Re: Sponsoring a canon_user plugin for LDAP lookup

Torsten Schlabach wrote:
As long as it serves the purpose. Just recall, please ...

If you rewrite some@xxxxxxxx to id000012 then you need to make sure that Cyrus IMAPd sees id000012 as it is going to use that as the name for the mailbox.

I need to say ... I am *not* sure about the sequence in which auxprop and canon_user are called. But isn't it that Cyrus IMAPd will take in a username, run it through canon_user (in case there is any), then run the rewritten username through auxprop to retrieve a password and compare the one that the user inputted to that.

So in pseudo-code this would be:

username = what the user entered as username
password = what the user entered as password

username = canon_user(username)

correct_password = auxprop(username)

if correct_password == password

  look for mailbox username

endif

If I am right with that assumption, then you could do anything in an auxprop plugin to find the proper password (which you can indeed do today already using the authz rewrite rules), but you cannot change the value of username in the auxprop plugin. Isn't this why there are two different hooks, i.e. canon_user and auxprop?

Correct. (Yes, our emails crossed.)

The ldapdb_connect() function currently in ldapdb.c can serve both purposes, I just need to write a canon_user_server wrapper around it to do the right thing. The other refinement would be to save the LDAP connection handle that canon_user uses, so that auxprop doesn't need to open a new one.

And now just to doublecheck - you actually want just the simple name returned, not the full DN. Correct?

On the other hand, as I said in my initial posting, I think the actual canon_user plugin would not be too complicated, as it would just have to do a single lookup, i.e. use the given username in an LDAP URL to find an object and return another attribute of that object as the canonicalized username. E.g. search for mailAlias=someone@xxxxxxxx and return the uid attribute of the matched object.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
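The canon_user / auxprop sequence discussed in this thread, as an added simulation that is not part of the thread or of Cyrus SASL's ldapdb code. The directory is a constructed in-memory stand-in for LDAP, and the assumption is that the canon_user lookup matches on mailAlias (case-insensitively, as LDAP mail attributes usually do), refuses to canonicalize when no single object matches, and that the mailbox name is always the canonical uid rather than what the user typed.

```python
import hmac

# Constructed stand-in for the LDAP directory: each entry is one object
# carrying a uid, its mailAlias values and the stored userPassword.
DIRECTORY = [
    {"uid": "id000012",
     "mailAlias": ["someone@example.com", "alias2@example.com"],
     "userPassword": "s3cret"},
    {"uid": "id000034",
     "mailAlias": ["other@example.com"],
     "userPassword": "hunter2"},
]


def canon_user(username):
    """Simulated canon_user hook: search for mailAlias=<username> and return
    the uid attribute of the matched object.  Returns None when no object
    (or more than one) matches, so the raw input never leaks through as a name."""
    wanted = username.lower()          # assumption: mailAlias matches case-insensitively
    matches = [e for e in DIRECTORY
               if wanted in (a.lower() for a in e["mailAlias"])]
    if len(matches) != 1:
        return None
    return matches[0]["uid"]


def auxprop(username):
    """Simulated auxprop hook: given the already canonicalized name, fetch the
    stored password.  It only looks properties up; it cannot rename the user."""
    for e in DIRECTORY:
        if e["uid"] == username:
            return e["userPassword"]
    return None


def authenticate(entered_user, entered_password):
    """Run the sequence from the post: canon_user, then auxprop, then compare.
    Returns the mailbox name (the canonical uid) on success, None on failure."""
    username = canon_user(entered_user)
    if username is None:
        return None
    correct_password = auxprop(username)
    if correct_password is None:
        return None
    # Constant-time comparison so a wrong guess does not leak length/prefix timing.
    if not hmac.compare_digest(correct_password.encode(), entered_password.encode()):
        return None
    return username                    # Cyrus IMAPd would look for this mailbox
```

Note that entering the uid itself ("id000012") fails here, because this canon_user searches only mailAlias; a real plugin would decide explicitly which attributes are acceptable login names.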

