Sponsoring a canon_user plugin for LDAP lookup

Fri Jan 12 15:21:17 EST 2007

Howard,

thank you very much for your suggestion.

I think I had tried something with authz-regexp, but are you really sure 
that Cyrus IMAPd will actually see the rewritten username afterwards? I 
was able to take this to the point where the apropriate LDAP object was 
found and used for authentication, but Cyrus IMAPd would have still been 
looking for a mailbox with the original name rather than the rewritten one.

Well ... will try, I don't remember having used

 > --enable-rewrite and manually enabled SLAP_AUTH_REWRITE.

so maybe this is going to do the trick.

Regards,
Torsten

Howard Chu schrieb:
> Torsten Schlabach wrote:
> 
>> Hi!
>>
>> We are in needed of a canon_user plugin.
>>
>> The scope is quite simple:
>>
>> We use technical IDs for mailbox names in Cyrus IMAPd. Our mailboxes 
>> are called mb00001, mb00002, mb00003, ... You get the concept. In our 
>> MTA we have defined aliases for the actual email addresses that point 
>> to a mailbox, so each user can have multiple email addresses connected 
>> to a single mailbox, for example:
>>
>> info at domain.com -> mb000002
>> john.doe at domain.de -> mb000002
>> john.doe at another.de -> mb000002
>> someome at else.net -> mb000816
>>
>> This is handles by the MTA (Exim) querying LDAP for object like this one:
>>
>> dn: mailAlias=someone,ou=...
>> dc: else.com
>> mailAlias: someone
>> objectClass: mailAlias
>> objectClass: mailDomain
>> objectClass: top
>> mailAliasedName: mb000816
>>
>> We've also configured Cyrus IMAPd to query LDAP via the SASL layer 
>> where we store user objects, such as:
>>
>> dn: uid=mb000816,ou=.....
>> uid: mb000816
>> objectClass: account
>> objectClass: simpleSecurityObject
>> objectClass: top
>> userPassword: xxxxxxx
>>
>> Now users would like to be able to use one of their email addresses to 
>> login, rather than having to remember their mbXXXXXX id.
>>
>> I understand that this is what a canon_user plugin would be suitable 
>> for, so it would just take the user's input of a username (in this 
>> case someone at else.com), do a lookup for a mailAlias object in LDAP 
>> which has dc={domain part of email address} and mailAlias={local part 
>> of email address} and return the mailAliasedName attribute, which id 
>> the Cyrus IMAPd mailbox id.
>>
>> From looking at a sample I would guess that this will be 100 lines of 
>> code or less. But we don't have any experienced C programmer and as 
>> this is meant for production use, I would appreciate this done by 
>> someone who knows that he doing. And it would be great if this had a 
>> chance to become part of the codebase.
>>
>> So as nobody obviously felt the need for that before, we're thinking 
>> of paying someone to do it and donate the code. As I think this is a 
>> quite limited scope, we'd be hoping this could be done for a lower 
>> 3-digit USD figure?
>>
>> Anyone intersted?
>>
>> Regards,
>> Torsten
>>
> Not that I'm one to turn down easy money, but OpenLDAP slapd has a 
> canon_user plugin built in. If you add the mailAlias name to your 
> mailbox entries then you can use a simple authz-regexp to resolve this, 
> something like:
> 
>    authz-regexp "uid=([^,]*),cn=DIGEST-MD5,cn=auth"   ldap:///<base 
> DN>??sub?(mailalias=$1)
> 
> If you don't modify your entries as suggested above, it's a little more 
> complicated, and you need to have configured OpenLDAP with 
> --enable-rewrite and manually enabled SLAP_AUTH_REWRITE. Then, since you 
> need to perform two LDAP lookups, you need additional rules:
> 
> authid-rewriteMap ldap alias2DN ldap://<host>/<base 
> DN>?mailAliasedName?sub?
> authid-rewriteRule "uid=([^,]*),cn=DIGEST-MD5,cn=auth"
>     "ldap:///<base DN>??sub?(uid=%{alias2dn(mailalias=%0)})"
> 
> Note that because it requires two lookups, this will be a lot slower 
> than the first solution. It's usually a better idea to modify your data 
> to make the lookups more efficient, than to use extra lookups to make up 
> for poorly designed data.
> 