Egroupware : hide private contacts in LDAP

Posted by Antonin AMAND Mon, 28 Aug 2006 14:47:00 GMT

Egroupware can store its address book contacts in an LDAP server, which makes the address book accessible from any mail client that supports LDAP.

The problem is that users can then see every contact, even private ones.

To prevent this, add the following to slapd.conf:

access to dn.sub="ou=contacts,dc=example,dc=com"
        filter="(&(objectClass=phpgwContact)(phpgwContactAccess=private))"
        by dn="cn=admin,dc=example,dc=com" write
        by * none

access to dn.sub="ou=contacts,dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
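        by * read

Remember to add these rules before the default rule below, because slapd applies only the first access directive that matches an entry:

access to *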
        by dn="cn=admin,dc=example,dc=com" write
        by * read
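
The ordering requirement above, as an added example that is not part of the original post: a simplified Python model of slapd's first-match ACL selection, showing that the private-contact rule only takes effect when it comes before "access to *". The sample entries, the bind DN uid=alice,ou=accounts,dc=example,dc=com and the value "public" are constructed for illustration.

```python
# Simplified model of slapd ACL selection (illustrative sketch, not slapd code).
# The first "access to" whose <what> matches the entry is used, then the first
# matching "by" clause inside it; later directives are never consulted.

ADMIN = "cn=admin,dc=example,dc=com"
CONTACTS = "ou=contacts,dc=example,dc=com"
LEVELS = {"none": 0, "read": 1, "write": 2}

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def is_private(entry):
    # Mirrors filter (&(objectClass=phpgwContact)(phpgwContactAccess=private))
    return ("phpgwContact" in entry["objectClass"]
            and entry.get("phpgwContactAccess") == "private")

# Each rule: (what-predicate, [(who, level), ...]); who "*" matches anyone.
PRIVATE = (lambda e: in_subtree(e["dn"], CONTACTS) and is_private(e),
           [(ADMIN, "write"), ("*", "none")])
SUBTREE = (lambda e: in_subtree(e["dn"], CONTACTS),
           [(ADMIN, "write"), ("*", "read")])
DEFAULT = (lambda e: True, [(ADMIN, "write"), ("*", "read")])

def access(rules, entry, who):
    for what, by_clauses in rules:
        if what(entry):
            for subject, level in by_clauses:
                if subject in ("*", who):
                    return level
            return "none"  # implicit "by * none" ends every directive
    return "none"  # no directive matched: denied by slapd's implicit last rule

def can_read(rules, entry, who):
    return LEVELS[access(rules, entry, who)] >= LEVELS["read"]

# Constructed sample entries and bind DN (assumptions, not from the post)
private = {"dn": "uid=1," + CONTACTS, "objectClass": ["phpgwContact"],
           "phpgwContactAccess": "private"}
public = {"dn": "uid=2," + CONTACTS, "objectClass": ["phpgwContact"],
          "phpgwContactAccess": "public"}
USER = "uid=alice,ou=accounts,dc=example,dc=com"

GOOD_ORDER = [PRIVATE, SUBTREE, DEFAULT]   # order given in the post
BAD_ORDER = [DEFAULT, PRIVATE, SUBTREE]    # "access to *" placed first

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, can_read(rules, private, USER), can_read(rules, public, USER))
```

On a real server, the same check can be made by binding as an ordinary user and searching ou=contacts for (phpgwContactAccess=private); the search should return no entries.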

pam_ldap : Impossible to connect with local account when ldap server is down

Posted by Antonin AMAND Mon, 28 Aug 2006 10:23:00 GMT

Versions (Debian packages):

  • libnss_ldap : 251-1
  • libpam-ldap : 180-1

When using LDAP authentication with pam_ldap, if the LDAP server fails, logging in may be impossible or very slow, even with a local account.

This happens when libnss-ldap is configured with the option:

bind_policy hard_open

To fix this, use:

bind_policy soft