LDAP auth, and Cyrus mailboxes..

Mike Beattie mike.beattie at otago.ac.nz
Thu Sep 2 08:32:07 EDT 2004


On Wed, Jun 16, 2004 at 11:59:08AM -0400, Rob Siemborski wrote:
> >Ok, well, it's known behaviour, perhaps I'll need to think up another
> >solution. (an ugly patch to cyrus that adds a "loginrequiresinbox:"
> >option?)
> 
> This is not unreasonable. I'd probably implement it as part of the 
> PROXY_POLICY callbacks to sasl (e.g. mysasl_proxy_policy).
> 
> Note that you want to be sure to not exclude admins (who shouldn't have a 
> mailbox) when you do this.

Ok, I've finally gotten around to doing this, since we deleted around 6.5k
student accounts last week, and some have been wondering why all their mail
was deleted... (since they can still log into horde/imp, and see an
'inbox').

Patch is attached... took me a while to figure out that imapd has its own
PROXY_POLICY callback, where the others all use the one in config.c

It's hackish, but it's a concept, and it Works For Me(tm).  It may be a
starting point for something more robust.

Mike.
-- 
Mike Beattie  <mike.beattie at otago.ac.nz>     UNIX Systems Engineer, ITS
Ph: +64 3 479 8597       Fax: +64 3 479 5080      Cell: +64 27 44 80386
* Opinions expressed are my own, not those of the University of Otago *
-------------- next part --------------
diff -urN cyrus21-imapd-2.1.16.orig/debian/imapd.conf cyrus21-imapd-2.1.16/debian/imapd.conf
--- cyrus21-imapd-2.1.16.orig/debian/imapd.conf Thu Sep  2 17:00:08 2004
+++ cyrus21-imapd-2.1.16/debian/imapd.conf      Thu Sep  2 16:59:22 2004
@@ -71,6 +71,9 @@
 # No anonymous logins
 allowanonymouslogin: no
 
+# Login requires an inbox (admins excluded)
+#loginrequiresinbox: no
+
 # Minimum time between POP mail fetches in minutes
 popminpoll: 1
 
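Review bot: the new option is documented only in debian/imapd.conf, so anyone running the patch outside the Debian package has no record of `loginrequiresinbox` or of the admin exemption; the upstream sample configuration and option documentation should get the same three lines.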
diff -urN cyrus21-imapd-2.1.16.orig/imap/config.c cyrus21-imapd-2.1.16/imap/config.c
--- cyrus21-imapd-2.1.16.orig/imap/config.c     Thu Sep  2 16:59:58 2004
+++ cyrus21-imapd-2.1.16/imap/config.c  Fri Sep  3 00:22:57 2004
@@ -521,6 +521,19 @@
        return SASL_OK;
     }
 
+    if (config_getswitch("loginrequiresinbox", 0) && !userisadmin) {
+       char inboxname[1024];
+
+       if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >= sizeof(inboxname)) return 0;
+       strcpy(inboxname, "user.");
+       strcat(inboxname, auth_identity);
+       
+       if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) {
+           sasl_seterror(conn, 0, "No inbox for user %s", auth_identity);
+           return SASL_BADAUTH;
+       }
+    }
+
     if (alen != rlen || strncmp(auth_identity, requested_user, alen)) {
        /* we want to authenticate as a different user; we'll allow this
           if we're an admin or if we've allowed ACL proxy logins */
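Review bot: the early `return 0;` on the dot/overlength path is `SASL_OK`, so an auth identity that contains a '.' (or is too long for `inboxname`) skips both the inbox check and the proxy-authorization check that follows at `if (alen != rlen || strncmp(auth_identity, requested_user, alen))`; return `SASL_BADAUTH` there, as the no-inbox branch already does, so the rejection actually rejects. Also, `mboxlist_lookup()` returns nonzero for any failure, not only a missing mailbox, so a transient lookup error is reported to the client as "No inbox for user"; checking specifically for IMAP_MAILBOX_NONEXISTENT before refusing the login would keep unrelated errors from reading as a deleted account.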
diff -urN cyrus21-imapd-2.1.16.orig/imap/imapd.c cyrus21-imapd-2.1.16/imap/imapd.c
--- cyrus21-imapd-2.1.16.orig/imap/imapd.c      Wed Mar 17 09:39:58 2004
+++ cyrus21-imapd-2.1.16/imap/imapd.c   Fri Sep  3 00:19:48 2004
@@ -343,6 +343,19 @@
     /* ok, is auth_identity an admin? */
     imapd_userisadmin = authisa(imapd_authstate, "imap", "admins");
 
+    if (config_getswitch("loginrequiresinbox", 0) && !imapd_userisadmin) {
+       char inboxname[1024];
+
+       if (strchr(auth_identity, '.') || strlen(auth_identity)+6 >= sizeof(inboxname)) return 0;
+       strcpy(inboxname, "user.");
+       strcat(inboxname, auth_identity);
+
+       if (mboxlist_lookup(inboxname, NULL, NULL, NULL)) {
+           sasl_seterror(conn, 0, "No inbox for user %s", auth_identity);
+           return SASL_BADAUTH;
+       }
+    }
+
     if (alen != rlen || strncmp(auth_identity, requested_user, alen)) {
        /* we want to authenticate as a different user; we'll allow this
           if we're an admin or if we've allowed ACL proxy logins */
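Review bot: this block is a verbatim copy of the config.c hunk, including the `return 0;` that evaluates to `SASL_OK` and lets a dotted or overlong identity bypass the proxy check below; factor the lookup into one shared helper (a hypothetical `user_has_inbox()` in config.c would do) called from both proxy-policy callbacks, so the early-return fix only has to be made in one place and the two paths cannot drift apart.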