Directory Enabled Horde: Part II
Part one of this series is here.
Now that you are into the Horde configuration page there are many options available for you to tune or tweak. You should carefully go through each tab and consider each option's appropriateness to your site and users. But to get off the ground the first tab we want to visit is "Preference System". This tab defines how Horde saves the user's preferences and options.
Change the "What preferences driver should we use" option to "LDAP", and set "The hostname of the LDAP server" and "The port of the LDAP server" to appropriate values. If you don't know what port your LDAP server listens on try "389" as that is the standard port and should work unless the DSA administrator is doing something very strange.
The "base DN for the LDAP server" does NOT need to be the root of your DIT, and probably should not be. Horde only needs to see the user objects, so this should be set to the container below which all of your user objects exist. In our case it is ou=People,ou=Entities,ou=SAM,dc=whitemice,dc=org. Having Horde search your entire DIT from the top is bad not just for performance but also for security. If there is a loophole in your ACLs that allows a user to create an object somewhere that matches Horde's search criteria, they could then use that unexpected object for some nefarious purpose. Restricting Horde to searching a single branch or container makes breaching your security just that much harder.
Next you need to enter the DN Horde will bind with to read preferences and write changes. For the love of all that is holy do NOT actually use your DSA's administrative DN; ask yourself: Should Horde be able to create user accounts, delete user accounts, change user passwords, and delete every object from my DIT? The answer is a very emphatic NO! Create a bind context just for the Horde application; for instance, we created "uid=horde,ou=System,ou=Entities,ou=SAM,dc=whitemice,dc=org". This doesn't need to be, and shouldn't be, a full-fledged user account. Just having a password is sufficient, so make an account + simpleSecurityObject object and set a nice long password. For example:
dn: uid=horde,ou=System,ou=Entities,ou=SAM,dc=whitemice,dc=org
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: horde
userPassword: *****************************
The password for this bind is stored in the Horde configuration in clear text, so the power granted to this bind should be severely limited. It is a good idea to constrain the ability to modify the Horde preferences anyway, so create something like the following ACL at the appropriate place in your stack:
access to dn.sub="ou=People,ou=Entities,ou=SAM,dc=whitemice,dc=org"
        attrs=@hordePerson
        by group="cn=DSA,ou=Administrators,ou=Access Control,dc=whitemice,dc=org" write
        by group="cn=Horde,ou=Administrators,ou=Access Control,dc=whitemice,dc=org" write
        by * none
The cn=Horde,ou=Administrators,ou=Access Control,dc=whitemice,dc=org group has uid=horde,ou=System,ou=Entities,ou=SAM,dc=whitemice,dc=org as a member, along with anyone else who is not in cn=DSA,ou=Administrators,ou=Access Control,dc=whitemice,dc=org but should be able to diddle with a user's Horde preferences. The Horde bind DN will also need to be able to read the uid and objectClass attributes of objects in order to locate the user, but beyond this the bind context for Horde should have no other privileges.
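To see what the two restrictions above buy you, here is a small model of them in Python. This is an added illustration, not code from the article or from Horde: the directory entries, the extra group members, and the attribute covered by @hordePerson (assumed to be hordePrefs, from the Horde schema) are constructed for the example.

```python
# Model of the article's search-base and ACL restrictions (constructed example).
BASE = "ou=People,ou=Entities,ou=SAM,dc=whitemice,dc=org"
HORDE_BIND = "uid=horde,ou=System,ou=Entities,ou=SAM,dc=whitemice,dc=org"
DSA_GROUP = "cn=DSA,ou=Administrators,ou=Access Control,dc=whitemice,dc=org"
HORDE_GROUP = "cn=Horde,ou=Administrators,ou=Access Control,dc=whitemice,dc=org"

# Group memberships (constructed). The Horde bind is only in cn=Horde.
GROUPS = {
    DSA_GROUP: {"uid=adam,ou=People,ou=Entities,ou=SAM,dc=whitemice,dc=org"},
    HORDE_GROUP: {HORDE_BIND, "uid=helpdesk,ou=System,ou=Entities,ou=SAM,dc=whitemice,dc=org"},
}
HORDE_PERSON_ATTRS = {"hordeprefs"}   # attrs=@hordePerson (assumed attribute)
LOOKUP_ATTRS = {"uid", "objectclass"}  # what Horde needs to locate a user

# Constructed directory: a real user under BASE and an entry with the same uid
# created somewhere outside BASE (the "loophole" case from the article).
ALICE = "uid=alice,ou=People,ou=Entities,ou=SAM,dc=whitemice,dc=org"
ROGUE = "uid=alice,ou=Scratch,dc=whitemice,dc=org"
DIRECTORY = {ALICE: {"uid": "alice"}, ROGUE: {"uid": "alice"}, HORDE_BIND: {"uid": "horde"}}

def _rdns(dn):
    """Split a DN into lower-cased RDNs (this model has no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_under(dn, base):
    """dn.sub semantics: dn is base itself or lies somewhere beneath it."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def find_user(directory, uid):
    """Horde's lookup: subtree search below BASE for (uid=<uid>)."""
    return [dn for dn, entry in directory.items()
            if is_under(dn, BASE) and entry.get("uid", "").lower() == uid.lower()]

def access(who, target, attr):
    """Access the article's policy grants 'who' on one attribute of 'target'.
    Like a slapd ACL stack, the first matching rule decides."""
    a = attr.lower()
    if is_under(target, BASE) and a in HORDE_PERSON_ATTRS:
        if any(who in GROUPS[g] for g in (DSA_GROUP, HORDE_GROUP)):
            return "write"
        return "none"   # by * none
    if is_under(target, BASE) and a in LOOKUP_ATTRS:
        return "read"   # the uid/objectClass read the article says Horde needs
    return "none"       # nothing else is granted to the Horde bind in this model
```

The rogue uid=alice entry is never returned by the scoped search, and the Horde bind can read uid and write hordePrefs under ou=People but gets nothing on userPassword or on entries outside the base.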
The last element on this tab is "The username search key" and will almost certainly be "uid". This is the attribute that contains the user's account name.
Now click "Generate Horde Configuration". You should be greeted with a "Successfully saved the backup configuration file ..../horde/config/conf.php.bak" message. Your preference system should be ready to work; all we need now is to set up the connection to your IMAP server.
Your IMAP server settings (this is an IMP configuration issue rather than a Horde one) are stored in the file horde/imp/config/servers.php. What you put here depends greatly on your configuration. Ours looks like:
$servers['cyrus'] = array(
    'name' => 'Cyrus IMAP Server',
    'server' => 'estate1.wmmi.net',
    'hordeauth' => false,
    // novalidate-cert encrypts the session but skips checking the server's certificate
    'protocol' => 'imap/ssl/novalidate-cert',
    'port' => 143,
    'folders' => '',
    'namespace' => '',
    'maildomain' => 'wmmi.net',
    'smtphost' => 'estate1.wmmi.net',
    'smtpport' => 25,
    'realm' => '',
    'preferred' => '',
    // Cyrus administrator credentials; like the LDAP bind password, these sit in clear text
    'admin' => array(
        'params' => array(
            'login' => 'cyrus',
            'password' => '***********',
            'userhierarchy' => 'user.',
            'protocol' => 'imap/ssl/novalidate-cert',
            'hostspec' => 'estate1.wmmi.net',
            'port' => 143
        )
    ),
    'quota' => array(
        'driver' => 'cyrus',
        'params' => array(
            'login' => 'cyrus',
            'password' => '***********',
            'userhierarchy' => 'user.',
            'protocol' => 'imap/ssl/novalidate-cert',
            'hostspec' => 'estate1.wmmi.net',
            'port' => 143
        )
    ),
    'acl' => array(
        'driver' => 'rfc2086',
    ),
    'dotfiles' => false,
    'hierarchies' => array()
);
Since we will be using IMP to authenticate users it is important that the above be correct. Go back to the "Administration/Setup" link in the left hand Horde menu and this time click "Mail (imp)". We are now in the IMP configuration application. Simply click "Generate Mail Configuration". Once those settings have been created click on "Mail" in the left menu; you should come to an IMP login screen. Attempt to log in to your mail account. If you cannot log in to your mail, adjust your server settings until IMP login succeeds.
Once IMP login is working we want to tell Horde that IMP will be doing all the authentication for us; this means that when a user logs in to Horde they are logging into their mailbox. If logging into their mailbox fails then logging into Horde fails. Click the "Administration/Setup" link in the left hand Horde menu and select "Horde (horde)" again. Only this time we want to go to the "Authentication" tab.
In the "Which users should be treated as administrators (root, super-user) by Horde" field enter the usernames of all the users who should see the "Administration" menu in their Horde session. You can specify multiple users as a comma separated list. Then change "What backend should we use for authenticating users to Horde?" to "Let a Horde application handle authentication". After doing so you should see a "The application which is providing authentication" select box, wherein you can select "imp". Do the "Generate Horde Configuration" and then log out.
You should now be able to log in to Horde using your user account, click on the "Mail" link in the Horde menu and see your mailbox. You should also be able to click Options and start setting up your Horde session to your own liking.
To be continued.....
Part I: Installing Horde
Part II: Setting up preferences
Part III: Sending Authenticated Mail
