[tpop3d-discuss] ldap virtual auth plugin : near release

Prune prune at lecentre.net
Thu, 21 Feb 2002 09:47:08 +0100



hi,

Chris Lightfoot wrote:

>On Mon, Feb 18, 2002 at 05:08:52PM +0100, Prune wrote:
>    [ auth-ldap stuff ]
>
>I've been working on integrating this-- there are a couple
>of things I'm not happy with in the existing code, for
>instance the use of fixed-length buffers, which I'm
>changing, but in the meantime, I have a couple of
>questions:
>
>  - Firstly, can you give me some example data against
>    which the plugin should be able to authenticate (in
>    LDIF format or whatever). I'm not very familiar with
>    LDAP and it's not quite clear to me what the code is
>    expecting to find in the directory.
>
My test user is:

 more ~/ldapbrowser/toto.ldif
dn: uid=toto, ou=users, ou=copain2000.com, dc=lecentre, dc=net
sn: totoo
userPassword:: dG90bw==
uidNumber: 10000
gidNumber: 6
mail: toto@ici
objectClass: inetOrgPerson
objectClass: mailRecipient
uid: toto
cn: toto
maildrop: /var/mail/test1/

>
>
>>/* auth_mysql_new_user_pass */
>>
>>authcontext auth_mysql_new_user_pass(const char *user, const char *pass, const char *host /* unused */) {
>>  authcontext a = NULL;
>>  char *local_part = NULL;
>>  const char *domain;
>>  char *filter = NULL;
>>
>    [...]
>
>>    /* we split the login and the domain from the email style login given by the user */
>>    domain = user + strcspn(user, "@%!");
>>    if (domain == user || !*domain) return NULL;
>>    ++domain;
>>    local_part = xmalloc(domain - user);
>>    if (!local_part) return NULL;
>>    memset(local_part, 0, domain - user);
>>    strncpy(local_part, user, domain - user - 1);
>>
>
>  - Secondly, you never use the domain in constructing the
>    query against the directory. How do you specify the
>    existence of accounts in more than one domain?
>
You're right.
I search for the email address (unique, containing the domain). I use 
'user' to build the LDAP filter. 'user' is the mail+domain or whatever is 
typed by the user.
Maybe my search is not what people may want.
In the config file you can choose which attribute to search against. The 
'login' given by the user is stored in 'user'.
LDAP does not work as a DB does. You don't search for 'user=foo AND 
domain=bar.com'. The domain is contained in the DN, and can't really be 
searched. Instead we use unique attributes like email, or uid.


My problem, for now, is that you have to give a login with a '@', or 
you'll be treated as a 'liar!' :)
Maybe some people would like to have logins like 'toto%domain' or 
"toto_domain_com". This is not currently possible... (old Netscape does 
not allow @ in usernames, for example).
I think it's the same problem with other plugins?

Release the new tpop3d, and I'll work on this. It's simple to change.
Maybe you would like to have access to my test ldap server ?

>
>
>
>I think I understand broadly what your code does, though,
>so I should be able to finish integrating it and do
>another pre-release within the next few days.
>
Fine. I'll then modify a few things, and it will be ready.

Cheers,
Prune
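As an added example (not tpop3d's or Prune's code), here is the split-at-separator logic from the quoted snippet, generalised to accept '@', '%' or '!' as the separator, together with RFC 4515 escaping of the user-typed value before it is placed in the LDAP filter that searches the configured attribute (mail or uid). The names split_login, ldap_filter_escape and build_filter are hypothetical.

```c
/* Added example, not from tpop3d or the auth-ldap plugin: split an
 * "email-style" login at the first '@', '%' or '!' into local part and
 * domain, and build an LDAP filter whose value is escaped per RFC 4515 so
 * that characters typed by the client cannot change the filter structure. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split "user" into a newly allocated local part and a pointer to the
 * domain. Returns 0 on success, -1 when there is no separator or either
 * side of it is empty ("toto", "@x", "x@"). Caller frees *local_part. */
int split_login(const char *user, char **local_part, const char **domain) {
    const char *sep = user + strcspn(user, "@%!");
    size_t n = (size_t)(sep - user);
    if (sep == user || !*sep || !sep[1]) return -1;
    *local_part = malloc(n + 1);
    if (!*local_part) return -1;
    memcpy(*local_part, user, n);
    (*local_part)[n] = '\0';
    *domain = sep + 1;
    return 0;
}

/* Escape a filter assertion value per RFC 4515: '*', '(', ')' and '\'
 * become "\xx" (a NUL cannot occur inside a C string). Caller frees. */
char *ldap_filter_escape(const char *s) {
    char *out = malloc(strlen(s) * 3 + 1), *p = out;
    if (!out) return NULL;
    for (; *s; ++s) {
        if (strchr("*()\\", *s))
            p += sprintf(p, "\\%02x", (unsigned char)*s);
        else
            *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build "(attr=value)" for the attribute chosen in the config file,
 * e.g. "mail" or "uid". Caller frees the result. */
char *build_filter(const char *attr, const char *value) {
    char *esc = ldap_filter_escape(value);
    if (!esc) return NULL;
    size_t n = strlen(attr) + strlen(esc) + 4;  /* "(" "=" ")" NUL */
    char *f = malloc(n);
    if (f) snprintf(f, n, "(%s=%s)", attr, esc);
    free(esc);
    return f;
}
```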
