[ https://issues.apache.org/jira/browse/JAMES-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tran Hong Quan updated JAMES-3930:
----------------------------------
Description:
h2. Why?
h3. User Story 1
We got several times the request: as a user, e.g. {{[email protected]}}, I want
to log in with just {{btellier}} but get access to my mails as
{{[email protected]}}.
Basically, if not presented with an email, we can fall back to a uid search to
get the LDAP entry, then pick the mail attribute to identify the mailbox.
h3. User story 2
Also, the following proposal allows for more complicated setups with one set
of creds per application:
As an administrator I do not want to leak user passwords to any third party
application, including IMAP/SMTP clients.
IMAP and SMTP apps are password based: they send the LOGIN + password upon auth
(unless you do a complex setup!)
Thus we want to generate one login-password couple, distinct for each app.
Let's call them {{one-app-login}} and {{one-app-password}}.
This could easily be done with the following LDAP architecture:
* dedicated branch for users. E.g. here: {{uid: btellier + mail:
[email protected]}}
* dedicated branch for one-app-logins and one-app-passwords. E.g. here: {{uid:
btellier-app1 + mail: [email protected]}}
* LemonLDAP-based generation of one-app-logins and one-app-passwords, with
one-app-passwords only shown once. Revocation possible for one-app-logins.
The mechanisms involved on the James side are basically the same as for US 1... So we
kill two birds with one stone.
h2. How?
Step 1: Modify the {{UsersRepository}} API to allow for username translation upon
authentication: return an Optional of username instead of a boolean upon auth.
Step 2: Add a {{resolveLocalPartWithAttribute}} property in
{{usersrepository.xml}}. If specified, the attribute will be used to resolve the
user when a localPart is specified. Otherwise localParts are rejected.
Step 3: Modify LDAPUsersRepository to return the username based on the user
obtained in step 2.
h2. Definition of done
Write integration tests in IMAP and SMTP for both US1 and US2 in
james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration
of the LDAP config file.
h2. Risk
If 2 LDAP entries have the same UID (even in different branches) it would cause a
breach in user isolation, allowing user A to access the account of user B.
As such the feature should be optional, turned off by default:
{code:xml}
<usersrepository name="LocalUsers"
    ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system"
    credentials="password"
    userBase="ou=People,o=myorg.com,ou=system"
    userIdAttribute="uid"
    userObjectClass="person">
    <enableVirtualHosting>true</enableVirtualHosting>
    <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
    <enableForwarding>true</enableForwarding>
</usersrepository>
{code}
{{resolveLocalPartWithAttribute}} is by default absent, causing local parts to
be rejected.
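As an added illustration (not Apache James code, and not part of this issue), the three "How?" steps and the "Risk" check, simulated in Python against a constructed in-memory directory standing in for LDAP. The class name, the search scopes and every directory value are assumptions; the point is that an absent property rejects bare local parts, and that a uid matching more than one entry is refused instead of resolved:

```python
"""Added example, not Apache James code: JAMES-3930's proposed login resolution,
run against a constructed in-memory stand-in for LDAP. Names/values are assumptions."""
from hmac import compare_digest
from typing import Optional

USER_BASE = "ou=People,o=myorg.com"
# Constructed entries: a People branch (User Story 1) and an AppLogins branch
# for one-app-logins (User Story 2). The two "dup" entries reproduce the Risk
# section: the same uid in two different branches.
DIRECTORY = [
    {"dn": "uid=btellier,ou=People,o=myorg.com", "uid": "btellier",
     "mail": "btellier@example.com", "userPassword": "main-pw"},
    {"dn": "uid=btellier-app1,ou=AppLogins,o=myorg.com", "uid": "btellier-app1",
     "mail": "btellier@example.com", "userPassword": "app1-pw"},
    {"dn": "uid=dup,ou=People,o=myorg.com", "uid": "dup",
     "mail": "alice@example.com", "userPassword": "alice-pw"},
    {"dn": "uid=dup,ou=AppLogins,o=myorg.com", "uid": "dup",
     "mail": "bob@example.com", "userPassword": "bob-pw"},
]


class LdapUsersRepository:
    def __init__(self, resolve_local_part_with_attribute: Optional[str] = None):
        # Step 2: absent by default, so bare local parts are rejected.
        self.resolve_attr = resolve_local_part_with_attribute

    @staticmethod
    def _search(attribute: str, value: str, base: str = "") -> list:
        # Assumed scope: email logins are looked up under USER_BASE only,
        # local parts across the whole tree (hence the cross-branch risk).
        return [e for e in DIRECTORY
                if e.get(attribute) == value and e["dn"].endswith(base)]

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Step 1: return the resolved username (or None), not a boolean."""
        if "@" in login:
            candidates = self._search("mail", login, USER_BASE)
        elif self.resolve_attr is None:
            return None
        else:
            candidates = self._search(self.resolve_attr, login)
        # Risk section: a uid matching several entries must not authenticate;
        # picking either one could hand user A the mailbox of user B.
        if len(candidates) != 1:
            return None
        entry = candidates[0]
        # Stand-in for an LDAP bind with the entry's DN and the password.
        if not compare_digest(entry["userPassword"], password):
            return None
        # Step 3: the mail attribute identifies the mailbox to grant access to.
        return entry["mail"]
```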
was:
## Why?
### User Story 1
We got several times the request: as a user, e.g. `[email protected]`, I want to
log in with just `btellier` but get access to my mails as
`[email protected]`.
Basically, if not presented with an email, we can fall back to a uid search to
get the LDAP entry, then pick the mail attribute to identify the mailbox.
### User story 2
Also, the following proposal allows for more complicated setups with one set
of creds per application:
As an administrator I do not want to leak user passwords to any third party
application, including IMAP/SMTP clients.
IMAP and SMTP apps are password based: they send the LOGIN + password upon auth
(unless you do a complex setup!)
Thus we want to generate one login-password couple, distinct for each app.
Let's call them `one-app-login` and `one-app-password`.
This could easily be done with the following LDAP architecture:
- dedicated branch for users. E.g. here: `uid: btellier + mail:
[email protected]`
- dedicated branch for one-app-logins and one-app-passwords. E.g. here: `uid:
btellier-app1 + mail: [email protected]`
- LemonLDAP-based generation of one-app-logins and one-app-passwords, with
one-app-passwords only shown once. Revocation possible for one-app-logins.
The mechanisms involved on the James side are basically the same as for US 1... So we
kill two birds with one stone.
## How?
Step 1: Modify the `UsersRepository` API to allow for username translation upon
authentication: return an Optional of username instead of a boolean upon auth.
Step 2: Add a `resolveLocalPartWithAttribute` property in `usersrepository.xml`.
If specified, the attribute will be used to resolve the user when a localPart is
specified. Otherwise localParts are rejected.
Step 3: Modify LDAPUsersRepository to return the username based on the user
obtained in step 2.
## Definition of done
Write integration tests in IMAP and SMTP for both US1 and US2 in
james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration
of the LDAP config file.
## Risk
If 2 LDAP entries have the same UID (even in different branches) it would cause a
breach in user isolation, allowing user A to access the account of user B.
As such the feature should be optional, turned off by default:
```xml
<usersrepository name="LocalUsers"
    ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system"
    credentials="password"
    userBase="ou=People,o=myorg.com,ou=system"
    userIdAttribute="uid"
    userObjectClass="person">
    <enableVirtualHosting>true</enableVirtualHosting>
    <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
    <enableForwarding>true</enableForwarding>
</usersrepository>
```
`resolveLocalPartWithAttribute` is by default absent, causing local parts to be
rejected.
> LDAP: support for localpart as login when virtualHosting is on
> --------------------------------------------------------------
>
> Key: JAMES-3930
> URL: https://issues.apache.org/jira/browse/JAMES-3930
> Project: James Server
> Issue Type: Improvement
> Components: ldap, UsersStore & UsersRepository
> Reporter: Tran Hong Quan
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)