Tran Hong Quan created JAMES-3930:
-------------------------------------

Summary: LDAP: support for localpart as login when virtualHosting is on
Key: JAMES-3930
URL: https://issues.apache.org/jira/browse/JAMES-3930
Project: James Server
Issue Type: Improvement
Components: ldap, UsersStore & UsersRepository
Reporter: Tran Hong Quan
## Why?

### User Story 1

We have received this request several times: as a user, e.g. `btell...@linagora.com`, I want to log in with just `btellier` but get access to my mails as `btell...@linagora.com`.

Basically, if not presented with an email address, we can fall back to a uid search to get the LDAP entry, then pick the mail attribute to identify the mailbox.

### User story 2

The following proposal also allows for a more complicated setup with one set of credentials per application:

As an administrator I do not want to leak user passwords to any third-party application, including IMAP/SMTP clients. IMAP and SMTP apps are password based: they send the LOGIN + password upon auth (unless you do a complex setup!). Thus we want to generate one login-password pair distinct for each app. Let's call them `one-app-login` and `one-app-password`.

This could easily be done with the following LDAP architecture:

- dedicated branch for users. E.g. here: `uid: btellier + mail: btell...@linagora.com`
- dedicated branch for one-app-logins and one-app-passwords. E.g. here: `uid: btellier-app1 + mail: btell...@linagora.com`
- LemonLDAP-based generation of one-app-logins and one-app-passwords, with one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanism involved on the James side is basically the same as in US 1... So we kill two birds with one stone.

## How?

Step 1: Modify the `UsersRepository` API to allow for username translation upon authentication. Return an `Optional` of username instead of a boolean upon auth.

Step 2: Add a `resolveLocalPartWithAttribute` property in `usersrepository.xml`. If specified, the attribute will be used to resolve the user when a localPart is supplied. Otherwise localParts are rejected.

Step 3: Modify `LDAPUsersRepository` to return the username based on the user obtained in step 2.
## Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.

## Risk

If two LDAP entries have the same UID (even in different branches) it would cause a breach in user isolation, allowing user A to access the account of user B. As such the feature should be optional, turned off by default:

```
<usersrepository name="LocalUsers" ldapHost="ldap://myldapserver:389" principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" userIdAttribute="uid" userObjectClass="person">
  <enableVirtualHosting>true</enableVirtualHosting>
  <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
  <enableForwarding>true</enableForwarding>
</usersrepository>
```

`resolveLocalPartWithAttribute` is absent by default, causing local parts to be rejected.
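To make the resolution steps under "How?" and the duplicate-UID risk concrete, here is an added Python simulation; it is not James code and does not use the James API. It assumes a constructed in-memory directory standing in for LDAP (a People branch, an AppLogins branch for one-app-logins, and a second `alice` uid in another branch), a hypothetical `USER_BASE` matching the `userBase` idea from the config above, and plaintext `userPassword` values for simplicity.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapEntry:
    dn: str
    attrs: dict


# Constructed in-memory directory (assumption, stands in for a real LDAP server):
# a People branch (US1), an AppLogins branch (US2), and a duplicate "alice" uid in
# another branch to model the isolation hazard described in the Risk section.
USER_BASE = "ou=People,o=myorg.com"
DIRECTORY = [
    LdapEntry("uid=btellier,ou=People,o=myorg.com",
              {"uid": "btellier", "mail": "btellier@example.com", "userPassword": "s3cret"}),
    LdapEntry("uid=btellier-app1,ou=AppLogins,o=myorg.com",
              {"uid": "btellier-app1", "mail": "btellier@example.com", "userPassword": "app1-token"}),
    LdapEntry("uid=alice,ou=People,o=myorg.com",
              {"uid": "alice", "mail": "alice@example.com", "userPassword": "alicepw"}),
    LdapEntry("uid=alice,ou=Contractors,o=myorg.com",
              {"uid": "alice", "mail": "mallory@example.com", "userPassword": "otherpw"}),
]


def search(attribute: str, value: str, base: Optional[str] = None):
    """Equality search on one attribute, optionally limited to a subtree (DN suffix)."""
    return [e for e in DIRECTORY
            if e.attrs.get(attribute) == value and (base is None or e.dn.endswith(base))]


def authenticate(login: str, password: str,
                 resolve_local_part_with_attribute: Optional[str] = None) -> Optional[str]:
    """Return the mailbox identity (mail attribute) on success, None on any failure."""
    if "@" in login:
        # Full address: resolve inside the user base only.
        candidates = search("mail", login, base=USER_BASE)
    elif resolve_local_part_with_attribute is None:
        return None  # option absent (the default): bare local parts are rejected
    else:
        # Bare local part: resolve via the configured attribute across all branches,
        # which is what lets a one-app-login in another branch map onto the mailbox.
        candidates = search(resolve_local_part_with_attribute, login)
    if len(candidates) != 1:
        # Zero matches is an unknown user; more than one is the duplicate-uid case
        # the issue warns about, so refuse rather than pick an arbitrary entry.
        return None
    entry = candidates[0]
    if not hmac.compare_digest(entry.attrs["userPassword"].encode(), password.encode()):
        return None
    return entry.attrs["mail"]
```

The ambiguity check is the part a deployment should not skip: with a duplicate uid the safe outcome is a failed login, not a login into whichever entry the server happened to return first.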