[jira] [Created] (JAMES-3905) LDAP: have per domain base DNs overrides

Mon, 24 Apr 2023 04:26:11 -0700 

Benoit Tellier created JAMES-3905:
-------------------------------------

             Summary: LDAP: have per domain base DNs overrides
                 Key: JAMES-3905
                 URL: https://issues.apache.org/jira/browse/JAMES-3905
             Project: James Server
          Issue Type: Improvement
            Reporter: Benoit Tellier


h2. Why

James supports virtual hosting, ie manage several domains like linagora.com, 
ossa.fr, openpaas.org, etc...

A common set up is to get one LDAP base DN per entity / group of users to 
better organise access to apps.

Eg ou=users,dc=linagora.com,dc=lng and ou=demo,dc=linagora.com,dc=lngetc...

Today writing such a configuration is really painful and involves more LDAP 
filters than it actually should!

h2. What

Address these on-prem multi-hosted set up by updating the LDAP configuration 
and allow per-virtual hosted domain BASE DN.

EG:


{code:java}
<usersrepository name="LocalUsers"
    class="org.apache.james.user.ldap.CombinedUsersRepository"
    ldapHost="${env:OP_JAMES_LDAP_URI}"
    userBase="${env:OP_JAMES_LDAP_BASE_DN}"
    principal="${env:OP_JAMES_LDAP_PRINCIPAL_DN}"
    credentials="${env:OP_JAMES_LDAP_BIND_PW}"
    userIdAttribute="mail"
    userObjectClass="person"
    administratorId="${env:OP_JAMES_ADMINISTRATOR_ID}" >

    <enableVirtualHosting>true</enableVirtualHosting>

   <domains>
       <ossa.fr>
           <userBase>ou=user,dc=ossa.fr,dclng</userBase>
       </ossa.fr>
   </domains>
</usersrepository>
{code}


-   Domain entry is only allowed with virtual hosting. Without it it throws.
-   Domains (here ossa.fr) needs to be managed (into domain list - note that 
domain list can contain a set of statically configured domains <3)
-   Upon retrieving a user entry, the domain part is used to see if the LDAP 
user base dn should be overriden. (searchAndBuildUser).
-   Listing operations should also include domains extra based DN (filtered to 
only include entries of the concerned domain!)

Create an easy to override abstraction for domain -> Base DN so that if someone 
else wants to make this dynamic, it is possible!

h2. Definition of Done

Unit tests



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to