[tpop3d-discuss] LDAP authentication model

Chris Lightfoot chris at ex-parrot.com
Fri, 22 Feb 2002 11:21:54 +0000


OK, I'm getting closer to the point where I'm going to do
a pre-release with LDAP support, but I'm not quite certain
how to organise the operation of auth-ldap.

Presently, based on the contributed code, what I have is:

    auth-ldap-url, -username, -password
        base URL and credentials for doing search phase of
        authentication;

    auth-ldap-filter
        filter substitution string used to find a
        record[1] corresponding to a user;

So. We substitute for $(local_part) and $(domain) in
-filter, do the search and if there is exactly one result,
we try to bind with the user's supplied credentials.
If this succeeds, we have authenticated successfully and
can proceed. Now we need to know the parameters for
accessing the mailbox. These might come from the config
file, or the directory--

    auth-ldap-mailbox-attr
              mboxtype-attr
        names of LDAP attributes which contain the name of
        a mailbox and its type; if the latter is not
        specified, then guess based on the filename.

  (or)

    auth-ldap-mailbox
        mailbox to use for LDAP users

    ----

    auth-ldap-mail-user-attr
    auth-ldap-mail-group-attr
        names of LDAP attributes which give the UID and
        GID under which to access the mailbox.

  (or)

    auth-ldap-mail-user
    auth-ldap-mail-group
        UID and GID under which to access mailboxes


This mirrors the behaviour of the existing patch, but
cleans up a couple of issues and makes things more
configurable.

What I'm not certain about is how fallbacks should work.
Consider as a specific example the UID. There are several
combinations:

    - auth-ldap-mail-user specified
    - auth-ldap-mail-user-attr specified
    - directory contains an entry under that attribute

        Presumably we should use the value from the
        directory.

    - auth-ldap-mail-user specified
    - auth-ldap-mail-user-attr specified
    - directory does not contain an entry for that
      attribute

        Not clear. Do we fail authentication or use the
        value from the config file?

    - auth-ldap-mail-user not specified
    - auth-ldap-mail-user-attr specified
    - directory contains an entry under that attribute

        Fine.

    - auth-ldap-mail-user not specified
    - auth-ldap-mail-user-attr specified
    - directory does not contain an entry for that
      attribute

        Nothing we can do; authentication fails.

    - auth-ldap-mail-user not specified
    - auth-ldap-mail-user-attr specified

        Use value from config file.

    - auth-ldap-mail-user not specified
    - auth-ldap-mail-user-attr not specified

        Nothing we can do here; not enough information to
        proceed.

My inclination is to say that such pairs of directives are
incompatible: you can specify that some parameter is
obtained from the config file, or from the directory, but
not both. However, this is not the behaviour of the
original patch, in particular for mailbox locations (where
it guesses a location in /var/mail).

Do the more LDAP-experienced members of the audience think
that it's reasonable to make the behaviour exclusive per
the above, or is having some sort of fallback operation
important?

    ---
    1. Is that the right terminology?

-- 
 ``Speculation, by definition, is untrue.''
   (Peter Mandelson, in a BBC radio interview)
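The search-then-bind flow and the "value from the directory or from the config file" cases enumerated in the message above, worked through as an added example. This is illustrative code written for this page, not tpop3d's auth-ldap implementation or the contributed patch; the directive names follow the post, while the in-memory directory, the sample entries, and the `fallback` switch (standing for the non-exclusive behaviour the post asks about) are assumptions made for the illustration. Two checks a practitioner would want are included: the substituted $(local_part) and $(domain) are escaped per RFC 4515 before they go into the filter, since the local part is attacker-supplied at the POP3 prompt, and the search must return exactly one entry before any bind is attempted.

```python
"""Toy model of tpop3d-style search-then-bind LDAP authentication and the
"value from the directory or from the config file" choice discussed above.
Illustration only: the directory and bind step are in-memory stand-ins, the
directive names follow the post, and 'fallback' is a hypothetical switch."""
import re

# RFC 4515 escaping for values substituted into a filter: an unescaped
# user-controlled $(local_part) such as "*" or "x)(uid=admin" rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, local_part, domain):
    """Substitute $(local_part) and $(domain) into the auth-ldap-filter template."""
    subs = {"local_part": escape_filter_value(local_part),
            "domain": escape_filter_value(domain)}
    return re.sub(r"\$\((local_part|domain)\)", lambda m: subs[m.group(1)], template)

class ConfigError(Exception):
    pass

class AuthFailure(Exception):
    pass

PARAMS = ("mailbox", "mail-user", "mail-group")

def validate_config(config, fallback=False):
    """Exclusive model: each parameter comes from the file or the directory, not both."""
    for name in PARAMS:
        fixed, attr = config.get(f"auth-ldap-{name}"), config.get(f"auth-ldap-{name}-attr")
        if fixed is None and attr is None:
            raise ConfigError(f"neither auth-ldap-{name} nor auth-ldap-{name}-attr is set")
        if fixed is not None and attr is not None and not fallback:
            raise ConfigError(f"auth-ldap-{name} and auth-ldap-{name}-attr are exclusive")

def resolve(name, config, entry, fallback=False):
    """Pick one parameter from the user's entry (attribute -> list of values) or the file."""
    fixed, attr = config.get(f"auth-ldap-{name}"), config.get(f"auth-ldap-{name}-attr")
    if attr is None:
        return fixed
    values = entry.get(attr, [])
    if len(values) == 1:
        return values[0]
    if not values and fallback and fixed is not None:
        return fixed                  # directory silent: the config file supplies the value
    raise AuthFailure(f"{attr}: need exactly one value, found {len(values)}")

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class FakeDirectory:
    """Stand-in for an LDAP server: entries keyed by DN, single equality filter only."""
    def __init__(self, entries):
        self.entries = entries
    def search(self, flt):
        m = re.fullmatch(r"\(([\w-]+)=(.*)\)", flt)
        if not m:
            raise ValueError(f"toy server understands only (attr=value), got {flt}")
        attr, wanted = m.group(1), _unescape(m.group(2))
        return [(dn, e) for dn, e in self.entries.items() if wanted in e.get(attr, [])]
    def bind(self, dn, password):
        return password == self.entries[dn].get("userPassword", [None])[0]

def authenticate(config, directory, local_part, domain, password, fallback=False):
    """Search phase, bind as the one matching DN, then gather the mailbox parameters."""
    validate_config(config, fallback)
    matches = directory.search(build_filter(config["auth-ldap-filter"], local_part, domain))
    if len(matches) != 1:   # zero or several hits: refuse rather than guess which DN to bind as
        raise AuthFailure(f"filter matched {len(matches)} entries, need exactly 1")
    dn, entry = matches[0]
    if not directory.bind(dn, password):
        raise AuthFailure("bind failed")
    return {name: resolve(name, config, entry, fallback) for name in PARAMS}

# Constructed sample data (not from any real directory).
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=org": {
        "mail": ["alice@example.org"], "userPassword": ["s3cret"],
        "mailMessageStore": ["/var/spool/mail/alice"], "uidNumber": ["1001"]},
    "uid=bob,ou=people,dc=example,dc=org": {      # no uidNumber attribute
        "mail": ["bob@example.org"], "userPassword": ["hunter2"],
        "mailMessageStore": ["/var/spool/mail/bob"]},
    "uid=carol,ou=people,dc=example,dc=org": {"mail": ["shared@example.org"]},
    "uid=dave,ou=people,dc=example,dc=org": {"mail": ["shared@example.org"]},
})
EXCLUSIVE = {"auth-ldap-filter": "(mail=$(local_part)@$(domain))",
             "auth-ldap-mailbox-attr": "mailMessageStore",
             "auth-ldap-mail-user-attr": "uidNumber",
             "auth-ldap-mail-group": "mail"}
BOTH = dict(EXCLUSIVE, **{"auth-ldap-mail-user": "8"})  # mail-user AND mail-user-attr set

def outcome(config, local_part, domain, password, fallback=False):
    """Parameter dict on success, else the exception class name (for the demo/tests)."""
    try:
        return authenticate(config, DIRECTORY, local_part, domain, password, fallback)
    except (ConfigError, AuthFailure) as exc:
        return type(exc).__name__
```

With the exclusive model, `BOTH` is rejected at config-validation time rather than per user, so the "both specified, attribute absent" case from the message never arises at run time; with `fallback=True` the same config gives alice her uidNumber from the directory and bob the value 8 from the file. The two entries sharing shared@example.org show why the exactly-one-result rule matters: with two candidate DNs there is no safe choice of which to bind as, so authentication fails before any bind.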