[tpop3d-discuss] Re: LDAP authentication model

Prune prune at lecentre.net
Fri, 22 Feb 2002 13:59:50 +0100


Chris Lightfoot wrote:

>OK, I'm getting closer to the point where I'm going to do
>a pre-release with LDAP support, but I'm not quite certain
>how to organise the operation of auth-ldap.
>
>Presently, based on the contributed code, what I have is:
>
>    auth-ldap-url, -username, -password
>        base URL and credentials for doing search phase of
>        authentication;
>
>    auth-ldap-filter
>        filter substitution string used to find a
>        record[1] corresponding to a user;
>
>So. We substitute for $(local_part) and $(domain) in
>-filter, do the search and if there is exactly one result,
>we try to bind with the user's supplied credentials.
>If this succeeds, we have authenticated successfully and
>can proceed. Now we need to know the parameters for
>accessing the mailbox. These might come from the config
>file, or the directory--
>
>    auth-ldap-mailbox-attr
>              mboxtype-attr
>        names of LDAP attributes which contain the name of
>        a mailbox and its type; if the latter is not
>        specified, then guess based on the filename.
>
>  (or)
>
>    auth-ldap-mailbox
>        mailbox to use for LDAP users
>
>    ----
>
>    auth-ldap-mail-user-attr
>    auth-ldap-mail-group-attr
>        names of LDAP attributes which give the UID and
>        GID under which to access the mailbox.
>
>  (or)
>
>    auth-ldap-mail-user
>    auth-ldap-mail-group
>        UID and GID under which to access mailboxes
>
>
>This mirrors the behaviour of the existing patch, but
>cleans up a couple of issues and makes things more
>configurable.
>
>What I'm not certain about is how fallbacks should work.
>Consider as a specific example the UID. There are several
>combinations:
>
>    - auth-ldap-mail-user specified
>    - auth-ldap-mail-user-attr specified
>    - directory contains an entry under that attribute
>
>        Presumably we should use the value from the
>        directory.
>
Not sure, see below.

>
>
>    - auth-ldap-mail-user specified
>    - auth-ldap-mail-user-attr specified
>    - directory does not contain an entry for that
>      attribute
>
>        Not clear. Do we fail authentication or use the
>        value from the config file?
>
What I've done in the module is: if auth-ldap-mail-user is specified, 
then it is used, whether the attribute is defined in LDAP or not.
This is because sometimes the user information is not only used for 
POP, and the UID/GID may be different.
Postfix can store every mail in a mailbox which belongs to 
postfix:postdrop (or postfix:mail).
So as long as auth-ldap-mail-user is defined, it must be used.

>
>
>    - auth-ldap-mail-user not specified
>    - auth-ldap-mail-user-attr specified
>    - directory contains an entry under that attribute
>
>        Fine.
>
>    - auth-ldap-mail-user not specified
>    - auth-ldap-mail-user-attr specified
>    - directory does not contain an entry for that
>      attribute
>
>        Nothing we can do; authentication fails.
>
>    - auth-ldap-mail-user not specified
>    - auth-ldap-mail-user-attr specified
>
>        Use value from config file.
>
???
Which one, as it's not specified...
If auth-ldap-mail-user is not defined, we expect to get it from the 
auth-ldap-mail-attr attribute. If that's not the case, auth must fail.

>
>
>    - auth-ldap-mail-user not specified
>    - auth-ldap-mail-user-attr not specified
>
>        Nothing we can do here; not enough information to
>        proceed.
>
>My inclination is to say that such pairs of directives are
>incompatible: you can specify that some parameter is
>obtained from the config file, or from the directory, but
>not both. However, this is not the behaviour of the
>original patch, in particular for mailbox locations (where
>it guesses a location in /var/mail).
>
The default mail location should be set the same way as in other 
plugins. It's not the case now as I did not work on this yet. I just set 
a default of "/var/mail" for testing purposes.
Then, you can ask: why have a default?
And you're right!
For integrity, the mailbox path has to be defined in LDAP, or the account 
is not valid.
Going ahead, what I call the maildrop attribute for now, which contains 
the path to the mailbox, is defined from /.
This is partially false, as Postfix adds a path before adding what is 
defined in LDAP.
We need to have a "global_path" variable in conf (which can be defined as 
/) defining a path to prepend to the mailbox.
The mailbox is then: "/global_path/ldap_mailbox_path"
What do you think of that?

>
>
>Do the more LDAP-experienced members of the audience think
>that it's reasonable to make the behaviour exclusive per
>the above, or is having some sort of fallback operation
>important?
>
>    ---
>    1. Is that the right terminology?
>
As I said, I think we mustn't mix these. If auth-ldap-mail-user is 
defined, it has to be the only one used. Else, we must use 
auth-ldap-mail-user-attr. If the attribute is not defined in the LDAP 
account, the auth must fail.

Is this OK for you?

I'm sorry if it's not the behaviour of my code yet, but I think it's 
what we must do. I'm OK to change all this as soon as the LDAP plugin is 
integrated in the distribution, so I can directly send patches instead of 
working alone with my LDAP code called mysql.c :/


Cheers,
Prune
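The resolution rule proposed in this message (a config-file value is used unconditionally; otherwise the named directory attribute must be present or authentication fails; with neither directive there is not enough information to proceed) and the "global_path" prefix idea, written out as an added example. This is not tpop3d's auth-ldap code nor Prune's patch: the struct and function names, the attribute names `uidNumber` and `mailMessageStore`, the sample record and the `global_path` directive name are all assumptions made for the example. It also adds one check the thread does not mention but a deployer would want: a mailbox path taken from the directory is refused if it contains `..`, so a directory entry can only name files under the configured prefix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one LDAP record: attribute/value pairs. */
typedef struct { const char *name; const char *value; } ldap_attr;
typedef struct { const ldap_attr *attrs; size_t n; } ldap_entry;

static const char *entry_get(const ldap_entry *e, const char *attr) {
    for (size_t i = 0; e && attr && i < e->n; i++)
        if (strcmp(e->attrs[i].name, attr) == 0) return e->attrs[i].value;
    return NULL;
}

/* The auth-ldap directives discussed in the thread; NULL = not specified.
 * global_path is the prefix proposed in the reply, under an assumed name. */
typedef struct {
    const char *mail_user,  *mail_user_attr;   /* auth-ldap-mail-user[-attr]  */
    const char *mail_group, *mail_group_attr;  /* auth-ldap-mail-group[-attr] */
    const char *mailbox,    *mailbox_attr;     /* auth-ldap-mailbox[-attr]    */
    const char *global_path;                   /* assumed: prefix for LDAP paths */
} ldap_config;

enum resolve_status { RESOLVE_OK = 0, RESOLVE_CONFIG_ERROR, RESOLVE_AUTH_FAIL };

/* One parameter: config value wins outright; else the directory attribute
 * must be present or auth fails; neither directive is a config error. */
static enum resolve_status resolve_value(const char *cfg_value, const char *cfg_attr,
                                         const ldap_entry *e, const char **out) {
    *out = NULL;
    if (cfg_value) { *out = cfg_value; return RESOLVE_OK; }
    if (!cfg_attr) return RESOLVE_CONFIG_ERROR;
    const char *v = entry_get(e, cfg_attr);
    if (!v || !*v) return RESOLVE_AUTH_FAIL;
    *out = v;
    return RESOLVE_OK;
}

/* Build "<global_path>/<ldap_path>". Rejects ".." components so a value from
 * the directory cannot name a file outside global_path. Returns 0 or -1. */
static int build_mailbox_path(const char *global_path, const char *ldap_path,
                              char *buf, size_t buflen) {
    if (!global_path || !ldap_path) return -1;
    for (const char *p = ldap_path; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return -1;
        if (!end) break;
        p = end + 1;
    }
    while (*ldap_path == '/') ldap_path++;     /* "/" + "/x" -> "/x", not "//x" */
    size_t glen = strlen(global_path);
    const char *sep = (glen == 0 || global_path[glen - 1] != '/') ? "/" : "";
    int n = snprintf(buf, buflen, "%s%s%s", global_path, sep, ldap_path);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

typedef struct { const char *uid, *gid; char mailbox[256]; } mail_params;

static enum resolve_status resolve_mail_params(const ldap_config *cfg,
                                               const ldap_entry *e, mail_params *out) {
    enum resolve_status st;
    const char *mbox;
    if ((st = resolve_value(cfg->mail_user,  cfg->mail_user_attr,  e, &out->uid)) != RESOLVE_OK) return st;
    if ((st = resolve_value(cfg->mail_group, cfg->mail_group_attr, e, &out->gid)) != RESOLVE_OK) return st;
    if ((st = resolve_value(cfg->mailbox,    cfg->mailbox_attr,    e, &mbox))     != RESOLVE_OK) return st;
    if (build_mailbox_path(cfg->global_path ? cfg->global_path : "/", mbox,
                           out->mailbox, sizeof out->mailbox) != 0)
        return RESOLVE_AUTH_FAIL;
    return RESOLVE_OK;
}

/* Constructed sample record (attribute names are assumptions). */
static const ldap_attr sample_attrs[] = {
    { "uidNumber", "1001" }, { "mailMessageStore", "/example.org/bob" },
};
static const ldap_entry sample_entry = { sample_attrs, 2 };

/* The combinations listed in the thread; returns how many behaved as proposed. */
static int example_checks(void) {
    int ok = 0; mail_params mp; char buf[64];
    ldap_config cfg = { NULL, "uidNumber", "mail", NULL, NULL, "mailMessageStore", "/var/spool/mail" };
    /* 1. UID from the directory, GID from config, mailbox under global_path. */
    ok += resolve_mail_params(&cfg, &sample_entry, &mp) == RESOLVE_OK
          && strcmp(mp.uid, "1001") == 0 && strcmp(mp.gid, "mail") == 0
          && strcmp(mp.mailbox, "/var/spool/mail/example.org/bob") == 0;
    /* 2. Config UID wins even though the attribute is also specified. */
    cfg.mail_user = "postfix";
    ok += resolve_mail_params(&cfg, &sample_entry, &mp) == RESOLVE_OK && strcmp(mp.uid, "postfix") == 0;
    /* 3. Attribute named but absent from the record: authentication fails. */
    cfg.mail_user = NULL; cfg.mail_user_attr = "noSuchAttribute";
    ok += resolve_mail_params(&cfg, &sample_entry, &mp) == RESOLVE_AUTH_FAIL;
    /* 4. Neither directive: a config error, not a silent /var/mail default. */
    cfg.mail_user_attr = NULL;
    ok += resolve_mail_params(&cfg, &sample_entry, &mp) == RESOLVE_CONFIG_ERROR;
    /* 5. A directory-supplied path with ".." is refused. */
    ok += build_mailbox_path("/var/spool/mail", "../../etc/passwd", buf, sizeof buf) == -1;
    return ok;
}

int main(void) {
    printf("%d of 5 scenarios behaved as proposed\n", example_checks());
    return 0;
}
```

The combinations Chris lists map onto `resolve_value` one parameter at a time, so the same rule serves UID, GID and mailbox location; whether a `..` check belongs in the plugin or in whatever writes the directory is a deployment choice, but refusing it at the point of use costs one loop.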