[tpop3d-discuss] ldap virtual auth plugin : near release
Chris Lightfoot
chris at ex-parrot.com
Thu, 21 Feb 2002 10:11:04 +0000
On Thu, Feb 21, 2002 at 09:47:08AM +0100, Prune wrote:
[...]
> my test user is :
>
> more ~/ldapbrowser/toto.ldif
> dn: uid=toto, ou=users, ou=copain2000.com, dc=lecentre, dc=net
> sn: totoo
> userPassword:: dG90bw==
> uidNumber: 10000
> gidNumber: 6
> mail: toto@ici
> objectClass: inetOrgPerson
> objectClass: mailRecipient
> uid: toto
> cn: toto
> maildrop: /var/mail/test1/
OK.
> >> /* auth_mysql_new_user_pass */
> >>
> >> authcontext auth_mysql_new_user_pass(const char *user, const char *pass,
> >>                                      const char *host /* unused */) {
> >>     authcontext a = NULL;
> >>     char *local_part = NULL;
> >>     const char *domain;
> >>     char *filter = NULL;
> >>
> > [...]
> >
> >>     /* we split the login and the domain from the email style login given
> >>        by the user */
> >>     domain = user + strcspn(user, "@%!");
> >>     if (domain == user || !*domain) return NULL;
> >>     ++domain;
> >>     local_part = xmalloc(domain - user);
> >>     if (!local_part) return NULL;
> >>     memset(local_part, 0, domain - user);
> >>     strncpy(local_part, user, domain - user - 1);
> >>
> >
> > - Secondly, you never use the domain in constructing the
> > query against the directory. How do you specify the
> > existence of accounts in more than one domain?
> >
> you're right.
> I search for the email address (unique, containing the domain). I use
> 'user' to build ldap filter. 'user' is the mail+domain or whatever is
> typed by the user.
Ah, OK. Is this the normal procedure with LDAP? I had
understood that you were expected to build hierarchical
directories....
> Maybe my search is not what people may want.
> In the config file you can choose which attribute to search against. The
> 'login' given by the user is stored in 'user'.
> LDAP does not work as a DB does. You don't search for 'user=foo AND
> domain=bar.com'. The domain is contained in the DN, and can't really be
> searched. Instead we use unique attributes like email, or uid.
OK.
> My problem, by now, is that you have to give a login with a '@', or
> you'll be treated as a 'liar!' :)
> maybe some people would like to have logins as 'toto%domain' or
> "toto_domain_com". This is not actually possible... (old netscape does
> not allow @ in usernames, for example).
> I think it's the same problem with other plugins ?
No-- they allow the use of @, % or !. The simplest way to
fix this in your code is something like
    char *user2 = NULL, *p;
    /* ... */
    user2 = xstrdup(user);
    p = user2 + strcspn(user2, "@%!");
    if (p == user2 || !*p)
        goto fail;
    else
        *p = '@';
    /* ... */
    /* do search against user2 */
    /* ... */
    xfree(user2);
Is LDAP case-sensitive?
You establish whether the user has credentials on the
mailbox by seeing whether they can bind (roughly
equivalent to `log in', right?) to the LDAP server. Is
this the normal approach? (I had assumed that one would
have an attribute which contains a password hash -- as
auth-mysql does -- and then test that explicitly.)
> Release the new tpop3d, and I'll work on this. it's simple to change.
> Maybe you would like to have access to my test ldap server ?
I have OpenLDAP up and running, but if you could send me
(not to the list I think...) twenty or so account
specifications in the form above, that would be helpful.
--
``Any person who knowingly causes a nuclear weapon test explosion
or any other nuclear explosion is guilty of an offence....''
(Nuclear Explosions Act, 1998)
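As an added example (not code from this thread or from tpop3d), here is a self-contained C version of the normalisation Chris suggests: any of '@', '%' or '!' is accepted as the separator and rewritten to '@' before the search. It goes slightly beyond the snippet above in also rejecting an empty domain and in escaping the value before it is placed in the filter (RFC 4515), since the login string comes straight from the remote client. The function names normalise_login, ldap_filter_escape and build_login_filter are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept "local@domain", "local%domain" or "local!domain" and return a
 * newly allocated copy with the separator rewritten to '@'. Returns NULL
 * (a failed login for the caller) when there is no separator, an empty
 * local part, or an empty domain; the empty-domain check is an addition
 * to the snippet in the message above. The caller frees the result. */
char *normalise_login(const char *user) {
    char *user2, *p;
    if (!user || !(user2 = malloc(strlen(user) + 1))) return NULL;
    strcpy(user2, user);
    p = user2 + strcspn(user2, "@%!");
    if (p == user2 || !*p || !p[1]) {
        free(user2);
        return NULL;
    }
    *p = '@';
    return user2;
}

/* Escape a value that is about to be placed inside an LDAP search filter
 * (RFC 4515: '*', '(', ')' and '\' become \2a, \28, \29, \5c), so that
 * characters typed by the client cannot change the filter's structure.
 * Returns a newly allocated string; the caller frees it. */
char *ldap_filter_escape(const char *s) {
    static const char hex[] = "0123456789abcdef";
    char *out = malloc(strlen(s) * 3 + 1), *o = out;
    if (!out) return NULL;
    for (; *s; ++s) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\') {
            *o++ = '\\';
            *o++ = hex[((unsigned char)*s) >> 4];
            *o++ = hex[*s & 0x0f];
        } else *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* Build "(attr=value)" for the attribute chosen in the config file,
 * e.g. "(mail=toto@ici)". Returns NULL if the login is malformed. */
char *build_login_filter(const char *attr, const char *user) {
    char *norm = normalise_login(user), *esc, *filter;
    size_t n;
    if (!norm) return NULL;
    esc = ldap_filter_escape(norm);
    free(norm);
    if (!esc) return NULL;
    n = strlen(attr) + strlen(esc) + 4;      /* "(" attr "=" value ")" NUL */
    if ((filter = malloc(n)) != NULL) snprintf(filter, n, "(%s=%s)", attr, esc);
    free(esc);
    return filter;
}
```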