Howard,
thank you very much for your suggestion.
I think I had tried something with authz-regexp, but are you really sure
that Cyrus IMAPd will actually see the rewritten username afterwards? I
was able to take this to the point where the appropriate LDAP object was
found and used for authentication, but Cyrus IMAPd would have still been
looking for a mailbox with the original name rather than the rewritten one.
Well ... will try, I don't remember having used
> --enable-rewrite and manually enabled SLAP_AUTH_REWRITE.
so maybe this is going to do the trick.
Regards,
Torsten
Howard Chu wrote:
Torsten Schlabach wrote:
Hi!
We are in need of a canon_user plugin.
The scope is quite simple:
We use technical IDs for mailbox names in Cyrus IMAPd. Our mailboxes
are called mb00001, mb00002, mb00003, ... You get the concept. In our
MTA we have defined aliases for the actual email addresses that point
to a mailbox, so each user can have multiple email addresses connected
to a single mailbox, for example:
info@xxxxxxxxxx -> mb000002
john.doe@xxxxxxxxx -> mb000002
john.doe@xxxxxxxxxx -> mb000002
someome@xxxxxxxx -> mb000816
This is handled by the MTA (Exim) querying LDAP for an object like this one:
dn: mailAlias=someone,ou=...
dc: else.com
mailAlias: someone
objectClass: mailAlias
objectClass: mailDomain
objectClass: top
mailAliasedName: mb000816
We've also configured Cyrus IMAPd to query LDAP via the SASL layer
where we store user objects, such as:
dn: uid=mb000816,ou=.....
uid: mb000816
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: xxxxxxx
Now users would like to be able to use one of their email addresses to
login, rather than having to remember their mbXXXXXX id.
I understand that this is what a canon_user plugin would be suitable
for, so it would just take the user's input of a username (in this
case someone@xxxxxxxx), do a lookup for a mailAlias object in LDAP
which has dc={domain part of email address} and mailAlias={local part
of email address} and return the mailAliasedName attribute, which is
the Cyrus IMAPd mailbox id.
From looking at a sample I would guess that this will be 100 lines of
code or less. But we don't have any experienced C programmer and as
this is meant for production use, I would appreciate this done by
someone who knows what he is doing. And it would be great if this had a
chance to become part of the codebase.
So as nobody obviously felt the need for that before, we're thinking
of paying someone to do it and donate the code. As I think this is a
quite limited scope, we'd be hoping this could be done for a lower
3-digit USD figure?
Anyone interested?
Regards,
Torsten
Not that I'm one to turn down easy money, but OpenLDAP slapd has a
canon_user plugin built in. If you add the mailAlias name to your
mailbox entries then you can use a simple authz-regexp to resolve this,
something like:
authz-regexp "uid=([^,]*),cn=DIGEST-MD5,cn=auth" ldap:///<base DN>??sub?(mailalias=$1)
If you don't modify your entries as suggested above, it's a little more
complicated, and you need to have configured OpenLDAP with
--enable-rewrite and manually enabled SLAP_AUTH_REWRITE. Then, since you
need to perform two LDAP lookups, you need additional rules:
authid-rewriteMap ldap alias2DN ldap://<host>/<base DN>?mailAliasedName?sub?
authid-rewriteRule "uid=([^,]*),cn=DIGEST-MD5,cn=auth" "ldap:///<base DN>??sub?(uid=%{alias2dn(mailalias=%0)})"
Note that because it requires two lookups, this will be a lot slower
than the first solution. It's usually a better idea to modify your data
to make the lookups more efficient, than to use extra lookups to make up
for poorly designed data.
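The alias-to-mailbox mapping Torsten asked for, as an added Python example that is not from the thread and not OpenLDAP's or Cyrus's own code: it splits the login into local part and domain, builds the mailAlias filter with RFC 4515 escaping of the user-supplied values, and only accepts a lookup that returns exactly one entry. The directory entries and mock_search below are constructed stand-ins for a real LDAP server; a deployment would pass a function that runs the filter against slapd instead.

```python
import re

# Constructed stand-in for the mailAlias objects the thread describes
# (the MTA resolves these; the SASL side wants the same mapping).
DIRECTORY = [
    {"objectClass": "mailAlias", "mailAlias": "someone", "dc": "else.com",
     "mailAliasedName": "mb000816"},
    {"objectClass": "mailAlias", "mailAlias": "john.doe", "dc": "example.com",
     "mailAliasedName": "mb000002"},
    {"objectClass": "mailAlias", "mailAlias": "info", "dc": "example.com",
     "mailAliasedName": "mb000002"},
]

def ldap_escape(value):
    """Escape user input for an LDAP filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def alias_filter(login):
    """Filter selecting the mailAlias object for local@domain, or None if malformed."""
    local, sep, domain = login.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return "(&(objectClass=mailAlias)(mailAlias=%s)(dc=%s))" % (
        ldap_escape(local), ldap_escape(domain.lower()))

def mock_search(filt, directory=DIRECTORY):
    """Evaluate an AND-of-equalities filter against the in-memory entries (stand-in for slapd)."""
    asserts = [(a, re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v))
               for a, v in re.findall(r"\((\w+)=([^()]*)\)", filt)]
    return [e for e in directory
            if all(e.get(a, "").lower() == v.lower() for a, v in asserts)]

def canon_user(login, search=mock_search):
    """Canonicalize a login to a Cyrus mailbox id; None means reject the login."""
    if re.fullmatch(r"mb\d+", login):
        return login                      # already a mailbox id: pass through unchanged
    filt = alias_filter(login)
    if filt is None:
        return None
    hits = search(filt)
    if len(hits) != 1:                    # unknown or ambiguous alias: reject
        return None
    return hits[0]["mailAliasedName"]
```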