On 07/09/11 20:49 +0100, Jeroen van Meeuwen (Kolab Systems) wrote:
>Dan White wrote:
>> On 27/08/11 09:47 -0300, Lucas Zinato Carraro wrote:
>> >Hi,
>> >
>> > I have several users that will change their login (LDAP uid).
>> >How to map a login to another mailbox?
>>
>> Use a sasl canonicalization plugin to (re)map an authentication identity.
>> The mapped identity returned by sasl will be used when opening the user's
>> mailbox.
>>
>> There is an ldapdb canon_user plugin available in sasl CVS, and a sql
>> plugin available in bugzilla. Documentation can be found in
>> doc/options.html in the sasl source.
>
>Hi Dan,
>
>I'm sorry to respond to this thread so late, ...
>
>I fail to recognize the RFC definition of SASL allowing the return of "OK:
><authorization ID>", but perhaps I'm completely looking in the wrong
>direction...
>
>Could you elaborate on where SASL is allowed / providing said canonification?
>
>For Cyrus IMAP implementations I've done so far, I've needed a patch against
>the application (!, Cyrus IMAP in this case) to use a ptclient method/client
>library capable of handling the desired (LDAP) functionality.

Jeroen,

libsasl2 provides a canonicalization "hook if your site has specific
requirements for how userids are presented to the applications."

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/components.php

Such a plugin might be used to present, for instance,
'uid=jsmith,dc=example,dc=net' as 'jsmith@xxxxxxxxxxx' to a calling
application which might happen to be using EXTERNAL authentication via
starttls (and using some field within the client certificate as the
authentication identity).

OpenLDAP contains its own mapping logic via its sasl authz-regexp
configuration to map variously unfriendly looking identities such as:

gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

to root.

A libsasl2 canonicalization plugin, such as ldapdb, provides a way for a
system administrator to present usernames to an (ignorant) calling
application in whatever form is most appropriate. One scenario is to map
horrible looking authentication identities like 'jsmith00014235' to (for
the purpose of referencing a mailbox) 'jsmith', or vice versa.

An example usage case (/etc/imapd.conf):

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net ldap://ldap2.example.net
sasl_ldapdb_mech: GSSAPI
sasl_canon_user_plugin: ldapdb
sasl_ldapdb_canon_attr: uid

Where all users get normalized as the uid attribute (jsmith@xxxxxxxxxxx)
after authentication.

On the OpenLDAP side of things:

authz-regexp "uid=([^,]+),cn=([^,]+),cn=auth"
    ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))

where btcAltUID is a (custom) multi-value attribute which can hold an
unlimited number of forms of the user identity:

uid=jsmith@xxxxxxxxxxx,ou=people,dc=example,dc=net
...
uid: jsmith@xxxxxxxxxxx
btcAltUID: jsmith
btcAltUID: jsmith@xxxxxxxxxxx
btcAltUID: jsmith@xxxxxxxxxxx
btcAltUID: somealias@xxxxxxxxxxx
...

I've used this method with Cyrus POP3/IMAP and Postfix. I have not used
ptclient, so I don't know if this method could substitute for your patch.

--
Dan White

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
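To make the two halves of that mapping concrete, the following Python simulation (added here; it is neither Dan's code nor the implementation inside OpenLDAP or the ldapdb plugin) walks an authentication identity through the authz-regexp from the mail and returns the canon_attr value of the entry it resolves to. It assumes the realm-less "uid=<authid>,cn=<mech>,cn=auth" form of the SASL identity, a constructed two-entry directory using example.net addresses in place of the obfuscated ones above, an anchored match of the regexp, and a minimal filter evaluator; it also escapes the substituted capture group per RFC 4515, which is a defensive choice of this example and not a statement about what slapd does.

```python
import re

# Constructed sample directory (not real data), keyed by DN. It mirrors the
# layout in the mail: one person whose custom btcAltUID attribute holds every
# alias they may log in with, plus one suspended account.
DIRECTORY = {
    "uid=jsmith@example.net,ou=people,dc=example,dc=net": {
        "uid": ["jsmith@example.net"],
        "btcAltUID": ["jsmith", "jsmith@example.net",
                      "jsmith00014235", "somealias@example.net"],
        "btcAccountStatus": ["active"],
    },
    "uid=olduser@example.net,ou=people,dc=example,dc=net": {
        "uid": ["olduser@example.net"],
        "btcAltUID": ["olduser"],
        "btcAccountStatus": ["suspended"],
    },
}

# The authz-regexp pair from the mail. LDAP attribute names are
# case-insensitive, so btcAltUid and btcAltUID are the same attribute.
AUTHZ_PATTERN = r"uid=([^,]+),cn=([^,]+),cn=auth"
AUTHZ_TEMPLATE = ("ldap:///ou=people,dc=example,dc=net??one?"
                  "(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))")


def filter_escape(value):
    # RFC 4515 escaping so a login name cannot change the filter's structure
    # (this example's own choice, not a claim about slapd).
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def rewrite_authz(sasl_dn):
    # Anchored match (simplification); substitute $1, $2 ... into the URL.
    m = re.fullmatch(AUTHZ_PATTERN, sasl_dn)
    if not m:
        return None
    url = AUTHZ_TEMPLATE
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace("$%d" % i, filter_escape(group))
    return url


def parse_ldap_url(url):
    # ldap:///base?attrs?scope?filter -> (base, attrs, scope, filter)
    base, attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    return base, attrs, scope or "base", filt


def parse_filter(s, i=0):
    # Minimal RFC 4515 parser: &, |, ! and equality only.
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, filter_unescape(value)), j + 1


def entry_values(entry, attr):
    # Case-insensitive attribute lookup.
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node, entry):
    # Values compared case-insensitively, like a caseIgnoreMatch attribute.
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry_values(entry, attr))


def search(base, scope, filt):
    # One-level search over the constructed directory (no escaped commas in DNs).
    node, _ = parse_filter(filt)
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        depth = dn[: -len(base) - 1].count(",") + 1
        if scope == "one" and depth != 1:
            continue
        if matches(node, entry):
            hits.append((dn, entry))
    return hits


def canonicalize(authid, mech="GSSAPI", canon_attr="uid"):
    # Returns the canonical name, or None when the login must be rejected
    # (no regexp match, no or ambiguous entry, or a suspended account).
    url = rewrite_authz("uid=%s,cn=%s,cn=auth" % (authid, mech))
    if url is None:
        return None
    base, _attrs, scope, filt = parse_ldap_url(url)
    hits = search(base, scope, filt)
    if len(hits) != 1:  # slapd requires exactly one result for authz-regexp
        return None
    return entry_values(hits[0][1], canon_attr)[0]


if __name__ == "__main__":
    for login in ["jsmith00014235", "somealias@example.net", "olduser", "nobody"]:
        print("%-22s -> %s" % (login, canonicalize(login)))
```

Every alias of jsmith resolves to the single uid value, which is what Cyrus then uses as the mailbox name; a suspended account resolves to nothing even when its alias is valid, because the (!(btcAccountStatus=suspended)) term in the URL filter is evaluated at every login rather than only at provisioning time.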