
Re: some thoughts about RDN



On Wed, Jun 10, 2009 at 12:31:56PM +0200, Paweł Madej wrote:

> To not spam too much this list I've pasted roundcube webmail LDAP part here
> http://pastebin.com/m6ba78ab4

It looks to me as if the per-user private addressbook facility
requires a specific DIT structure with the username in the DN. This is
very restrictive, so I suggest asking the developers to change it.

A more general solution requires something like this:

A 'system' DN and password to bind to the directory before we have
verified the user. In some cases this search can be anonymous, but in
others anon would be blocked by access-control policy.

A base DN from which to start a subtree search to find the user entry.

A configurable search spec to find user entries. In your case, this
might say something like:
	(&(objectclass=account)(mail=%fu))
[Note the use of objectclass to prevent it from finding addressbook
entries: we only want the main account entry at this stage]

Having found the user entry, the application should re-bind as the
user for access to addressbooks etc.

For per-user addressbooks, you then want to prepend an optional RDN
component to the user DN (e.g. cn=addressbook) and build the addressbook
entries below that. I would suggest using a meaningless random number
as the RDN of each entry.

Note that the use of search means that the DIT structure is not
constrained by the application.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
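The bind/search/re-bind flow and the addressbook DN layout described in the message above, as an added example that is not code from the thread or from Roundcube: the search and bind operations are passed in as callables (the application's own LDAP client would supply them), the `uid=` attribute for the random RDN is this example's assumption, and the RFC 4515 escaping of the `%fu` value is a defensive detail the message does not spell out.

```python
import secrets

FILTER_TEMPLATE = "(&(objectclass=account)(mail=%fu))"  # search spec from the message
ADDRESSBOOK_RDN = "cn=addressbook"                       # optional RDN prepended to the user DN


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied value stays a literal and
    cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def build_user_filter(username, template=FILTER_TEMPLATE):
    """Substitute the login name for %fu in the configurable search spec."""
    return template.replace("%fu", escape_filter_value(username))


def find_user_dn(search, base_dn, username):
    """search(base_dn, filter) is the application's subtree search, run under
    the 'system' bind (or anonymously where access control allows it).
    Exactly one DN must come back; zero or several means the login is invalid."""
    hits = search(base_dn, build_user_filter(username))
    if len(hits) != 1:
        return None
    return hits[0]


def authenticate(search, bind, base_dn, username, password):
    """Locate the user entry, then re-bind as that user to prove the password.
    bind(dn, password) returns True on a successful simple bind.
    Returns the user DN on success, None otherwise."""
    user_dn = find_user_dn(search, base_dn, username)
    if user_dn is None or not bind(user_dn, password):
        return None
    return user_dn


def addressbook_container_dn(user_dn):
    """Per-user addressbook container: cn=addressbook directly below the user entry."""
    return ADDRESSBOOK_RDN + "," + user_dn


def new_addressbook_entry_dn(user_dn):
    """Each addressbook entry gets a meaningless random RDN below the container
    (the 'uid' attribute type is this example's assumption)."""
    return "uid=" + secrets.token_hex(8) + "," + addressbook_container_dn(user_dn)
```

Because the user entry is found by search, the application no longer dictates where in the DIT the entries live; only the addressbook subtree hangs off the DN the search returned.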