[tpop3d-discuss] ldap virtual auth plugin : near release

Chris Lightfoot chris at ex-parrot.com
Mon, 18 Feb 2002 15:13:00 +0000


On Mon, Feb 18, 2002 at 03:44:11PM +0100, Prune wrote:
> So.....
> the plugin is finally finished. I just need to clear things like logs 
> and be sure no memory leaks stay around.
> I added many things in the configuration file, so everything is 
> customisable:
> 
>  "auth-ldap-username" : manager username to bind ldap
>  "auth-ldap-password" : manager's password
>  "auth-ldap-mail-user" : predefined username to chown when fork
>  "auth-ldap-mail-group" : predefined group to chgrp to when fork
>  "auth-ldap-filter-attr" : attribute to compare to the mail account
>  "auth-ldap-filter-addon" : some more attributes a user would like to 
>                             add to the filter
>  "auth-ldap-url" : ldap url formatted string giving host, port and base 
>                    ldap server
>  "auth-ldap-use-TLS" : on/off, activate TLS (encryption of data 
>                        between the pop and the ldap server)
>  "auth-ldap-mailbox-attr" : ldap attribute to return as mailbox path 
>                             (default to "maildrop", but must be changed to
>                             "mailbox" according to RFC's)
>  "auth-ldap-uid-attr" : ldap attribute to return as uid when pop3d 
>                         forks (if not defined in "auth-ldap-mail-user")
>  "auth-ldap-gid-attr" : ldap attribute to return as gid when pop3d 
>                         forks (if not defined in "auth-ldap-mail-group")
> 
> 
> What it does :
> 
> -do auth against an ldap server
> -get the location of the mailbox (or maildir) from LDAP
> -get the uid/gid of the mailbox from LDAP

OK, this all looks sensible. I take it that the way that
authentication is done is defined by LDAP, so that you
don't have to retrieve a password from the directory
explicitly?

> what does it need : openldap 2.x (not tested with any other ldap SDK). 
> Your openldap must support TLS if you want to be able to use this function.
> 
> how it works :
> -the way tpop3d deals with mailbox types is not the same as postfix does. 
> This plugin has been developed for using tpop3d with postfix :
>    postfix virtual delivery agent gets the mailbox path from ldap like 
> :  "/var/mail/virtuals/user1/"
>    the / at the end means it is a maildir format.
>    tpop3d wanted it like "maildir:/var/mail/virtuals/user1"
>   
>    As the mysql plugin forces "bsd" mailbox, I chose to force my 
> ldap plugin to check the last char of the mailbox path.
>    The plugin so works in postfix's way.

Hmm. Better, I think, to stat the path given and choose a
mailbox type based upon whether it's a file or a
directory. Is the model used by postfix typical of how
other MTAs work?

> -the apop function is not (yet) integrated. In fact it seems to be the 
> same as the normal pop. Am I right ?

Not quite. For APOP you need to be able to retrieve a
plaintext password which is used in a challenge-response
dialogue. If you can't get a plaintext password out of the
directory, then you can't do APOP, but this is not a very
serious problem as APOP is not widely used and there are
better ways to secure the POP3 protocol.

> -the server connects only once. If the connection ends up, it will be 
> re-opened next time someone tries to authenticate.

OK.

>    -I'll check to see how to do asynchronous searches, so multiple 
> requests could be done at a time.

tpop3d is not organised in such a way as to make this
easy, so it's probably not worth doing.

> -the server can only use one server. I would like to add support for 
> multi server and failover.

That's sensible.

> Finally :
> 
> 
> -who would like to test ?
> -who (chris ?) will plainly add my module to the distrib ?
>    as for now I can give auth_ldap.c and auth_ldap.h. we need to modify 
> the makefile to add -I/-L  and -lldap for openldap libs.
> 
> For testing, at the moment, files are still named "auth_mysql.c", Makefile is 
> changed by hand, but everything works fine.
> 
> who wants to integrate it to the actual pre-release ?

If you send me the code, I will integrate it into a new
pre-release.

> chris : I would like to know what is the difference between the "home" 
> and the "mailbox" in an authcontext ? my plugin returns the same, as users 
> are only present in the LDAP, and not in the system's password file....

In this case you probably don't care about the value of
a->home. This value is used to allow path-specs for
mailboxes to be relative to user home directories.

-- 
 Transported to a surreal landscape, a young girl kills the first woman
 she meets, then teams up with three complete strangers to kill again.
 (Rick Polito, describing the film `The Wizard Of Oz')
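Two points in the exchange above are worth seeing in code: Chris's suggestion to pick the mailbox type by stat()ing the path instead of looking at a trailing slash, and his explanation of why APOP needs a plaintext secret on the server side. The block below is an added illustration written for this archive page; it is not code from tpop3d, from Prune's auth_ldap plugin, or from postfix. It assumes the "maildir:" / "bsd" spec prefixes the thread mentions for tpop3d, builds its own throw-away mailbox fixture in a temporary directory, and uses the APOP worked example from RFC 1939 (timestamp `<1896.697170952@dbc.mtview.ca.us>`, secret `tanstaaf`). The `{SCHEME}` prefix check in `apop_possible()` is an assumption about how hashed `userPassword` values are commonly stored in a directory, not something the thread states.

```python
import hashlib
import hmac
import os
import shutil
import stat
import tempfile

# --- Mailbox type: trailing-slash convention versus stat() ---------------

def mailbox_spec_from_suffix(path):
    """Postfix convention as Prune describes it: a trailing '/' means maildir,
    anything else is a single-file (bsd) mailbox. Purely syntactic."""
    if path.endswith("/"):
        return "maildir:" + path.rstrip("/")
    return "bsd:" + path


def mailbox_spec_from_stat(path):
    """Chris's suggestion: decide by what is actually on disk.
    A directory becomes 'maildir:<path>', a regular file 'bsd:<path>';
    a missing path or any other object type (socket, device, ...) yields None
    so the caller can refuse to open something unexpected."""
    clean = path.rstrip("/") or "/"
    try:
        st = os.stat(clean)          # follows symlinks, like a mail reader would
    except OSError:
        return None
    if stat.S_ISDIR(st.st_mode):
        return "maildir:" + clean
    if stat.S_ISREG(st.st_mode):
        return "bsd:" + clean
    return None


def demo_mailbox_classification():
    """Constructed fixture: one maildir-style directory and one bsd-style file,
    classified both ways. Returns a dict of results keyed by case label."""
    base = tempfile.mkdtemp(prefix="tpop3d-example-")
    try:
        maildir = os.path.join(base, "user1")
        os.mkdir(maildir)
        mbox = os.path.join(base, "user2")
        with open(mbox, "w") as fh:
            fh.write("From user2@example.invalid Mon Feb 18 15:13:00 2002\n\n")
        return {
            "dir_suffix": mailbox_spec_from_suffix(maildir + "/"),
            "dir_stat": mailbox_spec_from_stat(maildir + "/"),
            "file_suffix": mailbox_spec_from_suffix(mbox),
            "file_stat": mailbox_spec_from_stat(mbox),
            # directory value with a stray trailing slash on what is really a file:
            # the suffix rule is fooled, stat() is not
            "file_with_slash_suffix": mailbox_spec_from_suffix(mbox + "/"),
            "file_with_slash_stat": mailbox_spec_from_stat(mbox + "/"),
            "missing_stat": mailbox_spec_from_stat(os.path.join(base, "nobody")),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


# --- APOP: why the server needs the plaintext secret ----------------------

# Worked example from RFC 1939 section 7.
RFC1939_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"
RFC1939_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"


def apop_digest(timestamp, secret):
    """Client side of APOP: hex(MD5(timestamp || secret)), where timestamp is
    the msg-id-like banner the server put in its +OK greeting."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_verify(timestamp, stored_secret, client_digest):
    """Server side: recompute the digest from the plaintext secret it holds and
    compare in constant time. There is no way to do this from a password hash,
    which is the point Chris makes above."""
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected, client_digest.lower())


def apop_possible(stored_value):
    """Assumption: userPassword is either plaintext or an RFC 2307 style
    '{SCHEME}...' hash. Only the plaintext form can drive apop_verify()."""
    return not stored_value.startswith("{")


if __name__ == "__main__":
    for label, spec in demo_mailbox_classification().items():
        print("%-24s %s" % (label, spec))
    print("APOP ok:", apop_verify(RFC1939_TIMESTAMP, RFC1939_SECRET, RFC1939_DIGEST))
    print("APOP possible with {SSHA}:", apop_possible("{SSHA}placeholder-hash"))
```

The mismatch case (`file_with_slash_*`) is the practical reason to prefer stat(): a directory entry that says "maildir" for what is really a single file makes the suffix rule open the wrong kind of mailbox, while the stat()-based check reports what is really there and returns None for anything that is neither a file nor a directory.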