Re: [phpGroupWare-users] phpGW for Unix users managed by LDAP


From: Dave Hall
Subject: Re: [phpGroupWare-users] phpGW for Unix users managed by LDAP
Date: Thu, 26 Oct 2006 11:38:48 +1000

Hi Emanuel,

On Wed, 2006-10-25 at 11:13 -0700, Emanuel Ziegler wrote:
> 
> Hi,
> 
> I'm running a Debian (sarge) web server with Apache2 for our
> institute. The installation of phpGroupWare was simple, but the
> configuration does not seem to fit perfectly. I got the following
> problems:
> 
> 1) eMail: The eMail-server is a Courier IMAP server that stores its
> mails via Postfix in ~/Maildir. Direct access to the maildir does not
> seem to be supported, but the IMAP needs a password although it is the
> same as the user password. This forces the users to enter it by
> themselves and it does not run out of the box for them.
> 

What is the format of the email login and phpgw logins?  As this varies
the solution of your problem also varies :)

> 2) Password changes: Users are forced to change their password after
> first login. This is uncomfortable and should be deactivated (since
> it is their login password).
> 

I am currently working on a patch for this.  It will not be supported
functionality, but it will work :)  Watch this list for more info.

> 3) LDAP: I managed to allow logins by LDAP and store additional
> information in a MySQL database. However, I needed to enter the LDAP
> admin password although I don't want phpGroupWare to change any entry,
> don't want unencrypted connections to the server transmitting this
> password. The information needed (users, groups, password
> authentication) is accessible without admin rights, so why the need
> for the password?
> 

This is caused by the ldap accounts and ldap authentication classes not
being separated enough.  You can force phpgw to use ldaps if your server
is properly configured; just use ldaps://ldap.domain.com/ for the ldap
hostname.  This used to work.

As for the admin account, simply use another account which doesn't have
admin rights - even if you create a dummy account, and I _think_ it will
work.

> 4) UID, GID, Groups: Currently only authentication is done via LDAP.
> As soon as a user logs in, an account on MySQL is created with a new
> numeric UID, independent group management and home directories. I want,
> however, phpGroupAdmin to use the information stored in the
> posixAccount and posixGroup classes of the LDAP. In principle this
> information is available via PAM as well.
> 

This is not currently supported functionality.  It is something we can
look at implementing, but it won't happen quickly or for the 0.9.16
branch.  If it is done, we would implement it in 0.9.18 due out later
this year.

> 5) Filemanager: I'd like to allow the users access to their home
> directories instead of creating new home directories without content.

This is not really possible for security reasons.  The file manager
directories would need to be readable by the apache user.  This would
mean that any security flaw in phpgw, php or apache could potentially
compromise all users' home directories as all home directories would
need to be owned by the group which apache runs as.  Alternatively you
could make the users' home directories world readable, but I don't think
I need to explain the problems with this.

> Apart from that the home directory seems to be set to /home/$user
> which is very inconvenient, since the home directories are
> automounted to /home in the format /home/$server/$number/$user.
> 

I think there is some confusion with how the phpgw virtual file system
works and how you think it should work.  It isn't designed to give users
access to their unix file system home directory.  That is why it isn't
as flexible as you seem to expect it to be.

You might be able to symlink a directory from the user's home directory
to the phpgw vfs to allow the functionality you would like.  Maybe call
it webfolder or something.

Cheers

Dave
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e address@hidden
w phpgroupware.org
j address@hidden
sip address@hidden
       _            ____                    __        __             
 _ __ | |__  _ __  / ___|_ __ ___  _   _ _ _\ \      / /_ _ _ __ ___ 
| '_ \| '_ \| '_ \| |  _| '__/ _ \| | | | '_ \ \ /\ / / _` | '__/ _ \
| |_) | | | | |_) | |_| | | | (_) | |_| | |_) \ V  V / (_| | | |  __/
| .__/|_| |_| .__/ \____|_|  \___/ \__,_| .__/ \_/\_/ \__,_|_|  \___|
|_|         |_|                         |_|Web based collaboration platform
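
Added example, not part of the original message or of phpGroupWare: a mode-bit audit for the file manager point in the reply above, listing which home directories a web server identity could list or traverse. The uid/gid arguments, function names and the sample tree are assumptions constructed for illustration; POSIX ACLs are not considered.

```python
import os
import stat
import tempfile


def access_class(st, web_uid, web_gids):
    """Pick the permission triplet the kernel applies to the web server identity."""
    if st.st_uid == web_uid:
        return "owner", stat.S_IRUSR, stat.S_IXUSR
    if st.st_gid in web_gids:
        return "group", stat.S_IRGRP, stat.S_IXGRP
    return "other", stat.S_IROTH, stat.S_IXOTH


def audit_homes(base, web_uid, web_gids):
    """Return (name, class, mode, can_list, can_traverse) for each exposed home.

    Classic mode bits only: ACLs and parent-directory permissions are not checked.
    """
    findings = []
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        cls, rbit, xbit = access_class(st, web_uid, web_gids)
        can_list, can_traverse = bool(st.st_mode & rbit), bool(st.st_mode & xbit)
        if can_list or can_traverse:
            mode = oct(stat.S_IMODE(st.st_mode))
            findings.append((entry.name, cls, mode, can_list, can_traverse))
    return findings


def demo():
    """Constructed sample tree: three homes with different modes."""
    with tempfile.TemporaryDirectory(prefix="homes-") as base:
        for name, mode in (("alice", 0o700), ("bob", 0o750), ("carol", 0o755)):
            path = os.path.join(base, name)
            os.mkdir(path)
            os.chmod(path, mode)
        web_uid = os.getuid() + 1  # hypothetical web server uid, not the owner
        home_gid = os.stat(os.path.join(base, "bob")).st_gid
        in_group = audit_homes(base, web_uid, {home_gid})  # web server in homes' group
        not_in_group = audit_homes(base, web_uid, set())   # only "other" bits apply
        return in_group, not_in_group


if __name__ == "__main__":
    for label, rows in zip(("web server in group", "web server not in group"), demo()):
        print(label, rows)
```

On a real host, pass the web server account's uid and its full group id set together with the directory that holds the home directories.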
