Thursday, October 22, 2009

UMich LDAP for Thunderbird

At the University of Michigan, setting up Thunderbird to query the university's LDAP directory has always been a mystery. The basic directory server settings for Thunderbird are easy enough to get right:

Hostname: ldap.itd.umich.edu
Base DN: dc=umich,dc=edu

But for some reason, Thunderbird would still refuse to work. I've started looking a bit more closely at OpenLDAP lately, and I've now finally figured out how to get it partially working. First, some background...

To find someone in an LDAP directory, a client constructs a query that tells the directory what entry to look for. For those not steeped in LDAP, a query looks something like "(cn=Benjamin*)" to search for records showing a common name that starts with 'Benjamin'. Other attributes you could search for are given name, surname, or mail address, to name a few.

The default query for Thunderbird, when you type someone's name into the Address Book search box, looks something like: "(|(mail=*benjamin*)(cn=*benjamin*)(givenName=*benjamin*)(sn=*benjamin*))". Anything that has "benjamin" as a substring in any of those four attributes will match. That's a pretty wide net to cast.

And our administrators don't allow it. Querying on the "mail" attribute when there is a "*" in the parameter, or on "givenName" for any parameter at all, will result in an "Administrative limit exceeded" error. So when you OR all those together, of course the server rejects the whole filter.

The solution is to have Thunderbird change how it constructs its queries. I haven't found out how to do this for the search box, but it is possible to get address auto-completion working. According to an ancient email, you can do this by adding the following line to Thunderbird's "prefs.js" file:

user_pref("ldap_2.servers.UMich.autoComplete.filterTemplate",
          "(|(cn=*%v*)(mail=%v)(uid=%v))");

Then enable auto-complete via LDAP in the Preferences | Composition | Addressing dialog. You should change "UMich" to reflect whatever Thunderbird has internally named your LDAP server profile (look through prefs.js to figure that out). This directs Thunderbird to search for substrings of common names and exact matches for your mail address or uniqname. The latter two parts are of limited use, but the first seems to return good results. You still hit an admin limit if your search is too generic though (e.g. "ben").
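To make the filter-template mechanics concrete, here is a small Python script I wrote for this post; it is not Thunderbird's code and was not in the original post. It builds a filter from a %v template the way the post describes, checks the result against the two server rules the post states (no givenName assertions, no "*" wildcard in a mail assertion), and emits the matching prefs.js line. One thing the post does not cover, added here as an assumption about good practice: the typed value is escaped per RFC 4515 before substitution, so a "*" or ")" typed by the user cannot widen the query or break the filter structure. The profile name "UMich" and the sample search value "benjamin" are just the post's own examples.

```python
import json
import re

# The two templates discussed in the post, reconstructed from its text.
DEFAULT_TEMPLATE = "(|(mail=*%v*)(cn=*%v*)(givenName=*%v*)(sn=*%v*))"
UMICH_TEMPLATE = "(|(cn=*%v*)(mail=%v)(uid=%v))"

# RFC 4515 escapes for characters that carry meaning inside a filter value.
# (Escaping is an addition here; the post does not discuss it.)
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-typed value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute the (escaped) search value for every %v in the template,
    as Thunderbird does for its autoComplete.filterTemplate preference."""
    return template.replace("%v", escape_filter_value(value))


# One equality/substring assertion: (attribute=value), no nested parens.
_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")


def server_rejects(filter_str: str) -> list[str]:
    """Return the reasons ldap.itd.umich.edu would reject this filter,
    applying only the two rules the post states. An empty list means the
    filter should be accepted (a too-generic value like "ben" can still hit
    the administrative limit server-side, which this check cannot predict)."""
    reasons = []
    for attr, val in _ASSERTION.findall(filter_str):
        if attr.lower() == "givenname":
            reasons.append(f"givenName assertion not allowed: ({attr}={val})")
        elif attr.lower() == "mail" and "*" in val:
            reasons.append(f"wildcard in mail assertion not allowed: ({attr}={val})")
    return reasons


def prefs_line(profile: str, template: str) -> str:
    """Render the prefs.js line for a given Thunderbird LDAP profile name."""
    key = f"ldap_2.servers.{profile}.autoComplete.filterTemplate"
    return f"user_pref({json.dumps(key)}, {json.dumps(template)});"


if __name__ == "__main__":
    for name, template in (("default", DEFAULT_TEMPLATE), ("umich", UMICH_TEMPLATE)):
        f = build_filter(template, "benjamin")
        print(name, f, server_rejects(f) or "accepted")
    # A typed wildcard is escaped, so it does not widen the query.
    print(build_filter(UMICH_TEMPLATE, "ben*"))
    print(prefs_line("UMich", UMICH_TEMPLATE))
```

Running it shows the default template failing both of the server's rules while the post's template passes, and that typing "ben*" yields "(mail=ben\2a)" rather than a wildcard match. The prefs.js line it prints is the same one the post gives, so you can paste it after substituting your own profile name.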

I bet there's a similar hidden preference setting to adjust the main search box, but I doubt I'll find it unless I start reading through more XPCOM code than I care to do.

Sunday, October 4, 2009

Nothing is New

I have read of a gentleman who owned a so fine house in London, and when he went for months of summer to Switzerland and lock up his house, some burglar come and broke window at back and got in. Then he went and made open the shutters in front and walk out and in through the door, before the very eyes of the police. Then he have an auction in that house, and advertise it, and put up big notice. And when the day come he sell off by a great auctioneer all the goods of that other man who own them. Then he go to a builder, and he sell him that house, making an agreement that he pull it down and take all away within a certain time. And your police and other authority help him all they can. And when that owner come back from his holiday in Switzerland he find only an empty hole where his house had been.

I found this passage in Bram Stoker's Dracula, published in 1897. It reminded me of a scam I first heard of being used on Craigslist. Someone looking to rent a room in another town finds a nice place online, sends in a deposit, and then shows up to find that the owner of the house knows nothing about a room for rent. The poster, who is not the owner of the house, gets away with whatever deposit was paid. It looks like pretending to own some property and selling it off is not by any measure a new fraud!