[ https://issues.apache.org/jira/browse/JAMES-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3930.
---------------------------------

> LDAP: support for localpart as login when virtualHosting is on
> --------------------------------------------------------------
>
>                 Key: JAMES-3930
>                 URL: https://issues.apache.org/jira/browse/JAMES-3930
>             Project: James Server
>          Issue Type: Improvement
>          Components: ldap, UsersStore & UsersRepository
>            Reporter: Tran Hong Quan
>            Priority: Major
>             Fix For: 3.9.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> h2. Why?
>
> h3. User Story 1
>
> We got the request several times: as a user, e.g. {{btell...@linagora.com}}, I want to login with just {{btellier}} but get access to my mails as {{btell...@linagora.com}}.
>
> Basically, if not presented with an email, we can fall back to a uid search to get the LDAP entry, then pick the mail attribute to identify the mailbox.
>
> h3. User Story 2
>
> The following proposal also allows for a more complicated setup with one set of creds per application:
>
> As an administrator I do not want to leak user passwords to any third party application, including IMAP/SMTP clients.
>
> IMAP and SMTP apps are password based: they send the LOGIN + password upon auth (unless you do a complex setup!)
>
> Thus we want to generate one login-password couple, distinct for each app. Let's call them {{one-app-login}} and {{one-app-password}}.
>
> This could easily be done with the following LDAP architecture:
> * a dedicated branch for users. E.g. here: {{uid: btellier + mail: btell...@linagora.com}}
> * a dedicated branch for one-app-logins and one-app-passwords. E.g. here: {{uid: btellier-app1 + mail: btell...@linagora.com}}
> * LemonLDAP based generation of one-app-logins and one-app-passwords, with one-app-passwords only shown once. Revocation possible for one-app-logins.
>
> The mechanism involved on the James side is basically the same as in US 1... So we kill one bird with two stones.
>
> h2. How?
>
> Step 1: Modify the {{UsersRepository}} API to allow for username translation upon authentication. Return an Optional of username instead of a boolean upon auth.
>
> Step 2: Add a {{resolveLocalPartWithAttribute}} property in {{usersrepository.xml}}. If specified, the attribute will be used to resolve the user if a localPart is specified. Otherwise localParts are rejected.
>
> Step 3: Modify LDAPUsersRepository to return the username based on the user obtained in step 2.
>
> h2. Definition of done
>
> Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.
>
> h2. Risk
>
> If 2 LDAP entries have the same UID (even on different branches) it would cause a breach in user isolation, allowing user A to access the account of user B.
>
> As such the feature should be optional, turned off by default:
>
> {{<usersrepository ldapHost="ldap://myldapserver:389"
>     principal="uid=ldapUser,ou=system"
>     credentials="password"
>     userBase="ou=People,o=myorg.com,ou=system"
>     userIdAttribute="uid"
>     userObjectClass="person">
>   <enableVirtualHosting>true</enableVirtualHosting>
>   <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
>   <enableForwarding>true</enableForwarding>
> </usersrepository>}}
>
> {{resolveLocalPartWithAttribute}} is by default absent, causing local parts to be rejected.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org