Bug#347659: [Pkg-Cyrus-imapd-Debian-devel] Bug#347659: please discuss patch for ldap authentification (Kolab)

Henrique de Moraes Holschuh hmh at debian.org
Fri Jan 13 01:13:56 UTC 2006


On Thu, 12 Jan 2006, Sven Mueller wrote:
> >>-{ "virtdomains", "off", ENUM("off", "userid", "on") }
> >>+{ "virtdomains", "off", ENUM("off", "userid", "ldap", "on") }
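Review bot: adding "ldap" to the `virtdomains` ENUM folds an identity-lookup mechanism into a setting whose existing values ("off", "userid", "on") only say how the domain part of a mailbox name is determined, so the patch should state which of the "userid"/"on" behaviours the new value inherits for IMAP, POP and LMTP, and ship the matching imap.conf documentation for the new value. Since "ldap" is inserted before "on" rather than appended, also check that nothing compares the enum ordinally or assumes "on" is the highest value.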
> > 
> > THAT I didn't like at all.  If it is an authz module, it should have been
> > plugged to the ptloader.  Looks more like a hack to the vir. domain system.
> 
> From what I saw in the patch, it uses the LDAP userid (uid field) to
> look up the primary email address of the user. It then returns that
> email address canonified for authentication (i.e. the user logs in with
> his uid, but mail is stored and passwords looked up in sasl according to
> his primary email address).

That ain't how it works with Cyrus. The user logs in with his *mailbox*,
which is uid@vdomain.  To change that, you add a canonization plugin that
gets whatever was sent to Cyrus as the mailbox, and changes it to the real
user and domain.  But AFAIK, canonization is *global*.

Which means you DELIVER through LMTP to the pre-canonized account, do IMAP
logins and POP3 logins to the pre-canonized account...  Depending on how
early SASL is called, SASL may have to deal with the pre-canonized account
as well, I didn't check.

> Besides thinking that the patch is somewhat incomplete (it doesn't
> handle alternate addresses at all AFAICT), I don't see how it could harm
> normal cyrus operation.

I am afraid it might cause subtle bugs, but that's not the worst problem
IMHO. It is that we have no reason to believe it will be easily
forward-portable to 2.3, and 2.3 requires one to be very careful as the
entire murder code has been unified with the normal daemons, and there is
the whole replication system to take into account.

> Well, I don't really see how to map LDAP uids (which are normally also
> login names for servers/workstations) to email addresses (on which cyrus
> operates. The only alternative would be to not use vdomains in cyrus and
> use the MTA to deliver mails to any of the mail addresses of a user to
> <uid>.

IF you are logging in (imap, pop) using userid@vdomain, or using different
listening interfaces to automatically detect vdomain, in which case you
_can_ just use userid instead:

Email, you deliver to userid@vdomain using LMTP.  This is done by teaching
the MTA to ask LDAP about the accounts, and where to deliver mail for an
account; that's how everyone doing email delivery of any sort using LDAP
has been doing things for years.

Cyrus logins are userid@vdomain, mapped to SASL as userid=userid,
REALM=vdomain, and used internally by Cyrus as user userid, in domain
vdomain.  *SASL* has to map that back to LDAP dn to check the credentials,
usually doing some string substitution to get a dn.  If you need to do it
using LDAP *searches*, you have to improve the SASL LDAP auxprop module --
actually, I think the latest one can do it already, it has been a LONG time
since I mucked with cyrus+ldap.

After the authentication (SASL), Cyrus needs to ask stuff on LDAP only to
expand group ACLs (during authorization).  That is supposed to be done
through a ptloader LDAP plugin, and definitely not a new vdomain scheme.

Heck, tweaking cyrus so that it can canonize each type of service login
differently, and to use dynamically selected canonization schemes would
have been a nice and clean way to do what kolab seems to need done (if I
understood things correctly).

I hope this makes my misgivings about including the patch a bit clearer.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
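
Added illustration, not code from the Kolab patch nor from Cyrus or Cyrus SASL: the two identity mappings the message describes (SASL resolving a userid@vdomain login to an LDAP DN, either by string substitution or by a search, and the MTA resolving any address of a user to the one uid@vdomain mailbox it delivers to over LMTP), run over a constructed in-memory directory that stands in for LDAP. The attribute names (uid, mail, alias), the DN template, the filter shape and the sample entries are assumptions made for this example. The filter and DN values are escaped per RFC 4515 and RFC 4514 so that a login name cannot rewrite the query, which is the check a practitioner wants whenever the SASL side builds LDAP queries from what the client sent.

```python
"""Login-to-DN and address-to-mailbox resolution, as discussed above.

Added example over a constructed directory; attribute names, DN template
and sample entries are assumptions, not the Kolab or Cyrus schema.
"""

# Constructed sample directory; 'alias' holds the alternate addresses.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=org", "uid": "jdoe",
     "mail": "john.doe@example.org",
     "alias": ["jdoe@example.org", "john@example.org"]},
    {"dn": "uid=asmith,ou=People,dc=example,dc=org", "uid": "asmith",
     "mail": "asmith@example.org", "alias": []},
]

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value):
    """RFC 4515 escaping: a login such as 'x)(uid=*' cannot rewrite the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "         # trailing space must be escaped
    return out


def split_login(login, default_realm):
    """Cyrus-style split of 'userid@vdomain' into (userid, realm)."""
    if "@" in login:
        userid, _, realm = login.rpartition("@")
        return userid, realm.lower()
    return login, default_realm.lower()


def dn_by_substitution(userid, realm, template="uid=%U,ou=People,%D"):
    """String-substitution route: derive the bind DN, no LDAP search needed."""
    dc = ",".join("dc=" + escape_dn_value(part) for part in realm.split("."))
    return template.replace("%U", escape_dn_value(userid)).replace("%D", dc)


def search_filter(userid, realm):
    """Search route, for directories whose DNs cannot be derived from the login."""
    return "(&(uid=%s)(mail=*@%s))" % (escape_filter_value(userid),
                                       escape_filter_value(realm))


def find_entry(userid, realm):
    """In-memory equivalent of running search_filter() against DIRECTORY."""
    for entry in DIRECTORY:
        if entry["uid"] == userid and entry["mail"].lower().endswith("@" + realm):
            return entry
    return None


def canonical_mailbox(address):
    """MTA-side lookup: any address of a user -> the 'uid@vdomain' mailbox.

    Primary and alternate addresses all land on the same Cyrus account,
    which is the mailbox named after the uid in the domain of 'mail'.
    """
    address = address.lower()
    for entry in DIRECTORY:
        if address == entry["mail"].lower() or address in [a.lower() for a in entry["alias"]]:
            return "%s@%s" % (entry["uid"], entry["mail"].lower().rpartition("@")[2])
    return None


def authenticate(login, default_realm):
    """SASL-side resolution: login -> (DN to check credentials against, Cyrus user).

    Returns None when the login is not a uid, e.g. when a client sends the
    primary email address instead of 'uid@vdomain'.
    """
    userid, realm = split_login(login, default_realm)
    entry = find_entry(userid, realm)
    if entry is None:
        return None
    return entry["dn"], "%s@%s" % (userid, realm)
```

`authenticate("john.doe@example.org", ...)` returning None while `canonical_mailbox("john.doe@example.org")` resolves fine is exactly the gap between the login identity (uid) and the address identity (mail) that the thread is about: the MTA closes it for delivery by asking the directory, and on the login side something has to map one to the other before SASL and Cyrus see the name.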