[ https://issues.apache.org/jira/browse/JAMES-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tran Hong Quan updated JAMES-3930:
----------------------------------
    Description:

h2. Why?

h3. User Story 1

We got the following request several times: as a user, e.g. {{btell...@linagora.com}}, I want to log in with just {{btellier}} but get access to my mails as {{btell...@linagora.com}}.

Basically, if not presented with an email, we can fall back to a uid search to get the LDAP entry, then pick the mail attribute to identify the mailbox.

h3. User Story 2

The following proposal also allows for a more complicated setup with one set of credentials per application:

As an administrator I do not want to leak user passwords to any third-party application, including IMAP/SMTP clients.

IMAP and SMTP apps are password based: they send the LOGIN + password upon auth (unless you do a complex setup!)

Thus we want to generate one login-password pair, distinct for each app. Let's call them {{one-app-login}} and {{one-app-password}}.

This could easily be done with the following LDAP architecture:
* a dedicated branch for users. E.g. here: {{uid: btellier + mail: btell...@linagora.com}}
* a dedicated branch for one-app-logins and one-app-passwords. E.g. here: {{uid: btellier-app1 + mail: btell...@linagora.com}}
* LemonLDAP-based generation of one-app-logins and one-app-passwords, with one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanisms involved on the James side are basically the same as in US 1... So we kill one bird with two stones.

h2. How?

Step 1: Modify the {{UsersRepository}} API to allow for username translation upon authentication. Return an Optional of username instead of a boolean upon auth.

Step 2: Add a {{resolveLocalPartWithAttribute}} property in {{usersrepository.xml}}. If specified, the attribute will be used to resolve the user if a localPart is specified. Otherwise localParts are rejected.

Step 3: Modify LDAPUsersRepository to return the username based on the user obtained in step 2.

h2. Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.

h2. Risk

If 2 LDAP entries have the same UID (even in different branches) it would cause a breach in user isolation, allowing user A to access the account of user B. As such the feature should be optional, turned off by default:

{code:xml}
<usersrepository name="LocalUsers"
    ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system"
    credentials="password"
    userBase="ou=People,o=myorg.com,ou=system"
    userIdAttribute="uid"
    userObjectClass="person">
  <enableVirtualHosting>true</enableVirtualHosting>
  <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
  <enableForwarding>true</enableForwarding>
</usersrepository>
{code}

{{resolveLocalPartWithAttribute}} is by default absent, causing local parts to be rejected.


was:
## Why?

### User Story 1

We got the following request several times: as a user, e.g. `btell...@linagora.com`, I want to log in with just `btellier` but get access to my mails as `btell...@linagora.com`.

Basically, if not presented with an email, we can fall back to a uid search to get the LDAP entry, then pick the mail attribute to identify the mailbox.

### User Story 2

The following proposal also allows for a more complicated setup with one set of credentials per application:

As an administrator I do not want to leak user passwords to any third-party application, including IMAP/SMTP clients.

IMAP and SMTP apps are password based: they send the LOGIN + password upon auth (unless you do a complex setup!)

Thus we want to generate one login-password pair, distinct for each app. Let's call them `one-app-login` and `one-app-password`.

This could easily be done with the following LDAP architecture:
- a dedicated branch for users. E.g. here: `uid: btellier + mail: btell...@linagora.com`
- a dedicated branch for one-app-logins and one-app-passwords. E.g. here: `uid: btellier-app1 + mail: btell...@linagora.com`
- LemonLDAP-based generation of one-app-logins and one-app-passwords, with one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanisms involved on the James side are basically the same as in US 1... So we kill one bird with two stones.

## How?

Step 1: Modify the `UsersRepository` API to allow for username translation upon authentication. Return an Optional of username instead of a boolean upon auth.

Step 2: Add a `resolveLocalPartWithAttribute` property in `usersrepository.xml`. If specified, the attribute will be used to resolve the user if a localPart is specified. Otherwise localParts are rejected.

Step 3: Modify LDAPUsersRepository to return the username based on the user obtained in step 2.

## Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.

## Risk

If 2 LDAP entries have the same UID (even in different branches) it would cause a breach in user isolation, allowing user A to access the account of user B. As such the feature should be optional, turned off by default:

```
<usersrepository name="LocalUsers"
    ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system"
    credentials="password"
    userBase="ou=People,o=myorg.com,ou=system"
    userIdAttribute="uid"
    userObjectClass="person">
  <enableVirtualHosting>true</enableVirtualHosting>
  <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
  <enableForwarding>true</enableForwarding>
</usersrepository>
```

`resolveLocalPartWithAttribute` is by default absent, causing local parts to be rejected.
> LDAP: support for localpart as login when virtualHosting is on
> --------------------------------------------------------------
>
>                 Key: JAMES-3930
>                 URL: https://issues.apache.org/jira/browse/JAMES-3930
>             Project: James Server
>          Issue Type: Improvement
>          Components: ldap, UsersStore & UsersRepository
>            Reporter: Tran Hong Quan
>            Priority: Major

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
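The lookup described in the How and Risk sections, as an added example that is not part of the ticket or of Apache James: a Python model of the local-part resolution, returning an Optional username as step 1 proposes, with the uniqueness check that the duplicate-uid risk calls for. The in-memory directory, the base DN, the sample passwords and the names Config, resolve_login and authenticate are this example's own; it also assumes that the unchanged full-address path is an exact match on userIdAttribute.

```python
"""Model of the login resolution proposed in JAMES-3930 (added example, not
Apache James code). An in-memory entry list stands in for the LDAP directory
and a constant-time string compare stands in for the bind, so it runs offline.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LdapEntry:
    dn: str
    attributes: Dict[str, List[str]]
    password: str  # constructed; a real repository binds with the DN instead


@dataclass
class Config:
    """The subset of usersrepository.xml this model cares about."""
    user_base: str
    user_id_attribute: str = "uid"
    # Absent by default, as the ticket requires: local parts are then rejected.
    resolve_local_part_with_attribute: Optional[str] = None


class AmbiguousLogin(Exception):
    """More than one entry matched the local part: the isolation risk."""


# Constructed directory (assumption). USER_BASE covers both branches so the
# app-login branch of User Story 2 is searchable; the two "alice" entries in
# different branches reproduce the duplicate-uid risk from the ticket.
USER_BASE = "o=myorg.com,ou=system"
DIRECTORY = [
    LdapEntry("uid=btellier,ou=People," + USER_BASE,
              {"uid": ["btellier"], "mail": ["btellier@linagora.com"]}, "user-secret"),
    LdapEntry("uid=btellier-app1,ou=AppLogins," + USER_BASE,
              {"uid": ["btellier-app1"], "mail": ["btellier@linagora.com"]}, "app1-secret"),
    LdapEntry("uid=carol@linagora.com,ou=People," + USER_BASE,
              {"uid": ["carol@linagora.com"], "mail": ["carol@linagora.com"]}, "carol-secret"),
    LdapEntry("uid=alice,ou=People," + USER_BASE,
              {"uid": ["alice"], "mail": ["alice@linagora.com"]}, "alice-secret"),
    LdapEntry("uid=alice,ou=Contractors," + USER_BASE,
              {"uid": ["alice"], "mail": ["mallory@linagora.com"]}, "mallory-secret"),
]


def search(directory: List[LdapEntry], base: str, attribute: str, value: str) -> List[LdapEntry]:
    """Subtree search for (attribute=value) under base."""
    return [e for e in directory
            if e.dn.endswith(base) and value in e.attributes.get(attribute, [])]


def resolve_login(directory: List[LdapEntry], config: Config,
                  login: str) -> Optional[Tuple[LdapEntry, str]]:
    """Map a login to (entry, mailbox address), or None if it cannot be resolved.

    A full address takes the unchanged path: an exact match on userIdAttribute
    (this model's assumption about current behaviour). A bare local part is
    accepted only when resolveLocalPartWithAttribute is set, must match exactly
    one entry, and that entry's mail attribute identifies the mailbox.
    """
    if "@" in login:
        matches = search(directory, config.user_base, config.user_id_attribute, login)
        return (matches[0], login) if len(matches) == 1 else None
    attribute = config.resolve_local_part_with_attribute
    if attribute is None:
        return None  # option absent: local parts rejected
    matches = search(directory, config.user_base, attribute, login)
    if len(matches) > 1:
        # Never take the first hit: that is exactly how user A would reach user B's mailbox.
        raise AmbiguousLogin(f"{len(matches)} entries match {attribute}={login}")
    if not matches:
        return None
    mails = matches[0].attributes.get("mail", [])
    return (matches[0], mails[0]) if len(mails) == 1 else None


def authenticate(directory: List[LdapEntry], config: Config,
                 login: str, password: str) -> Optional[str]:
    """Return the username the session runs as, or None on failure.

    Mirrors step 1 of the ticket: an Optional username instead of a boolean,
    so an app-login such as btellier-app1 yields btellier@linagora.com.
    """
    resolved = resolve_login(directory, config, login)
    if resolved is None:
        return None
    entry, username = resolved
    return username if hmac.compare_digest(entry.password, password) else None


if __name__ == "__main__":
    on = Config(user_base=USER_BASE, resolve_local_part_with_attribute="uid")
    print(authenticate(DIRECTORY, on, "btellier-app1", "app1-secret"))  # btellier@linagora.com
```

The point of the model is the `len(matches) > 1` branch: a duplicate uid in another branch is refused outright instead of silently resolving to whichever entry the directory returned first, which is the breach the Risk section describes. An operator enabling the option should also enforce uniqueness of the chosen attribute in the directory itself, so the refusal is a safety net rather than the only control.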