Sponsoring a canon_user plugin for LDAP lookup
Howard Chu
hyc at highlandsun.com
Fri Jan 12 12:16:58 EST 2007
Torsten Schlabach wrote:
> Hi!
>
> We are in need of a canon_user plugin.
>
> The scope is quite simple:
>
> We use technical IDs for mailbox names in Cyrus IMAPd. Our mailboxes
> are called mb00001, mb00002, mb00003, ... You get the concept. In our
> MTA we have defined aliases for the actual email addresses that point
> to a mailbox, so each user can have multiple email addresses connected
> to a single mailbox, for example:
>
> info at domain.com -> mb000002
> john.doe at domain.de -> mb000002
> john.doe at another.de -> mb000002
> someone at else.net -> mb000816
>
> This is handled by the MTA (Exim) querying LDAP for objects like this one:
>
> dn: mailAlias=someone,ou=...
> dc: else.com
> mailAlias: someone
> objectClass: mailAlias
> objectClass: mailDomain
> objectClass: top
> mailAliasedName: mb000816
>
> We've also configured Cyrus IMAPd to query LDAP via the SASL layer
> where we store user objects, such as:
>
> dn: uid=mb000816,ou=.....
> uid: mb000816
> objectClass: account
> objectClass: simpleSecurityObject
> objectClass: top
> userPassword: xxxxxxx
>
> Now users would like to be able to use one of their email addresses to
> login, rather than having to remember their mbXXXXXX id.
>
> I understand that this is what a canon_user plugin would be suitable
> for, so it would just take the user's input of a username (in this
> case someone at else.com), do a lookup for a mailAlias object in LDAP
> which has dc={domain part of email address} and mailAlias={local part
> of email address} and return the mailAliasedName attribute, which is
> the Cyrus IMAPd mailbox id.
>
> From looking at a sample I would guess that this will be 100 lines of
> code or less. But we don't have any experienced C programmer and as
> this is meant for production use, I would appreciate this done by
> someone who knows what he is doing. And it would be great if this had a
> chance to become part of the codebase.
>
> So as nobody obviously felt the need for that before, we're thinking
> of paying someone to do it and donate the code. As I think this is a
> quite limited scope, we'd be hoping this could be done for a lower
> 3-digit USD figure?
>
> Anyone interested?
>
> Regards,
> Torsten
>
Not that I'm one to turn down easy money, but OpenLDAP slapd has a
canon_user plugin built in. If you add the mailAlias name to your
mailbox entries then you can use a simple authz-regexp to resolve this,
something like:
  # authz-regexp <regex matched against the SASL authcid DN> <DN or LDAP URI>;
  # slapd uses the entry only if the search returns exactly one result.
  # A line starting with whitespace continues the previous slapd.conf line.
  authz-regexp "uid=([^,]*),cn=DIGEST-MD5,cn=auth"
      "ldap:///<base DN>??sub?(mailalias=$1)"
If you don't modify your entries as suggested above, it's a little more
complicated, and you need to have configured OpenLDAP with
--enable-rewrite and manually enabled SLAP_AUTH_REWRITE. Then, since you
need to perform two LDAP lookups, you need additional rules:
  # Map "alias2dn": search for the argument filter and return mailAliasedName.
  authid-rewriteMap ldap alias2dn "ldap://<host>/<base DN>?mailAliasedName?sub?"
  # %1 is the uid captured by the regex (%0 would be the whole matched string);
  # the map's result is then looked up as a uid to get the mailbox entry.
  authid-rewriteRule "uid=([^,]*),cn=DIGEST-MD5,cn=auth"
      "ldap:///<base DN>??sub?(uid=%{alias2dn(mailalias=%1)})"
Note that because it requires two lookups, this will be a lot slower
than the first solution. It's usually a better idea to modify your data
to make the lookups more efficient, than to use extra lookups to make up
for poorly designed data.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
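The mapping discussed in this thread (email-style login -> mailAlias entry -> mailAliasedName -> Cyrus mailbox id), as an added Python example that is not code from the thread, from OpenLDAP or from Cyrus. It runs offline against a constructed in-memory directory; the `search` function is a toy stand-in for an LDAP search that only understands equality and `*` substring assertions, AND-ed with `(&...)`. The DN layout (`dc=` inside the alias DN, `o=example` as base) and the case-insensitive matching of `dc` and `mailAlias` are assumptions made for the example. Two points a practitioner would want from a real canon_user: the user-supplied local part and domain are RFC 4515-escaped before they go into a filter, and every lookup must return exactly one entry or the login fails, the same rule slapd applies to an authz-regexp search.

```python
"""Added example: a canon_user-style lookup against a constructed directory."""
import re


def _alias(name, domain, mailbox, ou="aliases"):
    # Constructed entry in the shape of the thread's mailAlias LDIF.
    return {"dn": "mailAlias=%s,dc=%s,ou=%s,o=example" % (name, domain, ou),
            "objectclass": ["mailAlias", "mailDomain", "top"],
            "dc": [domain], "mailalias": [name], "mailaliasedname": [mailbox]}


def _user(uid):
    # Constructed entry in the shape of the thread's user LDIF (no password).
    return {"dn": "uid=%s,ou=users,o=example" % uid,
            "objectclass": ["account", "simpleSecurityObject", "top"], "uid": [uid]}


# Attribute names are stored lower-cased: LDAP attribute types are case-insensitive.
DIRECTORY = [
    _alias("someone", "else.com", "mb000816"),
    _alias("postmaster", "else.com", "mb000816"),
    _alias("info", "domain.com", "mb000002"),
    _alias("dup", "dup.org", "mb000100"),           # ambiguous on purpose:
    _alias("dup", "dup.org", "mb000101", ou="old"),  # two entries, one address
    _user("mb000816"), _user("mb000002"), _user("mb000100"), _user("mb000101"),
]


def filter_escape(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _assertion_regex(value):
    # Unescaped '*' is a substring wildcard; everything else matches literally.
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_COMPONENT = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def search(filter_str, directory=DIRECTORY):
    """Toy LDAP search: '(attr=value)' or '(&(a=v)(b=w))'; returns matching entries."""
    inner = filter_str[2:-1] if filter_str.startswith("(&") else filter_str
    comps = _COMPONENT.findall(inner)
    if not comps or "".join("(%s=%s)" % c for c in comps) != inner:
        raise ValueError("unsupported filter: " + filter_str)
    return [e for e in directory
            if all(any(_assertion_regex(v).match(x) for x in e.get(a.lower(), []))
                   for a, v in comps)]


def _single(hits, what):
    # Fail closed: zero hits means unknown, more than one means ambiguous.
    if len(hits) != 1:
        raise LookupError("%s: expected exactly one entry, got %d" % (what, len(hits)))
    return hits[0]


def split_address(authcid):
    """Split 'local@domain'; reject anything that is not an email-style login."""
    local, sep, domain = authcid.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("login name is not an email address: %r" % authcid)
    return local, domain


def canon_user(authcid):
    """Map an email-style login to its Cyrus mailbox id, or raise."""
    local, domain = split_address(authcid)
    alias_filter = "(&(objectClass=mailAlias)(dc=%s)(mailAlias=%s))" % (
        filter_escape(domain), filter_escape(local))
    alias = _single(search(alias_filter), "alias lookup for " + authcid)
    mailbox = alias["mailaliasedname"][0]
    # Second lookup, as in the two-step rewrite: the mailbox entry itself must exist.
    user = _single(search("(uid=%s)" % filter_escape(mailbox)), "mailbox " + mailbox)
    return user["uid"][0]


if __name__ == "__main__":
    for login in ("someone@else.com", "Info@Domain.com", "dup@dup.org", "mb000816"):
        try:
            print(login, "->", canon_user(login))
        except (LookupError, ValueError) as exc:
            print(login, "-> refused:", exc)
```

Without `filter_escape`, a login of `*@else.com` would produce `(mailAlias=*)` and match every alias in that domain; with it the assertion becomes the literal `\2a` and matches nothing, and the exactly-one check refuses the login either way. The same check is what turns a duplicated alias entry into a refused login rather than a login to whichever mailbox the server happened to return first.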