Sponsoring a canon_user plugin for LDAP lookup
Torsten Schlabach
tschlabach at gmx.net
Fri Jan 12 15:21:17 EST 2007
Howard,
thank you very much for your suggestion.
I think I had tried something with authz-regexp, but are you really sure
that Cyrus IMAPd will actually see the rewritten username afterwards? I
was able to take this to the point where the appropriate LDAP object was
found and used for authentication, but Cyrus IMAPd would have still been
looking for a mailbox with the original name rather than the rewritten one.
Well ... will try, I don't remember having used
> --enable-rewrite and manually enabled SLAP_AUTH_REWRITE.
so maybe this is going to do the trick.
Regards,
Torsten
Howard Chu schrieb:
> Torsten Schlabach wrote:
>
>> Hi!
>>
>> We are in need of a canon_user plugin.
>>
>> The scope is quite simple:
>>
>> We use technical IDs for mailbox names in Cyrus IMAPd. Our mailboxes
>> are called mb00001, mb00002, mb00003, ... You get the concept. In our
>> MTA we have defined aliases for the actual email addresses that point
>> to a mailbox, so each user can have multiple email addresses connected
>> to a single mailbox, for example:
>>
>> info at domain.com -> mb000002
>> john.doe at domain.de -> mb000002
>> john.doe at another.de -> mb000002
>> someone at else.net -> mb000816
>>
>> This is handled by the MTA (Exim) querying LDAP for an object like this one:
>>
>> dn: mailAlias=someone,ou=...
>> dc: else.com
>> mailAlias: someone
>> objectClass: mailAlias
>> objectClass: mailDomain
>> objectClass: top
>> mailAliasedName: mb000816
>>
>> We've also configured Cyrus IMAPd to query LDAP via the SASL layer
>> where we store user objects, such as:
>>
>> dn: uid=mb000816,ou=.....
>> uid: mb000816
>> objectClass: account
>> objectClass: simpleSecurityObject
>> objectClass: top
>> userPassword: xxxxxxx
>>
>> Now users would like to be able to use one of their email addresses to
>> login, rather than having to remember their mbXXXXXX id.
>>
>> I understand that this is what a canon_user plugin would be suitable
>> for, so it would just take the user's input of a username (in this
>> case someone at else.com), do a lookup for a mailAlias object in LDAP
>> which has dc={domain part of email address} and mailAlias={local part
>> of email address} and return the mailAliasedName attribute, which is
>> the Cyrus IMAPd mailbox id.
>>
>> From looking at a sample I would guess that this will be 100 lines of
>> code or less. But we don't have any experienced C programmer and as
>> this is meant for production use, I would appreciate this done by
>> someone who knows what he is doing. And it would be great if this had a
>> chance to become part of the codebase.
>>
>> So as nobody obviously felt the need for that before, we're thinking
>> of paying someone to do it and donate the code. As I think this is a
>> quite limited scope, we'd be hoping this could be done for a lower
>> 3-digit USD figure?
>>
>> Anyone interested?
>>
>> Regards,
>> Torsten
>>
> Not that I'm one to turn down easy money, but OpenLDAP slapd has a
> canon_user plugin built in. If you add the mailAlias name to your
> mailbox entries then you can use a simple authz-regexp to resolve this,
> something like:
>
> authz-regexp "uid=([^,]*),cn=DIGEST-MD5,cn=auth" ldap:///<base
> DN>??sub?(mailalias=$1)
>
> If you don't modify your entries as suggested above, it's a little more
> complicated, and you need to have configured OpenLDAP with
> --enable-rewrite and manually enabled SLAP_AUTH_REWRITE. Then, since you
> need to perform two LDAP lookups, you need additional rules:
>
> authid-rewriteMap ldap alias2DN ldap://<host>/<base
> DN>?mailAliasedName?sub?
> authid-rewriteRule "uid=([^,]*),cn=DIGEST-MD5,cn=auth"
> "ldap:///<base DN>??sub?(uid=%{alias2dn(mailalias=%0)})"
>
> Note that because it requires two lookups, this will be a lot slower
> than the first solution. It's usually a better idea to modify your data
> to make the lookups more efficient, than to use extra lookups to make up
> for poorly designed data.
>
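The two mappings Howard describes, run against a small in-memory copy of the thread's directory objects. This is an added illustration, not code from the thread or from OpenLDAP: the entries, the `o=example` base and the helper names are constructed, and the two-lookup path builds its alias filter from local part and dc separately, as Torsten's plugin description specifies.

```python
import re

# Constructed directory mirroring the thread's two object kinds (not real data).
DIRECTORY = [
    {"dn": "mailAlias=someone,dc=else.com,ou=aliases,o=example",
     "dc": "else.com", "mailAlias": "someone", "mailAliasedName": "mb000816"},
    {"dn": "uid=mb000816,ou=users,o=example", "uid": "mb000816"},
    # Mailbox entry carrying its aliases directly: the data change Howard suggests.
    {"dn": "uid=mb000002,ou=users,o=example", "uid": "mb000002",
     "mailAlias": ["info@domain.com", "john.doe@domain.de"]},
]

# The authentication DN slapd builds for a DIGEST-MD5 login, matched by the authz-regexp.
SASL_DN = re.compile(r"uid=([^,]*),cn=DIGEST-MD5,cn=auth")

def search(attr, value):
    """Subtree equality search; names and values compare case-insensitively as in LDAP."""
    hits = []
    for entry in DIRECTORY:
        vals = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
        vals = vals if isinstance(vals, list) else [vals]
        if value.lower() in (v.lower() for v in vals):
            hits.append(entry)
    return hits

def sasl_authcid(login):
    """Return the $1 capture from the authentication DN, or None if it does not match."""
    m = SASL_DN.match(f"uid={login},cn=DIGEST-MD5,cn=auth")
    return m.group(1) if m else None

def one_lookup(login):
    """Howard's first rule, ldap:///<base>??sub?(mailalias=$1): needs the alias on the uid entry."""
    alias = sasl_authcid(login)
    hits = [e for e in search("mailAlias", alias) if "uid" in e] if alias else []
    return hits[0]["uid"] if len(hits) == 1 else None  # mapping must be unambiguous

def two_lookups(login):
    """Howard's rewrite variant on unmodified data: alias entry first, then the uid entry."""
    alias = sasl_authcid(login)
    if not alias or "@" not in alias:
        return None
    # The alias object stores local part and domain separately (mailAlias / dc).
    local, domain = alias.split("@", 1)
    aliases = [e for e in search("mailAlias", local) if e.get("dc", "").lower() == domain.lower()]
    if len(aliases) != 1:
        return None
    boxes = search("uid", aliases[0]["mailAliasedName"])
    return boxes[0]["uid"] if len(boxes) == 1 else None
```

Running both functions on "someone@else.com" shows the point of Howard's last paragraph: the single-lookup rule finds nothing until the alias is copied onto the mailbox entry, while the two-lookup path resolves it at the cost of a second search.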