> And now just to doublecheck - you actually want just the simple name
> returned, not the full DN. Correct?
Sure. As this is what Cyrus IMAPd expects.
Without the canon_user, you'd type
AUTH id000012
You wouldn't type
AUTH uid=id000012,ou=user,ou=...
It's getting 1:00 a.m. now where I am. So I hope you got all the info
and I can go to bed now. I'd really be thankful for you help with that.
Any probably many others as well.
Regards,
Torsten
Howard Chu schrieb:
Torsten Schlabach wrote:
As long as it serves the purpose. Just recall, please ...
If you rewrite some@xxxxxxxx to id000012 then you need to make sure
that Cyrus IMAPd sees id000012 as it is going to use that as the name
for the mailbox.
I need to say ... I am *not* sure about the sequence in which auxprop
and canon_user are called. But isn't it that Cyrus IMAPd will take in
a username, run it through canon_user (in case there is any), then run
the rewritten username through auxprop to retrieve a password and
compare the one that the user inputted to that.
So in pseudo-code this would be:
username = what the user entered as username
password = what the user entered as password
username = canon_user(username)
correct_password = auxprop(username)
if correct_password == password
look for mailbox username
endif
If I was right with that assumption, than you could do anyting in an
auxprop plugin to find the proper password (what you can indeed do
today already using that authz rewrite rules) but you cannot change
the value of username in the auxprop plugin. Isn't this why there are
two different hooks, i.e. canon_user and auxprop?
Correct. (Yes, our emails crossed.)
The ldapdb_connect() function currently in ldapdb.c can serve both
purposes, I just need to write a canon_user_server wrapper around it to
do the right thing. The other refinement would be to save the LDAP
connection handle that canon_user uses, so that auxprop doesn't need to
open a new one.
And now just to doublecheck - you actually want just the simple name
returned, not the full DN. Correct?
On the other hand, as I said in my initial posting, I think the actual
canon_user plugin would be not too complicated as it would just have
to do a single lookup, i.e. use the given username in an LDAP url to
find an object and return another attribute of that object as the
canonicalized username. E.g. search for mailAlias=someone@xxxxxxxx and
return the uid attribute of the matched object.