Benoit Tellier closed JAMES-3930.

> LDAP: support for localpart as login when virtualHosting is on
> --------------------------------------------------------------
>                 Key: JAMES-3930
>                 URL: https://issues.apache.org/jira/browse/JAMES-3930
>             Project: James Server
>          Issue Type: Improvement
>          Components: ldap, UsersStore & UsersRepository
>            Reporter: Tran Hong Quan
>            Priority: Major
>             Fix For: 3.9.0
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
> h2. Why?
> h3. User Story 1
> We got several time the request: as a user eg {{btell...@linagora.com}} I 
> want to login with just {{btellier}} but get access to my mails as 
> {{{}btell...@linagora.com{}}}.
> Basically if not presented with an email, we can fallback to a uid search to 
> get the LDAP entry then pick the mail attribute to identify the mailbox.
> h3. User story 2
> Also the following proposal allows for more complicated setup to have one set 
> of creds per application:
> As an administrator I do not want to leak user password to any third party 
> application, including IMAP/SMTP clients.
> IMAP and SMTP apps are password based: they send the LOGIN + Password upon 
> auth (unless you do complex setup!)
> Thus we want to generate one couple of login-password distinct for each app. 
> Let's call them {{one-app-login}} and {{{}one-app-password{}}}.
> This could easily be done with the following LDAP architecture:
>  * dedicated branch for users. Eg here: {{uid: btellier + mail: 
> btell...@linagora.com}}
>  * dedicated branch for one-app-logins and one-app-passwords Eg here: {{uid: 
> btellier-app1 + mail: btell...@linagora.com}}
>  * LemonLDAP based for to generate one-app-logins and one-app-passwords, with 
> one-app-passwords only shown once. Revocation possible for one-app-logins.
> The mechanism involved on James side are basically the same than US 1... So 
> we kill one bird with two stones.
> h2. How?
> Step 1: Modify {{UsersRepository}} API to allow for username translation upon 
> authentication. Return an Optional of username instead of a boolean upon auth.
> Step 2: Add a {{resolveLocalPartWithAttribute}} property in 
> `usersrepository.xml. If specified the attribute will be used to resolve the 
> user if a localPart is specified. Overwize localParts are rejected.
> Step 3: Modify LDAPUsersRepository to return the username based on the user 
> obtained on step 2.
> h2. Definition of done
> Write integration tests in IMAP and SMTP for both US1 and US2 in 
> james-server-memory-app using TemporaryJamesServer for on the fly 
> configuration of the LDAP config file.
> h2. Risk
> If 2 LDA entries have the same UID (even on different brach) it would cause a 
> breach in user isolation, allowing user A to access account of user B.
> As such the feature should be option, turned off by default:
> {{            ldapHost="ldap://myldapserver:389";
>             principal="uid=ldapUser,ou=system"
>             credentials="password"
>             userBase="ou=People,o=myorg.com,ou=system"
>             userIdAttribute="uid"
>             userObjectClass="person">
>           <enableVirtualHosting>true</enableVirtualHosting>
>           <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
>           <enableForwarding>true</enableForwarding>
>         </usersrepository>}}
> {{revolveLocalPartWithAttribute}} is by default absent, causing local parts 
> to be rejected.

This message was sent by Atlassian Jira

To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to