Sponsoring a canon_user plugin for LDAP lookup
Howard Chu
hyc at highlandsun.com
Fri Jan 12 18:39:58 EST 2007
Torsten Schlabach wrote:
> As long as it serves the purpose. Just recall, please ...
>
> If you rewrite some@else.com to id000012 then you need to make sure
> that Cyrus IMAPd sees id000012 as it is going to use that as the name
> for the mailbox.
>
> I need to say ... I am *not* sure about the sequence in which auxprop
> and canon_user are called. But isn't it that Cyrus IMAPd will take in
> a username, run it through canon_user (in case there is any), then run
> the rewritten username through auxprop to retrieve a password and
> compare the one that the user inputted to that.
>
> So in pseudo-code this would be:
>
> username = what the user entered as username
> password = what the user entered as password
>
> username = canon_user(username)
>
> correct_password = auxprop(username)
>
> if correct_password == password
>
> look for mailbox username
>
> endif
>
> If I was right with that assumption, then you could do anything in an
> auxprop plugin to find the proper password (what you can indeed do
> today already using that authz rewrite rules) but you cannot change
> the value of username in the auxprop plugin. Isn't this why there are
> two different hooks, i.e. canon_user and auxprop?
Correct. (Yes, our emails crossed.)
The ldapdb_connect() function currently in ldapdb.c can serve both
purposes, I just need to write a canon_user_server wrapper around it to
do the right thing. The other refinement would be to save the LDAP
connection handle that canon_user uses, so that auxprop doesn't need to
open a new one.
And now just to double-check - you actually want just the simple name
returned, not the full DN. Correct?
>
> On the other hand, as I said in my initial posting, I think the actual
> canon_user plugin would be not too complicated as it would just have
> to do a single lookup, i.e. use the given username in an LDAP url to
> find an object and return another attribute of that object as the
> canonicalized username. E.g. search for mailAlias=someone@else.com and
> return the uid attribute of the matched object.
>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
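The call sequence Torsten sketches (canon_user first, then auxprop on the rewritten name, then the password compare) as a runnable model. This is an added example, not code from ldapdb.c or from the Cyrus SASL project: the LDAP server is replaced by a constructed in-memory list of entries and a tiny filter matcher that only understands `(attr=value)` with `*` wildcards, and the entry names, attribute values and passwords are made up. The one detail worth seeing in code is that the user-supplied name must be escaped per RFC 4515 before it is pasted into the search filter, otherwise a name like `*` turns a single-alias lookup into a match on every entry.

```python
"""Model of the canon_user -> auxprop -> compare sequence discussed above.

Constructed example: DIRECTORY stands in for the LDAP server and
ldap_search() for a real search; neither is the ldapdb plugin's code.
"""
import hmac
import re
from typing import List, Optional

# Constructed stand-in for the LDAP directory (hypothetical entries).
DIRECTORY = [
    {"dn": "uid=id000012,ou=people,dc=example,dc=com",
     "uid": "id000012",
     "mailAlias": ["someone@else.com", "alias2@else.com"],
     "userPassword": "s3cret"},
    {"dn": "uid=id000013,ou=people,dc=example,dc=com",
     "uid": "id000013",
     "mailAlias": ["other@else.com"],
     "userPassword": "hunter2"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    '*', '(', ')', '\\' and NUL become '\\xx' hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def _assertion_to_regex(pattern: str) -> "re.Pattern":
    """Turn an LDAP assertion value into a regex: an unescaped '*' is a
    wildcard, a '\\xx' escape is the literal character it encodes."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def ldap_search(filter_str: str) -> List[dict]:
    """Minimal search: supports only a single '(attr=value)' filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, rx = m.group(1), _assertion_to_regex(m.group(2))
    hits = []
    for entry in DIRECTORY:
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if any(rx.match(v) for v in values):
            hits.append(entry)
    return hits


def canon_user(username: str) -> Optional[str]:
    """canon_user step: alias -> uid (the name Cyrus uses for the mailbox).
    Exactly one match is required; zero or several means no rewrite."""
    hits = ldap_search("(mailAlias=%s)" % escape_filter_value(username))
    return hits[0]["uid"] if len(hits) == 1 else None


def auxprop(canonical: str) -> Optional[str]:
    """auxprop step: fetch the stored password for the canonical name."""
    hits = ldap_search("(uid=%s)" % escape_filter_value(canonical))
    return hits[0]["userPassword"] if len(hits) == 1 else None


def authenticate(username: str, password: str) -> Optional[str]:
    """Returns the mailbox name on success, None on any failure."""
    canonical = canon_user(username)
    if canonical is None:
        return None
    correct = auxprop(canonical)
    if correct is None:
        return None
    # Constant-time compare instead of the '==' in the pseudo-code.
    if not hmac.compare_digest(correct.encode(), password.encode()):
        return None
    return canonical


if __name__ == "__main__":
    print(authenticate("someone@else.com", "s3cret"))   # id000012
    print(authenticate("someone@else.com", "nope"))     # None
```

`authenticate()` returns the uid because that is what Torsten asked for and what Howard is confirming; returning the DN instead is a one-line change in `canon_user()`. Keeping the "exactly one hit" check in both lookups is a second guard independent of the escaping.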