Re: spaces around uid

2002-02-22 Thread Carsten Hoeger

On Thu, Feb 21, Henrique de Moraes Holschuh wrote:

> The RFCs ask for case insensitiveness. MTAs are often configured to be
> case-insensitive as well.

Right.
 
> Actually, I welcome that patch very very much. It will put an end to our
> lusers doing braindead stuff in their imap clients.
> 
> I would like (and I will probably code it sooner or later) Cyrus to force
> ALL folder and usernames to lowercase, always.  If I code it, it will be a
> config option, of course :)

Yes. Would be better, to make that configurable.

-- 
With best regards,

Carsten Hoeger

SuSE, The Linux Experts, http://www.suse.com

Key fingerprint = E3B6 7FDB 4800 0F22 DC09  EB2B 7988 B6A8 6691 C94A





Re: spaces around uid

2002-02-21 Thread Henrique de Moraes Holschuh

On Thu, 21 Feb 2002, Carsten Hoeger wrote:
> On Thu, Feb 21, Birger Toedtmann wrote:
> > > So I wrote a small patch for the auth_canonifyid function, which
> > > strips off leading and trailing whitespaces and lowers alpha chars.
> > [...]
> > 
> > With the whitespaces I'm not sure but I don't think one should enforce
> > case insensitivity - instead one should instruct OpenLDAP to behave case
> > sensitive.

The RFCs ask for case insensitiveness. MTAs are often configured to be
case-insensitive as well.

Actually, I welcome that patch very very much. It will put an end to our
lusers doing braindead stuff in their imap clients.

I would like (and I will probably code it sooner or later) Cyrus to force
ALL folder and usernames to lowercase, always.  If I code it, it will be a
config option, of course :)


-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Re: spaces around uid

2002-02-21 Thread Carsten Hoeger

On Thu, Feb 21, Birger Toedtmann wrote:

> > Most mailclients would then notice, that there is no inbox -because
> > imapd is now looking into "/var/imap/user/   uSer  /" which currently
> > does not exist. Then they issue a "create inbox" command and voila, we
> > have a new directory called "/var/imap/user/   uSer  /".
> > 
> > So I wrote a small patch for the auth_canonifyid function, which
> > strips off leading and trailing whitespaces and lowers alpha chars.
> [...]
> 
> With the whitespaces I'm not sure but I don't think one should enforce
> case insensitivity - instead one should instruct OpenLDAP to behave case
> sensitive.

Yes, that's what I also thought in the past.
In the OpenLDAP core schema, you can read:

# OpenLDAP Core schema
#
# Includes LDAPv3 schema items from:
#   RFC2251-RFC2256 (LDAPv3)
#
# select standard track schema items:
#   RFC2079 (URI)
#   RFC1274 (uid/dc)

[...]

#
# Derived from RFC1274, but with new "short names"
#
attributetype ( 0.9.2342.19200300.100.1.1
NAME ( 'uid' 'userid' )
DESC 'RFC1274: user identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

[...]

And in RFC 1274:

[...]

9.3.1.  Userid

   The Userid attribute type specifies a computer system login name.

 userid ATTRIBUTE
 WITH ATTRIBUTE-SYNTAX
 caseIgnoreStringSyntax
 (SIZE (1 .. ub-user-identifier))
 ::= {pilotAttributeType 1}

[...]

They all speak about case insensitivity.

Maybe we should include the openldap people into this discussion.

My original Mail:


we noticed, that cyrus-imapd allows users to prepend or append
whitespaces to their uid like this:

. login "   user  " secret

cyrus-imapd hands over this string as is to the underlying
authentication system. In case of pam with pam_ldap, this results in a
DN like this:

"uid=   user  ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

"uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is, that the uid attribute is caseINsensitive as defined
in the core openldap schema, which makes things even harder:

. login "   uSer  " secret

would be the same as

. login "   user  " secret

for openldap in this case.

Most mailclients would then notice, that there is no inbox -because
imapd is now looking into "/var/imap/user/   uSer  /" which currently
does not exist. Then they issue a "create inbox" command and voila, we
have a new directory called "/var/imap/user/   uSer  /".

So I wrote a small patch for the auth_canonifyid function, which
strips off leading and trailing whitespaces and lowers alpha chars.

I am not exactly sure, if this is the right place to fix, but it
works.



-- 
With best regards,

Carsten Hoeger

SuSE, The Linux Experts, http://www.suse.com

Key fingerprint = E3B6 7FDB 4800 0F22 DC09  EB2B 7988 B6A8 6691 C94A
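
Added example, not part of the original mails or of Cyrus: a shell audit for the side effect described above, listing spool directories whose name differs from the trimmed, lowercased uid. It assumes one directory per user directly under the spool path, as in the "/var/imap/user/" path quoted in the thread; canon_uid and audit_spool are names made up here.

```sh
#!/bin/sh
# Added example: find per-user spool directories whose name is not the
# canonical uid (blanks trimmed, ASCII letters lowercased).
# Assumption: one directory per user directly under the spool path.

TAB=$(printf '\t')

# canon_uid NAME: print NAME trimmed of leading/trailing blanks, lowercased.
canon_uid() {
    printf '%s\n' "$1" |
        LC_ALL=C sed -e "s/^[ $TAB]*//" -e "s/[ $TAB]*\$//" |
        LC_ALL=C tr 'A-Z' 'a-z'
}

# audit_spool DIR: print "name|canonical|state" for each non-canonical entry.
#   shadows-existing: the canonical mailbox directory also exists
#   orphan: only the non-canonical directory exists
audit_spool() {
    spool=$1
    for path in "$spool"/*/; do
        [ -d "$path" ] || continue
        name=${path%/}
        name=${name##*/}
        canon=$(canon_uid "$name")
        [ "$name" = "$canon" ] && continue
        if [ -n "$canon" ] && [ -d "$spool/$canon" ]; then
            state=shadows-existing
        else
            state=orphan
        fi
        printf '%s|%s|%s\n' "$name" "$canon" "$state"
    done
}

# Demo on a constructed spool (temporary directory, removed afterwards).
demo=$(mktemp -d)
mkdir "$demo/user" "$demo/   uSer  " "$demo/alice" "$demo/  carol "
audit_spool "$demo"
rm -rf "$demo"
```

A "shadows-existing" entry is the case from the mail: a second, empty-looking mailbox tree next to the real one for the same directory-service identity.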





Re: spaces around uid

2002-02-21 Thread Birger Toedtmann

Carsten Hoeger wrote on Thu, Feb 21, 2002 at 02:43:40PM +0100:
[...]
> 
> Most mailclients would then notice, that there is no inbox -because
> imapd is now looking into "/var/imap/user/   uSer  /" which currently
> does not exist. Then they issue a "create inbox" command and voila, we
> have a new directory called "/var/imap/user/   uSer  /".
> 
> So I wrote a small patch for the auth_canonifyid function, which
> strips off leading and trailing whitespaces and lowers alpha chars.
[...]

With the whitespaces I'm not sure but I don't think one should enforce
case insensitivity - instead one should instruct OpenLDAP to behave case
sensitive.


Regards,

- Birger



spaces around uid

2002-02-21 Thread Carsten Hoeger

Hi,

we noticed, that cyrus-imapd allows users to prepend or append
whitespaces to their uid like this:

. login "   user  " secret

cyrus-imapd hands over this string as is to the underlying
authentication system. In case of pam with pam_ldap, this results in a
DN like this:

"uid=   user  ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

"uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is, that the uid attribute is caseINsensitive as defined
in the core openldap schema, which makes things even harder:

. login "   uSer  " secret

would be the same as 

. login "   user  " secret

for openldap in this case.

Most mailclients would then notice, that there is no inbox -because
imapd is now looking into "/var/imap/user/   uSer  /" which currently
does not exist. Then they issue a "create inbox" command and voila, we
have a new directory called "/var/imap/user/   uSer  /".

So I wrote a small patch for the auth_canonifyid function, which
strips off leading and trailing whitespaces and lowers alpha chars.

I am not exactly sure, if this is the right place to fix, but it
works.

I attached the patch to this mail.

-- 
With best regards,

Carsten Hoeger

SuSE, The Linux Experts, http://www.suse.com

Key fingerprint = E3B6 7FDB 4800 0F22 DC09  EB2B 7988 B6A8 6691 C94A


diff -urN cyrus-imapd-2.0.16/lib/auth_unix.c cyrus-imapd-2.0.16.SuSE/lib/auth_unix.c
--- cyrus-imapd-2.0.16/lib/auth_unix.c  Tue May 23 22:56:12 2000
+++ cyrus-imapd-2.0.16.SuSE/lib/auth_unix.c Wed Feb 20 15:32:44 2002
@@ -154,9 +154,11 @@
 const char *identifier;
 {
 static char retbuf[81];
+char backup[81];
 struct group *grp;
 char sawalpha;
 char *p;
+int ic,rbc;
 
 if (strcasecmp(identifier, "anonymous") == 0) {
return "anonymous";
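Review bot: char backup[81] repeats the size of retbuf as a second magic number and exists only so the later loop can copy out of a strcpy'd duplicate. The write index (rbc) never gets ahead of the read index (ic), so the trim and lowercase can run in place on retbuf, which drops both the extra buffer and the strcpy; if the copy stays, declare it as char backup[sizeof(retbuf)]. The counters ic and rbc would also read better with names such as src and dst.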
@@ -210,6 +212,21 @@
 *p = 0;
 
 if (!sawalpha) return NULL;  /* has to be one alpha char */
+
+strcpy(backup,retbuf);
+/* remove leading blanks */
+for(ic=0; isblank(backup[ic]); ic++);
+for(rbc=0; backup[ic]; ic++) {
+   retbuf[rbc] = ( isalpha(backup[ic]) ?
+   tolower(backup[ic]) : backup[ic] );
+   rbc++;
+}
+retbuf[rbc] = '\0';
+/* remove trailing blanks */
+for(--rbc; isblank(retbuf[rbc]); rbc--) {
+   retbuf[rbc] = '\0';
+}
+
 
 return retbuf;
 }
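Review bot: the trailing-blank loop, for(--rbc; isblank(retbuf[rbc]); rbc--), has no lower bound on rbc and stays inside retbuf only because it relies on the sawalpha check above having left a non-blank character; add rbc >= 0 && to the condition so the loop is safe on its own. isblank(), isalpha() and tolower() are also passed plain char, which is undefined for negative values (bytes above 0x7f where char is signed), so cast each argument to unsigned char. The lowercasing here is unconditional, while the replies in this thread ask for it to be a configuration option.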


