Re: openldap + kmail

Craig White craig at tobyhouse.com
Thu May 1 16:08:38 UTC 2008


On Thu, 2008-05-01 at 00:11 +0100, Timothy Murphy wrote:
> Craig White wrote:
> 
> > No - you misunderstood him
> > 
> > It is not possible to have a 'DN: Address Book'
> 
> No, it is you who misunderstand.
> I was _asked_ for the DN,
> and the only response that worked was "Address Book".
> 
> Bizarrely, I just checked, and now any response works -
> presumably the DN (or RDN) has been stored somewhere.
----
it's ignoring what you put in and getting the base dn from the server
and doing a sub search.

It may be functional but it's a mess and works only because you're
basically doing nothing else with LDAP. If you had LDAP under any kind
of load, doing sub searches across the entire DSA is a rather stupid
thing to do...it slows down every search and ties up the LDAP server.

While you might get away with this as a 'read only' client, it doesn't work
if you intend to use Kaddressbook to 'write' because it HAS to know what
the baseDN is to know where to 'write'.
-----
> > All you need is suitable 'ou' with ACL permissions to access that 'ou'
> > and if that 'ou' were called 'People_I_Want_to_SPAM', Kaddressbook would
> > be happy with that too. Of course, that gets into the nuts and bolts of
> > LDAP. Having an 'ou' called 'Address Book' or 'AddressBook' has no
> > meaning to Kaddressbook unless Kaddressbook is configured to use the DN
> > like...
> > ou=AddressBook,dc=xyz,dc=com
> 
> KAddressBook had already asked for my host.
> The only sense I can make of it is that KAddressBook constructed the DN
> from this, together with "Address Book", which I gave in response to "DN".
----
yeah, it probably got the baseDN from your server and is doing a 'sub'
search on everything in your LDAP DSA as explained above. That doesn't
make it the right way to use it.

For example, on my ldap servers, I typically do...

ou=AddressBook,dc=example,dc=com # public address book
ou=People,dc=example,dc=com      # users
ou=AddressBook,uid=SOME_USER,ou=People,dc=example,dc=com
# as the user's own personal LDAP address book

and probably some others.

I have a lot of users and I can't have them trying to do sub searches
from the base all over the entire DSA. Therefore, they have 3 different
LDAP address books set up (per above) and they only need to authenticate
to their personal LDAP address book (ACL restriction) and anonymous
users can (read only) use the shared address book and the 'users' list.
----
> Incidentally, the reason I did this was that I was following
> the yolinux tutorial at
> <http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP.html>.
> You are invited to access their LDAP server,
> and I found that I could indeed see their address book
> in my KAddressBook when I gave Host: ldap.yo-linux.com , DN: o=stooges .
> This was following their general instructions, which read (in part):
> 
>     * Name: YoLinux Demo
>     * Hostname: ldap.yo-linux.com
>     * Base DN: o=stooges
----
OK - but yo-linux is running a public LDAP server that has a 'base' of
o=stooges 

If you are trying to make a point here, you aren't making it.

Craig
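As an added illustration (not taken from Craig's servers or the thread), the following slapd.conf access directives implement the layout he describes: anonymous read on the shared address book and the user list, and each user alone able to write under their own ou=AddressBook entry. The suffix dc=example,dc=com, the attribute names and the ldapsearch invocations in the comments are assumptions.

```conf
# Assumed suffix: dc=example,dc=com
# Rules are evaluated top to bottom and the first matching "access to" wins,
# so the most specific subtrees come first.

# Per-user address book: only the owning uid may read/write it, nobody else
# sees it. $2 is the uid captured from the target DN; ",expand" substitutes it.
access to dn.regex="^(.+,)?ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$"
    by dn.exact,expand="uid=$2,ou=People,dc=example,dc=com" write
    by * none

# Passwords under ou=People: owner may change, anonymous may only bind with it.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Shared 'users' list: read-only for everyone (including anonymous).
access to dn.subtree="ou=People,dc=example,dc=com"
    by * read

# Shared public address book: read-only for everyone.
access to dn.subtree="ou=AddressBook,dc=example,dc=com"
    by * read

# Everything else in the DSA is hidden from anonymous clients, so a client that
# silently does a 'sub' search from the root base gets nothing useful back.
access to *
    by users read
    by * none

# Matching client configuration (what KAddressBook should be given as Base DN):
#   shared book, anonymous:
#     ldapsearch -x -H ldap://ldap.example.com \
#       -b "ou=AddressBook,dc=example,dc=com" -s sub "(objectClass=inetOrgPerson)"
#   personal book, authenticated as the owner:
#     ldapsearch -x -H ldap://ldap.example.com \
#       -D "uid=alice,ou=People,dc=example,dc=com" -W \
#       -b "ou=AddressBook,uid=alice,ou=People,dc=example,dc=com" -s sub "(cn=*)"
```

Check the result with slapacl before relying on it, e.g. `slapacl -b "ou=AddressBook,uid=alice,ou=People,dc=example,dc=com" -D "uid=bob,ou=People,dc=example,dc=com" cn` should report no access for bob.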
