James Server - JAMES-3930

LDAP: support for localpart as login when virtualHosting is on


    Description

      Why?

      User Story 1

      We got the request several times: as a user, e.g. btellier@linagora.com, I want to log in with just btellier but get access to my mails as btellier@linagora.com.

      Basically, if not presented with an email address, we can fall back to a uid search to get the LDAP entry, then pick its mail attribute to identify the mailbox.

      User story 2

      The same proposal also allows a more elaborate setup with one set of credentials per application:

      As an administrator I do not want to leak the user's password to any third-party application, including IMAP/SMTP clients.

      IMAP and SMTP apps are password based: they send the LOGIN + password upon auth (unless you do a complex setup!).

      Thus we want to generate one distinct login/password pair for each app. Let's call them one-app-login and one-app-password.

      This could easily be done with the following LDAP architecture:

      • a dedicated branch for users. E.g. here: uid: btellier + mail: btellier@linagora.com
      • a dedicated branch for one-app-logins and one-app-passwords. E.g. here: uid: btellier-app1 + mail: btellier@linagora.com
      • a LemonLDAP-based flow to generate one-app-logins and one-app-passwords, with the one-app-password only shown once. Revocation of one-app-logins is possible.

      The mechanism involved on the James side is basically the same as for US 1... So we kill two birds with one stone.

      How?

      Step 1: Modify the UsersRepository API to allow for username translation upon authentication: return an Optional of the resolved username instead of a boolean.

      Step 2: Add a resolveLocalPartWithAttribute property in `usersrepository.xml`. If specified, that attribute is used to resolve the user when only a local part is supplied. Otherwise local parts are rejected.

      Step 3: Modify LDAPUsersRepository to return the username taken from the user entry obtained in step 2.

      Definition of done

      Write integration tests in IMAP and SMTP for both US1 and US2 in james-server-memory-app, using TemporaryJamesServer for on-the-fly configuration of the LDAP config file.

      Risk

      If 2 LDAP entries have the same uid (even in different branches) it would cause a breach in user isolation, allowing user A to access the account of user B.

      As such the feature should be optional, turned off by default:


          <usersrepository ldapHost="ldap://myldapserver:389"
              principal="uid=ldapUser,ou=system"
              credentials="password"
              userBase="ou=People,o=myorg.com,ou=system"
              userIdAttribute="uid"
              userObjectClass="person">
            <enableVirtualHosting>true</enableVirtualHosting>
            <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
            <enableForwarding>true</enableForwarding>
          </usersrepository>

      resolveLocalPartWithAttribute is absent by default, causing local parts to be rejected.
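      The resolution flow of steps 1 to 3, together with the uniqueness check the Risk section asks for, as an added Python sketch. This is not James code: it replaces LDAP with a constructed in-memory directory, and the ou=AppLogins branch name and the whole-tree search base are assumptions.

```python
from typing import Optional

USER_BASE = "ou=People,o=myorg.com,ou=system"      # userBase from the ticket's config
APP_BASE = "ou=AppLogins,o=myorg.com,ou=system"    # assumed name for the one-app-login branch

# Constructed in-memory stand-in for the two LDAP branches; not a real LDAP client.
DIRECTORY = [
    ("uid=btellier," + USER_BASE,
     {"uid": "btellier", "mail": "btellier@linagora.com", "userPassword": "s3cret"}),
    ("uid=btellier-app1," + APP_BASE,
     {"uid": "btellier-app1", "mail": "btellier@linagora.com", "userPassword": "app1-token"}),
    # Two entries sharing one uid in different branches: the isolation risk from the ticket.
    ("uid=dup," + USER_BASE,
     {"uid": "dup", "mail": "alice@linagora.com", "userPassword": "a"}),
    ("uid=dup," + APP_BASE,
     {"uid": "dup", "mail": "bob@linagora.com", "userPassword": "b"}),
]


def ldap_search(base: str, attribute: str, value: str):
    """Subtree search for (attribute=value) under base, returned as (dn, attrs) pairs."""
    return [(dn, a) for dn, a in DIRECTORY if dn.endswith(base) and a.get(attribute) == value]


def bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind as dn with the supplied password."""
    return any(d == dn and a.get("userPassword") == password for d, a in DIRECTORY)


def authenticate(login: str, password: str,
                 resolve_local_part_with_attribute: Optional[str] = None) -> Optional[str]:
    """Return the mailbox username on success, None on failure (the Optional of step 1)."""
    if "@" in login:
        # Virtual hosting on: a full address is the mailbox name, looked up in the user branch.
        matches = ldap_search(USER_BASE, "mail", login)
    elif resolve_local_part_with_attribute is None:
        return None  # property absent (the default): bare local parts are rejected
    else:
        # Local part: search the whole tree by the configured attribute (uid here), so
        # both regular users and one-app-logins resolve to the owning mail attribute.
        matches = ldap_search("o=myorg.com,ou=system", resolve_local_part_with_attribute, login)
    if len(matches) != 1:
        # Unknown login, or several entries share the uid across branches: refuse rather
        # than take the first hit, which would let one account open another's mailbox.
        return None
    dn, attrs = matches[0]
    if not bind(dn, password):
        return None
    return attrs["mail"]
```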

      People

        Assignee: Unassigned
        Reporter: QuanTH (Tran Hong Quan)