Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
Description
Why?
User Story 1
We have received this request several times: as a user, e.g. btellier@linagora.com, I want to log in with just btellier but get access to my mails as btellier@linagora.com.
Basically, if not presented with an email address, we can fall back to a uid search to get the LDAP entry, then pick its mail attribute to identify the mailbox.
User story 2
The following proposal also allows a more elaborate setup with one set of credentials per application:
As an administrator I do not want to leak user passwords to any third-party application, including IMAP/SMTP clients.
IMAP and SMTP apps are password based: they send the login and password upon authentication (unless you do a complex setup!).
Thus we want to generate a distinct login/password pair for each app. Let's call them one-app-login and one-app-password.
This could easily be done with the following LDAP architecture:
- a dedicated branch for users. E.g. here: uid: btellier + mail: btellier@linagora.com
- a dedicated branch for one-app-logins and one-app-passwords. E.g. here: uid: btellier-app1 + mail: btellier@linagora.com
- a LemonLDAP-based tool to generate one-app-logins and one-app-passwords, with one-app-passwords shown only once. Revocation possible for one-app-logins.
The mechanisms involved on the James side are basically the same as for US1, so we kill two birds with one stone.
How?
Step 1: Modify the UsersRepository API to allow username translation upon authentication: return an Optional of username instead of a boolean.
Step 2: Add a resolveLocalPartWithAttribute property in usersrepository.xml. If specified, that attribute is used to resolve the user when a local part is given. Otherwise local parts are rejected.
Step 3: Modify LDAPUsersRepository to return the username based on the user obtained in step 2.
Definition of done
Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.
Risk
If 2 LDAP entries have the same UID (even in different branches) it would cause a breach in user isolation, allowing user A to access the account of user B.
As such the feature should be optional, turned off by default:
{{
<!-- opening tag restored for well-formedness; the class value is James's LDAP repository class and was not in the ticket text -->
<usersrepository class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository"
    ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system"
    credentials="password"
    userBase="ou=People,o=myorg.com,ou=system"
    userIdAttribute="uid"
    userObjectClass="person">
    <enableVirtualHosting>true</enableVirtualHosting>
    <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
    <enableForwarding>true</enableForwarding>
</usersrepository>
}}
resolveLocalPartWithAttribute is absent by default, causing local parts to be rejected.
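As an added example (not James's own code), the following Python model shows the resolution described in steps 1 to 3 together with the fail-closed handling the Risk section calls for. The directory entries, the LdapEntry and LdapConfig types and the resolve_entry and authenticate functions are all constructed for this illustration; the password check is a plain comparison standing in for an LDAP bind.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LdapEntry:
    """Constructed stand-in for an LDAP entry: a DN plus its attributes."""
    dn: str
    attributes: Dict[str, str]


# Constructed directory (not real data), mirroring the branches described in the ticket.
DIRECTORY: List[LdapEntry] = [
    # User branch (US1): bare uid, mailbox identity held in the mail attribute
    LdapEntry("uid=btellier,ou=People,o=myorg.com",
              {"uid": "btellier", "mail": "btellier@linagora.com", "userPassword": "user-secret"}),
    # One-app-login branch (US2): distinct uid and password, same mailbox
    LdapEntry("uid=btellier-app1,ou=Apps,o=myorg.com",
              {"uid": "btellier-app1", "mail": "btellier@linagora.com", "userPassword": "app1-secret"}),
    # Entry whose uid already is the full address (the pre-existing full-address login path)
    LdapEntry("uid=carol@linagora.com,ou=People,o=myorg.com",
              {"uid": "carol@linagora.com", "mail": "carol@linagora.com", "userPassword": "carol-secret"}),
    # The Risk scenario: the same uid in two branches, pointing at different mailboxes
    LdapEntry("uid=alice,ou=People,o=myorg.com",
              {"uid": "alice", "mail": "alice@linagora.com", "userPassword": "alice-secret"}),
    LdapEntry("uid=alice,ou=Contractors,o=myorg.com",
              {"uid": "alice", "mail": "mallory@linagora.com", "userPassword": "mallory-secret"}),
]


@dataclass(frozen=True)
class LdapConfig:
    """Subset of the usersrepository.xml settings relevant to resolution (assumed model)."""
    user_id_attribute: str = "uid"
    # None models the resolveLocalPartWithAttribute element being absent (the default)
    resolve_local_part_with_attribute: Optional[str] = None


def search(directory: List[LdapEntry], attribute: str, value: str) -> List[LdapEntry]:
    """Model of an LDAP equality search over the whole tree: every entry whose attribute equals value."""
    return [entry for entry in directory if entry.attributes.get(attribute) == value]


def resolve_entry(directory: List[LdapEntry], config: LdapConfig, login: str) -> Optional[LdapEntry]:
    """Find the single LDAP entry for a login, or None.

    A full address is matched against userIdAttribute (existing behaviour).
    A bare local part is matched against resolveLocalPartWithAttribute and is
    rejected when that option is not configured (step 2).
    """
    if "@" in login:
        attribute = config.user_id_attribute
    elif config.resolve_local_part_with_attribute is not None:
        attribute = config.resolve_local_part_with_attribute
    else:
        return None  # local parts are rejected unless explicitly enabled
    matches = search(directory, attribute, login)
    # Fail closed on ambiguity: two entries sharing the value (possibly in different
    # branches) would otherwise let one account authenticate as the other.
    if len(matches) != 1:
        return None
    return matches[0]


def authenticate(directory: List[LdapEntry], config: LdapConfig, login: str, password: str) -> Optional[str]:
    """Step 1: return the resolved username (the entry's mail attribute) instead of a boolean.

    None means the login could not be resolved or the password did not match.
    The constant-time comparison stands in for an LDAP bind against the entry.
    """
    entry = resolve_entry(directory, config, login)
    if entry is None:
        return None
    stored = entry.attributes.get("userPassword", "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return entry.attributes.get("mail")


if __name__ == "__main__":
    enabled = LdapConfig(resolve_local_part_with_attribute="uid")
    disabled = LdapConfig()
    print(authenticate(DIRECTORY, enabled, "btellier", "user-secret"))       # btellier@linagora.com
    print(authenticate(DIRECTORY, enabled, "btellier-app1", "app1-secret"))  # btellier@linagora.com
    print(authenticate(DIRECTORY, disabled, "btellier", "user-secret"))      # None: feature off
    print(authenticate(DIRECTORY, enabled, "alice", "alice-secret"))         # None: ambiguous uid
```

The point worth carrying into the real implementation is the `len(matches) != 1` check: a uid search that returns several entries is exactly the isolation breach the Risk section describes, so the resolver refuses rather than taking the first hit, and the app-specific login btellier-app1 still lands on btellier@linagora.com without ever exposing the user's own password.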