Mapping a login(uid) to different mailbox

Dan White dwhite at olp.net
Wed Sep 7 17:30:26 EDT 2011


On 07/09/11 20:49 +0100, Jeroen van Meeuwen (Kolab Systems) wrote:
>Dan White wrote:
>> On 27/08/11 09:47 -0300, Lucas Zinato Carraro wrote:
>> >Hi,
>> >
>> >    I have several users that will change their login (LDAP uid).
>> >How do I map a login to another mailbox?
>>
>> Use a sasl canonicalization plugin to (re)map an authentication identity.
>> The mapped identity returned by sasl will be used when opening the user's
>> mailbox.
>>
>> There is an ldapdb canon_user plugin available in sasl CVS, and a sql
>> plugin available in bugzilla. Documentation can be found in
>> doc/options.html in the sasl source.
>
>Hi Dan,
>
>I'm sorry to respond to this thread so late, ...
>
>I fail to recognize the RFC definition of SASL allowing the return of "OK:
><authorization ID>", but perhaps I'm completely looking in the wrong
>direction...
>
>Could you elaborate on where SASL is allowed / providing said canonification?
>
>For Cyrus IMAP implementations I've done so far, I've needed a patch against
>the application(!, Cyrus IMAP in this case) to use a ptclient method/client
>library capable of handling the desired (LDAP) functionality.

Jeroen,

libsasl2 provides a canonicalization "hook if your site has specific
requirements for how userids are presented to the applications."

   http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/components.php

Such a plugin might be used to present, for instance,
'uid=jsmith,dc=example,dc=net' as 'jsmith@example.net' to a calling
application which might happen to be using EXTERNAL authentication via
starttls (and using some field within the client certificate as the
authentication identity).

OpenLDAP contains its own mapping logic via its sasl authz-regex
configuration to map variously unfriendly looking identities such as:

     gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
to
     root

A libsasl2 canonicalization plugin, such as ldapdb, provides a way for a
system administrator to present usernames to an (ignorant) calling
application in whatever form is most appropriate. One scenario is to map
horrible looking authentication identities like 'jsmith00014235' to (for
the purpose of referencing a mailbox) 'jsmith', or vice versa.

An example usage case (/etc/imapd.conf):

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net ldap://ldap2.example.net
sasl_ldapdb_mech: GSSAPI
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: uid

Where all users get normalized as the uid attribute (jsmith@example.net)
after authentication.

On the OpenLDAP side of things:

authz-regexp
   "uid=([^,]+),cn=([^,]+),cn=auth"
   ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))

where btcAltUID is a (custom) multi-valued attribute which can hold an unlimited
number of forms of the user identity:

uid=jsmith@example.net,ou=people,dc=example,dc=net
...
uid: jsmith@example.net
btcAltUID: jsmith
btcAltUID: jsmith@example.net
btcAltUID: jsmith@EXAMPLE.NET
btcAltUID: somealias@example.com
...

I've used this method with Cyrus POP3/IMAP and Postfix. I have not used
ptclient, so I don't know if this method could substitute for your patch.

-- 
Dan White
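The following is an added illustration of the authz-regexp mapping described in the post above; it is not Dan's code and not slapd's implementation, but a small Python simulation of what the regexp and its LDAP URL do to a SASL identity. The directory contents, the login values and the helper names (sasl_dn, build_search_url, search_alt_uid, canonicalize) are constructed for the example. It also shows two checks a practitioner should keep in mind: the URL search must return exactly one entry before the identity is rewritten, and the captured login should be treated as untrusted filter input (the escaping step here is the example's own choice; verify what your slapd version does with $1 rather than assuming).

```python
import re

# Constructed sample directory, not real data. It mirrors the schema in the post:
# a canonical uid plus a custom multi-valued btcAltUID holding every accepted form
# of the login, and btcAccountStatus used to fence off suspended accounts.
DIRECTORY = {
    "uid=jsmith@example.net,ou=people,dc=example,dc=net": {
        "uid": ["jsmith@example.net"],
        "btcAltUID": ["jsmith", "jsmith@example.net", "jsmith@EXAMPLE.NET",
                      "somealias@example.com", "jsmith00014235"],
        "btcAccountStatus": [],
    },
    "uid=bjones@example.net,ou=people,dc=example,dc=net": {
        "uid": ["bjones@example.net"],
        "btcAltUID": ["bjones", "bjones@example.net"],
        "btcAccountStatus": ["suspended"],
    },
}

# The match half of the authz-regexp from the post. slapd hands it the SASL
# authentication identity in the form uid=<authcid>,cn=<mech>,cn=auth.
AUTHZ_REGEXP = re.compile(r"^uid=([^,]+),cn=([^,]+),cn=auth$")

SEARCH_BASE = "ou=people,dc=example,dc=net"


def sasl_dn(authcid, mech):
    """Build the pseudo-DN slapd derives from a SASL bind (hypothetical helper)."""
    return "uid=%s,cn=%s,cn=auth" % (authcid, mech)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter. This is the
    example's own defensive step: it stops a crafted login such as 'jsmith*'
    from turning (btcAltUid=$1) into a wildcard match."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_search_url(authcid, mech):
    """Return the LDAP URL the authz-regexp would expand to, or None if the
    identity does not match the regexp at all."""
    m = AUTHZ_REGEXP.match(sasl_dn(authcid, mech))
    if not m:
        return None
    return "ldap:///%s??one?(&(btcAltUid=%s)(!(btcAccountStatus=suspended)))" % (
        SEARCH_BASE, escape_filter_value(m.group(1)))


def search_alt_uid(alt_uid):
    """Simulate the one-level search behind the URL: entries whose btcAltUID
    holds alt_uid and which are not suspended. Exact string comparison here;
    in a real directory the attribute's equality matching rule decides case
    sensitivity, which is why the post lists both jsmith@example.net and
    jsmith@EXAMPLE.NET as separate values."""
    return [dn for dn, e in DIRECTORY.items()
            if alt_uid in e["btcAltUID"] and "suspended" not in e["btcAccountStatus"]]


def canonicalize(authcid, mech):
    """Map a SASL authentication identity to the canonical uid that Cyrus will
    use to open the mailbox. Returns None when the regexp does not apply, when
    no entry matches, or when more than one matches: slapd only rewrites the
    identity for a search that returns exactly one entry, and an ambiguous
    alias must never silently pick a mailbox."""
    m = AUTHZ_REGEXP.match(sasl_dn(authcid, mech))
    if not m:
        return None
    hits = search_alt_uid(m.group(1))
    if len(hits) != 1:
        return None
    return DIRECTORY[hits[0]]["uid"][0]


if __name__ == "__main__":
    for login in ("jsmith00014235", "somealias@example.com", "bjones", "jsmith*"):
        print("%-22s -> %s" % (login, canonicalize(login, "GSSAPI")))
```

Running it shows the ugly login and the alias both resolving to jsmith@example.net, the suspended account and the wildcard attempt resolving to nothing. A login containing a comma never reaches the search at all, because `[^,]+` in the regexp refuses it.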

