collected-reply to not have to "split" the discussion into too many
subthreads.
+ Henning Brauer <[EMAIL PROTECTED]> [26.02.2002 10:47]:
> On Mon, Feb 25, 2002 at 09:04:06PM +0100, Thomas -Balu- Walter wrote:
> > are there any know problems/issues for using email-addresses
> > as "uid" so that a user has to login to pop/imap using his email?
> > I wonder if there are clients or other things that might make problems
> > when using this kind of setup.
>
> yes.
okay - got it :)
+ Dan Melomedman <[EMAIL PROTECTED]> [25.02.02 22:01]:
> The "uid" attribute is used by many other LDAP-aware applications and
> services, which cause clashes. Furthermore, "uid" is a very common naming
> attribute, which again causes a conflict when naming LDAP entries. A good
> idea is to compile qmail-ldap to use a different attribute for POP3
> authentication.
Ok - I agree with you here, I have to admit that I didn't think that
far. My setup is going to be an LDAP-Server on its own which only
qmail-ldap is going to have access to. But you'll never know - if someday
it has to be extended I might have done something very bad.
> I don't like "uid" as the chosen attribute for POP3 authentication, I wish
> the developers went with a different attribute from the start of the
> project, but "Oh Well". qmail-ldap already has a number of proprietary
> attributes in its schema, so why not have an alternative for "uid" in the
> shipped schema? Furthermore, why not make that alternative attribute the
> standard in the future versions. "uid" is almost guaranteeing a conflict
> with some other software. Would anyone like to respond to this?
I don't think this is creating a conflict with other software. At least
it's a "standardized" attribute that has just the purpose to be a uid.
If you don't do crazy things like I wanted to do to the uid you should
be safe. Also - one thing LDAP is being used for is to make sure your
users have _one_ login for all services. Whether this is good or bad is
another question, but if we used a proprietary one this would make it
more difficult.
+ Brendon Colby <[EMAIL PROTECTED]> [25.02.02 22:12]:
> For our customers, I've set up a special OU just for mail accounts where the
> uid is their e-mail address. This is so that they can use one login / password
> for, so far, mail (pop3 / imap) and web (ftp). I can see expanding this to
> many other LDAP aware services. So far it's worked very well for us.
That's the method I was thinking of myself, but it goes a little against
the idea of LDAP - much data would be redundant.
+ Ricardo Cerqueira <[EMAIL PROTECTED]> [25.02.02 23:44]:
> On Mon, 2002-02-25 at 20:50, Dan Melomedman wrote:
> > The "uid" attribute is used by many other LDAP-aware applications and
> > services, which cause clashes. Furthermore, "uid" is a very common naming
> > attribute, which again causes a conflict when naming LDAP entries. A good
> > idea is to compile qmail-ldap to use a different attribute for POP3
> > authentication.
> >
>
> Why not both? LDAP does take search-filters :-)
Your idea [extending the searchfilter] is by far the best solution IMHO.
> No, not really. I use LDAP for a lot of services around here, and each
> user has a single profile. The only change I made to qmail-ldap's
> default attributes (at qmail-ldap.h) was setting LDAP_QMAILUID to
> uidNumber instead of qmailUID, precisely because I _do_ want to use the
> same attribute in all services, whenever possible.
> In this case, FTP and mail both use "uidNumber" to determine the UID of
> the user.
> FTP, pop3, imap4, HTTP, radius, and a few other apps all use "uid" as
> the login. Additionally, POP3 and IMAP also use the mail address
> "user@domain" _and_ the alias (localpart) whenever it is possible.
> It's all in the filters. For instance, qmail-ldap originally uses:
>
> * assume $user == <USER given at POP3>
>
> (uid=$user)
>
> and I hacked it so the searchfilter is
>
> (| (uid=$user) (mail=$user) (mail=$user+"@"+<content of control/me>) )
(| (uid=$user) (mail=$user) (mailAlternateAddress=$user) )
to make it possible for my users to use
1) a username (uid)
2) their mail-address or
3) an alternate address
as POP/IMAP-Login?
One thing that got me into thinking of this was that sqwebmail uses the
"mail"-attribute as login by default. I wanted to make it possible for
my users to use the mail-addy as login for pop and imap too.
+ Ben Gertzfield <[EMAIL PROTECTED]> [26.02.02 02:40]:
> Make the user's uid the email address with '@' changed to '_'.
>
> Thus, the user with mail: [EMAIL PROTECTED] would have uid: foo_bar.com.
>
> This works beautifully with all applications I've seen, and since
> domain names cannot have '_' in them, there's no possibility of a
> clash.
Another nice idea, but if you have _real life_ users you should know
that many of them would keep asking why @ doesn't work and what the hell
they are supposed to use instead of it all day long.
Balu
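As an added illustration (not code from the thread or from qmail-ldap), the combined search filter discussed above in Python, together with the RFC 4515 value escaping such a filter needs when $user comes straight from the POP3/IMAP login; the sample entry, the domain example.org standing in for control/me, and the function names are assumptions.

```python
"""Build and evaluate the qmail-ldap style login filter from the thread."""
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for assertion values (assumed here; qmail-ldap's own
# C code is not shown on the page). Backslash must be replaced first.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")]


def escape_filter_value(value: str) -> str:
    """Escape metacharacters so the login name is matched literally."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def login_terms(user: str, me: Optional[str] = None) -> List[Tuple[str, str]]:
    """Attribute/value pairs a login name may match: uid, mail address or
    alternate address, plus user@<control/me> when no domain was typed."""
    terms = [("uid", user), ("mail", user), ("mailAlternateAddress", user)]
    if me and "@" not in user:
        terms.append(("mail", f"{user}@{me}"))
    return terms


def build_login_filter(user: str, me: Optional[str] = None) -> str:
    """Assemble the OR filter with every user-supplied value escaped."""
    parts = "".join(f"({attr}={escape_filter_value(val)})" for attr, val in login_terms(user, me))
    return f"(|{parts})"


def entry_matches(entry: Dict[str, List[str]], user: str, me: Optional[str] = None) -> bool:
    """Evaluate the same OR filter against an in-memory entry, comparing
    case-insensitively as caseIgnoreMatch would for these attributes."""
    for attr, val in login_terms(user, me):
        if val.lower() in (v.lower() for v in entry.get(attr, [])):
            return True
    return False


# Constructed sample entry, not taken from the thread.
SAMPLE_ENTRY = {
    "uid": ["balu"],
    "mail": ["balu@example.org"],
    "mailAlternateAddress": ["thomas@example.org"],
}

if __name__ == "__main__":
    print(build_login_filter("balu", "example.org"))
    # A '*' typed at login becomes \2a, so it cannot turn into a wildcard match.
    print(build_login_filter("b*"))
```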