Tran Hong Quan created JAMES-3930:
-------------------------------------

             Summary: LDAP: support for localpart as login when virtualHosting is on
                 Key: JAMES-3930
                 URL: https://issues.apache.org/jira/browse/JAMES-3930
             Project: James Server
          Issue Type: Improvement
          Components: ldap, UsersStore & UsersRepository
            Reporter: Tran Hong Quan


## Why?

### User Story 1

We have received this request several times: as a user, e.g. `btell...@linagora.com`, I want to 
log in with just `btellier` but get access to my mails as 
`btell...@linagora.com`.

Basically, if the login is not an email address, we can fall back to a uid search to 
get the LDAP entry, then pick the mail attribute to identify the mailbox.

### User story 2

The following proposal also allows for a more complicated setup with one set 
of credentials per application:

As an administrator I do not want to leak user passwords to any third party 
application, including IMAP/SMTP clients.

IMAP and SMTP apps are password based: they send the LOGIN + password upon auth 
(unless you do a complex setup!)

Thus we want to generate one distinct login/password pair for each app. 
Let's call them `one-app-login` and `one-app-password`.

This could easily be done with the following LDAP architecture:
  - a dedicated branch for users. E.g. here: `uid: btellier + mail: 
btell...@linagora.com`
  - a dedicated branch for one-app-logins and one-app-passwords. E.g. here: `uid: 
btellier-app1 + mail: btell...@linagora.com`
  - LemonLDAP-based generation of one-app-logins and one-app-passwords, with 
one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanisms involved on the James side are basically the same as for US 1, so we 
kill two birds with one stone.

## How?

Step 1: Modify the `UsersRepository` API to allow for username translation upon 
authentication: return an Optional of username instead of a boolean upon auth.

Step 2: Add a `resolveLocalPartWithAttribute` property in `usersrepository.xml`. 
If specified, the attribute will be used to resolve the user when a localPart is 
supplied as the login. Otherwise, localParts are rejected.

Step 3: Modify LDAPUsersRepository to return the username based on the user 
obtained in step 2.

## Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in 
james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration 
of the LDAP config file.

## Risk

If 2 LDAP entries have the same UID (even in different branches) it would cause a 
breach in user isolation, allowing user A to access the account of user B.

As such the feature should be optional, turned off by default:

```
        <usersrepository name="LocalUsers"
            ldapHost="ldap://myldapserver:389"
            principal="uid=ldapUser,ou=system"
            credentials="password"
            userBase="ou=People,o=myorg.com,ou=system"
            userIdAttribute="uid"
            userObjectClass="person">
          <enableVirtualHosting>true</enableVirtualHosting>
          <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
          <enableForwarding>true</enableForwarding>
        </usersrepository>
```

`resolveLocalPartWithAttribute` is by default absent, causing local parts to be 
rejected.
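The resolution step from the "How?" section together with the duplicate-UID risk above, as an added sketch that is not James code: the class name, the in-memory `Entry` directory, the `userPassword` comparison standing in for an LDAP bind, and the `user1@example.com` sample data are all constructed for this illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch of the proposed localPart resolution; not the James UsersRepository API.
public final class LocalPartAuth {
    // Constructed stand-in for an LDAP entry (dn + attributes); a real setup binds to LDAP.
    public record Entry(String dn, Map<String, String> attrs) {}

    private final List<Entry> directory;
    private final boolean virtualHosting;
    private final Optional<String> resolveLocalPartWithAttribute; // absent = local parts rejected

    public LocalPartAuth(List<Entry> directory, boolean virtualHosting, Optional<String> attribute) {
        this.directory = directory;
        this.virtualHosting = virtualHosting;
        this.resolveLocalPartWithAttribute = attribute;
    }

    /** Step 1 of the proposal: auth yields the mailbox owner's address instead of a boolean. */
    public Optional<String> authenticate(String login, String password) {
        return resolveEntry(login)
            .filter(e -> password.equals(e.attrs().get("userPassword"))) // stand-in for an LDAP bind
            .map(e -> e.attrs().get("mail"));
    }

    private Optional<Entry> resolveEntry(String login) {
        if (login.contains("@")) { // full address: look it up by mail attribute, no translation
            return single(directory.stream().filter(e -> login.equals(e.attrs().get("mail"))).toList());
        }
        if (!virtualHosting || resolveLocalPartWithAttribute.isEmpty()) {
            return Optional.empty(); // default behaviour: local parts are rejected
        }
        String attr = resolveLocalPartWithAttribute.get();
        // Risk section: two entries sharing the same uid (even in different branches) must never
        // map login A onto mailbox B, so an ambiguous search is a rejection, not "first hit wins".
        return single(directory.stream().filter(e -> login.equals(e.attrs().get(attr))).toList());
    }

    private static Optional<Entry> single(List<Entry> matches) {
        return matches.size() == 1 ? Optional.of(matches.get(0)) : Optional.empty();
    }

    public static void main(String[] args) {
        List<Entry> dir = List.of( // constructed directory mirroring the two branches of US2
            new Entry("uid=user1,ou=People,o=example.com",
                Map.of("uid", "user1", "mail", "user1@example.com", "userPassword", "s3cret")),
            new Entry("uid=user1-app1,ou=Apps,o=example.com",
                Map.of("uid", "user1-app1", "mail", "user1@example.com", "userPassword", "app1-only")));
        LocalPartAuth auth = new LocalPartAuth(dir, true, Optional.of("uid"));
        System.out.println(auth.authenticate("user1", "s3cret"));          // US1: local part login
        System.out.println(auth.authenticate("user1-app1", "app1-only"));  // US2: app-specific creds
        System.out.println(new LocalPartAuth(dir, true, Optional.empty()).authenticate("user1", "s3cret"));
    }
}
```

The last call shows the default (attribute absent), where a bare local part is rejected even with a correct password.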



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
