next up previous contents index
Next: 8. Sympa with S/MIME and HTTPS Up: Sympa Mailing Lists Management Software Previous: 6. Sympa and its database   Contents   Index

7. Using Sympa with LDAP

LDAP is a client-server protocol for accessing a directory service. Sympa provides several features that rely on access to one or more LDAP directories; they are described in the following subsections.

7.1 Authentication via uid or alternate email

Sympa stores subscriber data in a database. Among these data are the password and the email address used during web authentication. The LDAP authentication module makes it possible to use Sympa on an intranet without duplicating the users' passwords.

Users can then authenticate interchangeably with their ldap_uid, their alternate_email or the canonic email stored in the LDAP directory (the most explicit form of the user's email, for example John.Carpenter@Host.com).

Sympa retrieves the canonic email from the LDAP directory using the ldap_uid or the alternate_email. Sympa first performs an anonymous bind to the directory to obtain the user's DN, then binds with that DN and the user's ldap_password to perform the actual authentication. This second bind succeeds only if the correct ldap_password is supplied: it is the value returned by bind(DN, ldap_password) that is tested.

Example: a person is described by

                 Dn: cn=Fabrice Rafart, ou=Siege, o=MaSociete, c=FR
                 Objectclass: person
                 Cn: Fabrice Rafart
                 Title: Network Responsible
                 O: Siege
                 Or: Data processing
                 Telephonenumber: 01-00-00-00-00
                 Facsimiletelephonenumber: 01-00-00-00-00
                 L: Paris
                 Country: France
                 uid: frafart
                 mail: Fabrice.Rafart@MaSociete.fr
                 alternate_email: frafart@MaSociete.fr
                 alternate: rafart@MaSociete.fr

So Fabrice Rafart can authenticate with any of: frafart, Fabrice.Rafart@MaSociete.fr, frafart@MaSociete.fr, Rafart@MaSociete.fr. After this operation, the address in the FROM field will be the canonic email, in this case Fabrice.Rafart@MaSociete.fr. This means that Sympa obtains this email and uses it for the whole session, until you explicitly ask Sympa to change your email address via one of two pages: which and pref.

7.1.1 auth.conf

The /etc/auth.conf configuration file contains numerous parameters which are read when Sympa starts. If you change this file, remember that you will need to restart Sympa afterwards.

The /etc/auth.conf file is organised in paragraphs. Each paragraph corresponds to the configuration of one LDAP directory.

The /etc/auth.conf file contains directives in the following format:

paragraphs
keyword value

paragraphs
keyword value

Comments start with the # character at the beginning of a line.

Empty lines are also treated as comments and are ignored at the beginning of the file. After the first paragraph they are treated as paragraph separators.

There should only be one directive per line, but their order in the file is of no importance.

Thanks to this type of configuration, Sympa is able to consult several directories, so users coming from different directories are authenticated with their own ldap_password. Sympa first tries to bind to the first directory with the given ldap_password; if that fails, it tries to bind to the second directory with the same ldap_password, and so on. This mechanism is useful in the case of homonyms (the same identifier held by different people in different directories).

Example:

#Configuration file auth.conf for the LDAP authentication
#Description of parameters for each directory

ldap
	host				ldap.univ-rennes1.fr:389
	timeout				30
	suffix				dc=univ-rennes1,dc=fr
	get_dn_by_uid_filter		(uid=[sender])
	get_dn_by_email			(|(mail=[sender])(mailalternateaddress=[sender]))
	email_attribute			mail
	alternative_email_attribute	mailalternateaddress,ur1mail
	scope				sub

ldap
	host				ldap.univ-nancy2.fr:392,ldap1.univ-nancy2.fr:392,ldap2.univ-nancy2.fr:392
	timeout				20
	suffix				dc=univ-nancy2,dc=fr
	get_dn_by_uid_filter		(uid=[sender])
	get_dn_by_email			(|(mail=[sender])(n2atraliasmail=[sender]))
	alternative_email_attribute	n2atrmaildrop
	email_attribute			mail
	scope				sub

7.2 Named Filters

At the moment Named Filters are only used in scenarii. They make it possible to select a category of people who will, or will not, be authorized to perform certain actions.

As a consequence, a scenario can grant privileges in a list to people belonging to an LDAP directory.

7.2.1 Definition

People are selected by an LDAP filter defined in a configuration file. This file must have the extension '.ldap' and is stored in ~sympa/etc/search_filters/.

Several pieces of information must be provided to create a Named Filter:

example.ldap: we want to select the professors of mathematics at the university of Rennes1 in France

	host		ldap.univ-rennes1.fr
	port		389
	suffix		dc=univ-rennes1.fr,dc=fr
	filter		(&(canonic_mail = [sender])(EmployeeType = prof)(subject = math))
	scope		sub

7.2.2 Search Condition

The search condition is used in scenarii, which are defined and described in 9.8.

The syntax of this rule is:

	search(example.ldap,[sender])      smtp,smime,md5    -> do_it

The variables used by 'search' are :

The method of authentication does not change.
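As an added example covering both the authentication flow of 7.1 (with the auth.conf format of 7.1.1) and the named-filter search condition of 7.2, here is a Python sketch that is not Sympa's own code (Sympa is written in Perl). It parses the paragraph format, substitutes [sender] into the filters, performs the anonymous search followed by the bind against each configured directory in turn, and evaluates search(file.ldap,[sender]). Everything named in it is an assumption for the sake of the demonstration: the hosts ldap.example.org and ldap2.example.org, the two entries and their passwords, the math-profs.ldap file (which matches on mail rather than the page's canonic_mail attribute), and the helpers parse_paragraphs, expand, FakeDirectory, DIRECTORIES, authenticate and search_condition. The LDAP server is an in-memory stand-in with a small filter evaluator (equality, & and |) so the code runs offline; against a real server the search and bind calls would go through an LDAP client library. Two points go beyond what the page states and are labelled as added practice in the comments: the [sender] value is escaped per RFC 4515 before it is spliced into a filter, and an empty password is rejected before any bind is attempted, because an LDAP simple bind with an empty password is an unauthenticated bind, not a failed one.

```python
# Added example, not Sympa's code: hosts, entries, passwords and files are constructed.
import re

AUTH_CONF = """\
# constructed auth.conf: two directories, consulted in this order
ldap
    host                   ldap.example.org:389
    get_dn_by_uid_filter   (uid=[sender])
    get_dn_by_email        (|(mail=[sender])(mailalternateaddress=[sender]))
    email_attribute        mail

ldap
    host                   ldap2.example.org:389,ldap2b.example.org:389
    get_dn_by_uid_filter   (uid=[sender])
    get_dn_by_email        (mail=[sender])
    email_attribute        mail
"""
MATH_PROFS_LDAP = """\
    host      ldap.example.org
    filter    (&(mail = [sender])(EmployeeType = prof)(subject = math))
"""

def parse_paragraphs(text):
    """'#' lines are comments, an unindented word such as 'ldap' opens a paragraph, a blank
    line ends it, indented lines are 'keyword value'; a *.ldap file has no opening keyword."""
    paragraphs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif line.startswith("#"):
            pass
        elif not raw[0].isspace():
            current = {"type": line}
            paragraphs.append(current)
        else:
            if current is None:
                current = {"type": "filter"}
                paragraphs.append(current)
            key, value = (line.split(None, 1) + [""])[:2]
            current[key] = value
    return paragraphs

def expand(template, sender):
    """Substitute [sender] with RFC 4515 escaping, so a value like '*)(uid=*' stays
    data (added good practice; the page does not say how Sympa substitutes)."""
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in sender)
    return template.replace("[sender]", escaped)
def _parse_filter(s, i=0):
    """Parse '(attr=value)', '(&...)' or '(|...)' at s[i]; return (node, next_i)."""
    i += 1                                      # past the '('
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                # past the closing ')'
    j = s.index(")", i)                         # an escaped value holds no raw ')'
    attr, _, value = s[i:j].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value.strip())
    return ("=", attr.strip().lower(), value), j + 1
def _matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_matches(k, attrs) for k in node[1])
    return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))

class FakeDirectory:
    """One server as {dn: (attributes, password)}, attribute names lower-cased."""
    def __init__(self, entries):
        self.entries = entries
    def search(self, filter_str):               # step 1: anonymous search
        node, _ = _parse_filter(filter_str)
        return [(dn, a) for dn, (a, _) in self.entries.items() if _matches(node, a)]
    def bind(self, dn, password):               # step 2: bind as the found DN
        if password == "":                      # models servers that accept an empty
            return True                         # password as an unauthenticated bind
        return dn in self.entries and self.entries[dn][1] == password

DIRECTORIES = {                                 # constructed host -> server map
    "ldap.example.org": FakeDirectory({"cn=Fabrice Rafart,ou=Siege,o=MaSociete,c=FR": ({
        "uid": ["frafart"], "mail": ["Fabrice.Rafart@MaSociete.fr"], "subject": ["math"],
        "mailalternateaddress": ["frafart@MaSociete.fr"], "employeetype": ["prof"]}, "demo-pw-1")}),
    "ldap2.example.org": FakeDirectory({"uid=frafart,ou=people,dc=example2,dc=org": ({
        "uid": ["frafart"], "mail": ["f.rafart@example2.org"]}, "demo-pw-2")}),  # homonym
}
def _server(para):                              # first host of the list, port dropped
    return DIRECTORIES[para["host"].split(",")[0].split(":")[0]]

def authenticate(paragraphs, sender, password):
    """7.1: anonymous search for the DN, then bind as it; on failure try the next directory."""
    if password == "":                          # added check: never forward an empty password
        return None
    for para in (p for p in paragraphs if p["type"] == "ldap"):
        key = "get_dn_by_email" if "@" in sender else "get_dn_by_uid_filter"
        hits = _server(para).search(expand(para[key], sender))
        if len(hits) == 1 and _server(para).bind(hits[0][0], password):
            return hits[0][1][para["email_attribute"].lower()][0]
    return None

def search_condition(filter_para, sender):
    """7.2.2: search(file.ldap,[sender]) holds when the sender matches the filter."""
    return bool(_server(filter_para).search(expand(filter_para["filter"], sender)))
```

With the constructed data, authenticate(parse_paragraphs(AUTH_CONF), "frafart", "demo-pw-1") returns Fabrice.Rafart@MaSociete.fr, while the same uid with "demo-pw-2" fails the bind on the first directory and is authenticated by the second, which is the homonym case the page describes; a sender of "*)(uid=*" is escaped into a literal value and matches nothing.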


root 2001-11-16