Mapping a login(uid) to different mailbox
dwhite at olp.net
Wed Sep 7 17:30:26 EDT 2011
On 07/09/11 20:49 +0100, Jeroen van Meeuwen (Kolab Systems) wrote:
>Dan White wrote:
>> On 27/08/11 09:47 -0300, Lucas Zinato Carraro wrote:
>> > I have several users that will change their login (LDAP uid).
>> >How to map a login to another mailbox?
>> Use a sasl canonicalization plugin to (re)map an authentication identity.
>> The mapped identity returned by sasl will be used when opening the user's
>> There is an ldapdb canon_user plugin available in sasl CVS, and a sql
>> plugin available in bugzilla. Documentation can be found in
>> doc/options.html in the sasl source.
>I'm sorry to respond to this thread so late, ...
>I fail to recognize the RFC definition of SASL allowing the return of "OK:
><authorization ID>", but perhaps I'm completely looking in the wrong
>Could you elaborate on where SASL is allowed / providing said canonification?
>For Cyrus IMAP implementations I've done so far, I've needed a patch against
>the application(!, Cyrus IMAP in this case) to use a ptclient method/client
>library capable of handling the desired (LDAP) functionality.
libsasl2 provides a canonicalization "hook if your site has specific
requirements for how userids are presented to the applications."
Such a plugin might be used to present, for instance,
'uid=jsmith,dc=example,dc=net' as 'jsmith at example.net' to a calling
application which might happen to be using EXTERNAL authentication via
starttls (and using some field within the client certificate as the
OpenLDAP contains its own mapping logic via its sasl authz-regex
configuration to map variously unfriendly looking identities such as:
A libsasl2 canonicalization plugin, such as ldapdb, provides a way for a
system administrator to present usernames to an (ignorant) calling
application in whatever form is most appropriate. One scenario is to map
horrible looking authentication identities like 'jsmith00014235' to (for
the purpose of referencing a mailbox) 'jsmith', or vice versa.
An example usage case (/etc/imapd.conf):
sasl_ldapdb_uri: ldap://ldap.example.net ldap://ldap2.example.net
Where all users get normalized as the uid attribute (jsmith at example.net)
On the OpenLDAP side of things:
where btcAltUID is a (custom) multi-value attribute which can hold an unlimited
number of forms of the user identity:
uid=jsmith at example.net,ou=people,dc=example,dc=net
uid: jsmith at example.net
btcAltUID: jsmith at example.net
btcAltUID: jsmith at EXAMPLE.NET
btcAltUID: somealias at example.com
I've used this method with Cyrus POP3/IMAP and Postfix. I have not used
ptclient, so I don't know if this method could substitute for your patch.
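The two halves of the setup sketched above, written out as an added example; this is not configuration from the post, from Cyrus IMAP or from OpenLDAP. The sasl_ldapdb_* option names besides sasl_ldapdb_uri are the ldapdb plugin options documented in the doc/options.html the reply points to; the proxy bind identity, the password placeholder, the base DN, the btcAltUID attribute and the authz-regexp pattern are constructed for illustration and must be adapted to the local directory.

```conf
# --- /etc/imapd.conf (Cyrus IMAP): run every authenticated name through ldapdb ---
# Cyrus IMAP passes "sasl_*" options through to libsasl2 with the prefix stripped.
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net ldap://ldap2.example.net
sasl_ldapdb_id: cyrus-proxy            # hypothetical proxy identity that may authorize as users
sasl_ldapdb_pw: PLACEHOLDER-SECRET     # placeholder; keep the real value out of world-readable files
sasl_ldapdb_mech: DIGEST-MD5
sasl_ldapdb_starttls: demand           # refuse to talk to the directory in the clear
# After slapd resolves the user's entry, the value of this attribute becomes the
# canonical name the IMAP server sees, i.e. the mailbox it opens.
sasl_ldapdb_canon_attr: uid

# --- slapd.conf (OpenLDAP): collapse every alias onto one entry ---
# slapd presents a SASL identity as "uid=<name>,cn=<realm>,cn=<mech>,cn=auth"
# (the realm component is absent when none was given). The search below looks
# the name up in btcAltUID, the custom multi-valued attribute, so "jsmith",
# "jsmith@EXAMPLE.NET" and "somealias@example.com" all land on the same entry.
authz-policy to
authz-regexp
  "^uid=([^,]+),(cn=[^,]+,)?cn=[^,]+,cn=auth$"
  "ldap:///ou=people,dc=example,dc=net??sub?(btcAltUID=$1)"
# The entry bound as sasl_ldapdb_id additionally needs an authzTo value that
# permits proxy authorization to the user entries; without it slapd rejects
# the canonicalization bind and the user is refused rather than remapped.
```

Because the regexp is anchored and the filter is a plain equality match, an alias only maps to an entry when an administrator has explicitly added it as a btcAltUID value; an unmatched name yields no entry, and the ldapdb plugin fails the login instead of falling back to the raw authentication identity.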