Sponsoring a canon_user plugin for LDAP lookup

Howard Chu hyc at highlandsun.com
Fri Jan 12 12:16:58 EST 2007 

Torsten Schlabach wrote:
> Hi!
>
> We are in needed of a canon_user plugin.
>
> The scope is quite simple:
>
> We use technical IDs for mailbox names in Cyrus IMAPd. Our mailboxes 
> are called mb00001, mb00002, mb00003, ... You get the concept. In our 
> MTA we have defined aliases for the actual email addresses that point 
> to a mailbox, so each user can have multiple email addresses connected 
> to a single mailbox, for example:
>
> info at domain.com -> mb000002
> john.doe at domain.de -> mb000002
> john.doe at another.de -> mb000002
> someome at else.net -> mb000816
>
> This is handles by the MTA (Exim) querying LDAP for object like this one:
>
> dn: mailAlias=someone,ou=...
> dc: else.com
> mailAlias: someone
> objectClass: mailAlias
> objectClass: mailDomain
> objectClass: top
> mailAliasedName: mb000816
>
> We've also configured Cyrus IMAPd to query LDAP via the SASL layer 
> where we store user objects, such as:
>
> dn: uid=mb000816,ou=.....
> uid: mb000816
> objectClass: account
> objectClass: simpleSecurityObject
> objectClass: top
> userPassword: xxxxxxx
>
> Now users would like to be able to use one of their email addresses to 
> login, rather than having to remember their mbXXXXXX id.
>
> I understand that this is what a canon_user plugin would be suitable 
> for, so it would just take the user's input of a username (in this 
> case someone at else.com), do a lookup for a mailAlias object in LDAP 
> which has dc={domain part of email address} and mailAlias={local part 
> of email address} and return the mailAliasedName attribute, which id 
> the Cyrus IMAPd mailbox id.
>
> From looking at a sample I would guess that this will be 100 lines of 
> code or less. But we don't have any experienced C programmer and as 
> this is meant for production use, I would appreciate this done by 
> someone who knows that he doing. And it would be great if this had a 
> chance to become part of the codebase.
>
> So as nobody obviously felt the need for that before, we're thinking 
> of paying someone to do it and donate the code. As I think this is a 
> quite limited scope, we'd be hoping this could be done for a lower 
> 3-digit USD figure?
>
> Anyone intersted?
>
> Regards,
> Torsten
>
Not that I'm one to turn down easy money, but OpenLDAP slapd has a 
canon_user plugin built in. If you add the mailAlias name to your 
mailbox entries then you can use a simple authz-regexp to resolve this, 
something like:

    authz-regexp "uid=([^,]*),cn=DIGEST-MD5,cn=auth"   ldap:///<base 
DN>??sub?(mailalias=$1)

If you don't modify your entries as suggested above, it's a little more 
complicated, and you need to have configured OpenLDAP with 
--enable-rewrite and manually enabled SLAP_AUTH_REWRITE. Then, since you 
need to perform two LDAP lookups, you need additional rules:

authid-rewriteMap ldap alias2DN ldap://<host>/<base DN>?mailAliasedName?sub?
authid-rewriteRule "uid=([^,]*),cn=DIGEST-MD5,cn=auth"
     "ldap:///<base DN>??sub?(uid=%{alias2dn(mailalias=%0)})"

Note that because it requires two lookups, this will be a lot slower 
than the first solution. It's usually a better idea to modify your data 
to make the lookups more efficient, than to use extra lookups to make up 
for poorly designed data.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

More information about the Cyrus-sasl mailing list