of your functional requirement was indeed somewhat correct / accurate:

On 2012-12-05 18:13, Jeroen van Meeuwen (Kolab Systems) wrote:
> Are you saying that you need, for example, a filter of:
>
>   (&(objectclass=inetorgperson)(location:$branch_office_1))
>
> for somebody that logs in that has an LDAP attribute 'location' set
> to '$branch_office_1', or something along similar lines?


That said, I reckon Roundcube still logs in to an IMAP server using some sort of set of credentials, correct? Could these credentials not also be used to "log in" (bind) to LDAP?

Please allow me to state a snippet of (stock, off-the-shelf) Roundcube configuration that we use:

/etc/roundcubemail/main.inc.php:
    'user_specific'   => true,
    'base_dn'         => 'dc=example,dc=org',
    'bind_dn'         => '%dn',
    'bind_pass'       => '',
    'search_base_dn'  => 'dc=example,dc=org',
    'search_bind_dn'  => 'uid=some-service-account,ou=Some OU,dc=example,dc=org',
    'search_bind_pw'  => 'somepass',
    'search_filter'   => '(&(objectClass=inetOrgPerson)(|(uid=%u)(mail=%fu)))',


This would cause Roundcube to perform two bind operations against the global address book (one of possibly multiple address books in $rcmail_config['ldap_public']), before the UI is populated with information (using the 'filter' setting and other standard parameters):

1) A bind operation in order to allow searching for the entryDN of the user to bind as (using service account credentials, in this case, as anonymous searching is not allowed),

2) A bind operation with the entryDN that is found for the user.

Neither should interfere with your CAS authentication, but of course the question is whether the user / Roundcube could be made to bind to LDAP.

Kind regards,

Jeroen van Meeuwen

--
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev