Sponsoring a canon_user plugin for LDAP lookup

Howard Chu hyc at highlandsun.com
Fri Jan 12 18:39:58 EST 2007 

Torsten Schlabach wrote:
> As long as it serves the purpose. Just recall, please ...
>
> If you rewrite some at else.com to id000012 then you need to make sure 
> that Cyrus IMAPd sees id000012 as it is going to use that as the name 
> for the mailbox.
>
> I need to say ... I am *not* sure about the sequence in which auxprop 
> and canon_user are called. But isn't it that Cyrus IMAPd will take in 
> a username, run it through canon_user (in case there is any), then run 
> the rewritten username through auxprop to retrieve a password and 
> compare the one that the user inputted to that.
>
> So in pseudo-code this would be:
>
> username = what the user entered as username
> password = what the user entered as password
>
> username = canon_user(username)
>
> correct_password = auxprop(username)
>
> if correct_password == password
>
>   look for mailbox username
>
> endif
>
> If I was right with that assumption, than you could do anyting in an 
> auxprop plugin to find the proper password (what you can indeed do 
> today already using that authz rewrite rules) but you cannot change 
> the value of username in the auxprop plugin. Isn't this why there are 
> two different hooks, i.e. canon_user and auxprop?

Correct. (Yes, our emails crossed.)

The ldapdb_connect() function currently in ldapdb.c can serve both 
purposes, I just need to write a canon_user_server wrapper around it to 
do the right thing. The other refinement would be to save the LDAP 
connection handle that canon_user uses, so that auxprop doesn't need to 
open a new one.

And now just to doublecheck - you actually want just the simple name 
returned, not the full DN. Correct?
>
> On the other hand, as I said in my initial posting, I think the actual 
> canon_user plugin would be not too complicated as it would just have 
> to do a single lookup, i.e. use the given username in an LDAP url to 
> find an object and return another attribute of that object as the 
> canonicalized username. E.g. search for mailAlias=someone at else.com and 
> return the uid attribute of the matched object.
>
-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

More information about the Cyrus-sasl mailing list