Cyrus case issues
Gardiner Leverett
gdl at merit.edu
Wed Nov 13 09:35:05 EST 2002
To complete this thread...
I modified the lib/auth_unix.c file with the code below, added
a -DENABLE_EDUNET in the Makefile in the lib dir, did a
make clean, make, and make install, and now all of the IDs are
translated to lowercase, and Cyrus is happy. Thanks Voutsinas!
A possible addition for future versions of Cyrus: maybe add a config
option in the cyrus.conf file to allow this translation without
re-compiling.
Voutsinas Nikos wrote:
>
> mmmm .....
>
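/* Map of which characters are allowed by auth_canonifyid.
 * Key: 0 -> not allowed (special, ctrl, or would confuse Unix or imapd)
 *      1 -> allowed, but requires an alpha somewhere else in the string
 *      2 -> allowed, and is an alpha
 *      3 -> (ENABLE_EDUNET builds only) allowed, is an uppercase alpha,
 *           and auth_canonifyid folds it to lowercase
 *
 * At least one character must be an alpha.
 *
 * This may not be restrictive enough.
 * Here are the reasons for the restrictions:
 *
 * &        forbidden because of MUTF-7.  (This could be fixed.)
 * :        forbidden because it's special in /etc/passwd
 * /        forbidden because it can't be used in a mailbox name
 * * %      forbidden because they're IMAP magic in the LIST/LSUB commands
 * ?        it just scares me
 * ctrl chars, DEL
 *          can't send them as IMAP characters in plain folder names, I think
 * 80-FF    forbidden because you can't send them in IMAP anyway
 *          (and they're forbidden as folder names).  (This could be fixed.)
 *
 * + and - are *allowed* although '+' is probably used for userid+detail
 * subaddressing and qmail users use '-' for subaddressing.
 *
 * Identifiers don't require a digit, really, so that should probably be
 * relaxed, too.
 *
 * The two builds differ in more than case folding: the ENABLE_EDUNET
 * rows mark 0x20 (space) as 0, while the default rows mark it as 1.
 * NOTE(review): confirm that rejecting spaces is intended and not a
 * side effect of editing the row.
 *
 * The table is only read, so it is declared const; the identifier
 * policy then cannot be altered at run time through a stray write.
 */
static const char allowedchars[256] = {
 /* 0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 00-0F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 10-1F */
#ifdef ENABLE_EDUNET
    0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */

    1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, /* 40-4F */
    3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 1, /* 50-5F */
#else
    1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 20-2F */
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, /* 30-3F */

    1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 40-4F */
    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, /* 50-5F */
#endif
    1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, /* 60-6F */
    2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 0, /* 70-7F */

    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80-8F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90-9F */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* A0-AF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* B0-BF */

    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* C0-CF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* D0-DF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* E0-EF */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* F0-FF */
};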
>
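/*
 * Convert 'identifier' into canonical form.
 *
 * 'len' is the number of bytes of 'identifier' to use; 0 means
 * "use strlen(identifier)".
 *
 * Returns NULL if 'identifier' is NULL, is too long for the internal
 * buffer, contains a character marked 0 in allowedchars, or contains no
 * alpha.  Otherwise returns the canonical form: either the constant
 * string "anonymous" or "anyone", or a pointer to a static buffer.
 * The static buffer is overwritten by the next call, so the function is
 * not reentrant, and callers must not modify or free the result.
 *
 * XXX If any of the characters marked with 0 are valid and are cropping up,
 * the right thing to do is probably to canonicalize the identifier to two
 * representations: one for getpwent calls and one for folder names.  The
 * latter canonicalizes to a MUTF7 representation.
 */
char *auth_canonifyid(identifier, len)
const char *identifier;
size_t len;
{
    static char retbuf[81];
#ifndef ENABLE_EDUNET
    struct group *grp;
#endif
    char sawalpha;
    char *p;

    if (!identifier) return NULL;
    if (!len) len = strlen(identifier);
    if (len >= sizeof(retbuf)) return NULL;

    /* Work on a bounded, NUL-terminated copy from here on, so that a
     * caller-supplied 'len' shorter than the underlying string is
     * honoured by every comparison below and nothing reads past 'len'.
     */
    memcpy(retbuf, identifier, len);
    retbuf[len] = '\0';

    if (strcasecmp(retbuf, "anonymous") == 0) {
        return "anonymous";
    }
    if (strcasecmp(retbuf, "anybody") == 0 ||
        strcasecmp(retbuf, "anyone") == 0) {
        return "anyone";
    }

    /* This used to be far more restrictive, but many sites seem to ignore
     * the ye olde Unix conventions of username.  Specifically, we used to
     *  - drop case on the buffer
     *  - disallow lots of non-alpha characters ('-', '_', others)
     * The default build does neither of these, but imposes a very
     * different policy based on the character map above.  ENABLE_EDUNET
     * builds fold uppercase letters to lowercase again (see case 3 below).
     */

    if (!strncmp(retbuf, "group:", 6)) {
#ifndef ENABLE_EDUNET
        grp = getgrnam(retbuf+6);
        if (!grp) return NULL;
        /* The name reported by the group database replaces the one the
         * caller supplied; make sure it fits before copying it.
         */
        if (strlen(grp->gr_name) >= sizeof(retbuf) - 6) return NULL;
        strcpy(retbuf+6, grp->gr_name);
#endif
        /* NOTE(review): a "group:" identifier is returned without going
         * through the allowedchars check or case folding below.  In
         * ENABLE_EDUNET builds there is no getgrnam() lookup either, so
         * the text after "group:" is accepted as supplied.  Confirm that
         * callers only pass group identifiers from a trusted source.
         */
        return retbuf;
    }

    /* Walk the copy and look up each byte in the allowedchars array above.
     * If we see any we don't like, reject the string.
     */
    sawalpha = 0;
    for (p = retbuf; *p; p++) {
        switch (allowedchars[*(unsigned char*) p]) {
        case 0:
            return NULL;

        case 2:
            sawalpha = 1;
            /* FALL THROUGH */
#ifdef ENABLE_EDUNET
        case 3:
            /* Uppercase alpha: fold it, so that e.g. "FOOBAR" and
             * "foobar" canonicalize to the same identifier.  Reached
             * from case 2 as well, where tolower() leaves a lowercase
             * letter unchanged.
             */
            sawalpha = 1;
            *p = tolower((unsigned char) *p);
            /* FALL THROUGH */
#endif

        default:
            ;
        }
    }

    if (!sawalpha) return NULL;  /* has to be one alpha char */

    return retbuf;
}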
>
> Gardiner Leverett wrote:
> >
> > Gardiner Leverett wrote:
> >
> >
> >>The problem is this:
> >>On the new machine, a user mailbox is "foobar" for example.
> >>The user connects (through the client) as "FOOBAR". SASL
> >>authenticates the user fine, but the user can't see the INBOX
> >>or any other folders. If the user connects as "foobar", SASL
> >>authenticates correctly, and the user can see their mailbox.
> >
> >
> > One other note: if the user is using Outlook and they connect
> > as uppercase, Cyrus will CREATE a new mailbox for the uppercase
> > user. When I tried using Netscape, this did not happen. I don't
> > know if it's a config issue with Outlook, but either way, the mailbox
> > is created, and the user FOOBAR has access to the new mailbox
> > "FOOBAR" and not "foobar".
> >