[tpop3d-discuss] LDAP module for tpop3D (and virtual domains)

Prune Prune at lecentre.net
Sat, 02 Feb 2002 12:14:58 +0100



re,

Paul Makepeace wrote:

>On Sat, Feb 02, 2002 at 01:53:07AM +0100, Prune wrote:
>
>>   Hi,
>>   Almost done...
>>   I have to be fresh tomorrow so I'm going to sleep.
>>   I'm currently porting the auth_mysql to auth_ldap, this way :
>>   having :
>>   auth_ldap_host : hostname
>>   auth_ldap_port : port (389)
>>   -> this will go to auth_ldap_url = "ldap://localhost:389", for example.
>>   (as soon as I have time)
>>   auth_ldap_base_dn :    ex : "dc=society, dc=com"
>>   auth_ldap_login : login for admin auth
>>   auth_ldap_pass : password of admin
>>   auth_ldap_maildrop_attr : attribute containing where to put the mail
>>   (ex : maildrop)
>>   auth_ldap_mail_attr : attribute on which we do the search  (ex : mail)
>>   auth_ldap_uid_attr : the uid of the owner
>>   first, we connect to LDAP and bind as admin
>>
>
>The most obvious thing I would say is not to perform mail-related
>searches as admin, if by admin you mean LDAP root. By default, LDAP is
>an unencrypted protocol and you really don't want to expose your root,
>nor put yourself in the position of making a mistake and damaging your
>database. Further, your ACLs are not taking effect with the
>admin/root user.
>
>If by admin you mean some ordinary user with different ACLs, then
>disregard the above :-)
>
My mistake.... of course, I'll not use, personally, the "root" (or 
admin) account. Only a privileged one, who can search the whole 
directory. Then... as it's in the conf file, you do what you want... :)
On the next version, I'll try to implement TLS, so every dialog will be 
encrypted. Just give me some time :))


>>   then, we search for the DN of the requested mail, and all attributes
>>   of the mail
>>   We finally bind as the user (with the provided password... this is how
>>   LDAP does auth)
>>   if the bind is successful, we return attributes
>>
>
>I'm curious why you bind twice?
>
The first bind is for a directory search, to find the user DN.
The second is just a way to check for password validity. It relies on 
LDAP itself, rather than having to encrypt the password the good way and 
check it.

We can't bind directly with the user because we don't have the DN...

>>   Do you have LDAP experience yet ?
>>
>
>http://paulmakepeace.com/resume_detail.html#slb.com altho' it's
>certainly been a while...
>
>If you're going to use LDAP URL format, you could consider putting the
>rest of the information like base dn, authentication, port etc, in
>there. LDAP URL format looks rather ugly but it's at least well known.
>
Of course, I'll put everything I can in there... :)

Cheers,

Prune
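The two-bind flow discussed above (search-account bind, DN lookup by mail attribute, then bind as the user), written out as an added example that is not tpop3d's auth_ldap code. The directory is a constructed in-memory stand-in rather than a real libldap client, and the config keys follow the names proposed in the thread; the two checks that the thread leaves implicit, escaping the client-supplied mail address in the filter and refusing an empty password before the user bind, are included because a simple bind with an empty password is an anonymous bind that succeeds.

```python
def escape_filter_value(value):
    """RFC 4515 escaping: a client-supplied mail address must not be able to
    change the shape of the search filter (e.g. turn it into (mail=*))."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (assumption: not a
    real libldap client). entries = {dn: {"attrs": {...}, "password": str}}."""
    def __init__(self, entries):
        self.entries = entries

    def simple_bind(self, dn, password):
        # Mirrors RFC 4513 5.1.2: a DN with an empty password is an anonymous
        # bind that succeeds, so authenticate() must refuse empty passwords first.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, filt):
        # Supports only the (attr=value) shape built below plus a bare wildcard.
        attr, _, value = filt[1:-1].partition("=")
        return [(dn, e["attrs"]) for dn, e in self.entries.items()
                if value == "*" or e["attrs"].get(attr) == value]

def authenticate(directory, conf, mail, password):
    """Two-bind flow from the thread. Returns the maildrop path or None."""
    if not password:                       # see simple_bind() comment
        return None
    # 1. bind as the (non-root) search account from the config file
    if not directory.simple_bind(conf["auth_ldap_login"], conf["auth_ldap_pass"]):
        return None
    # 2. look up the DN by mail attribute, with the value escaped
    filt = "(%s=%s)" % (conf["auth_ldap_mail_attr"], escape_filter_value(mail))
    results = directory.search(filt)
    if len(results) != 1:                  # unknown or ambiguous user
        return None
    dn, attrs = results[0]
    # 3. bind as the user; LDAP checks the password for us
    if not directory.simple_bind(dn, password):
        return None
    return attrs.get(conf["auth_ldap_maildrop_attr"])

# Constructed sample config and directory used by the checks below.
SAMPLE_CONF = {"auth_ldap_login": "cn=pop3,dc=society,dc=com", "auth_ldap_pass": "search-pw",
               "auth_ldap_mail_attr": "mail", "auth_ldap_maildrop_attr": "maildrop"}
SAMPLE_DIR = FakeDirectory({
    "cn=pop3,dc=society,dc=com": {"attrs": {}, "password": "search-pw"},
    "uid=alice,dc=society,dc=com": {"attrs": {"mail": "alice@society.com", "maildrop": "/var/mail/alice"}, "password": "s3cret"}})
```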

