Re: spaces around uid
On Thu, Feb 21, Henrique de Moraes Holschuh wrote:
> The RFCs ask for case insensitiveness. MTAs are often configured to be
> case-insensitive as well.

Right.

> Actually, I welcome that patch very very much. It will put an end to our
> lusers doing braindead stuff in their imap clients.
>
> I would like (and I will probably code it sooner or later) Cyrus to force
> ALL folder and usernames to lowercase, always. If I code it, it will be a
> config option, of course :)

Yes. Would be better to make that configurable.

--
With best regards,
Carsten Hoeger
SuSE, The Linux Experts, http://www.suse.com
Key fingerprint = E3B6 7FDB 4800 0F22 DC09 EB2B 7988 B6A8 6691 C94A
Re: spaces around uid
On Thu, 21 Feb 2002, Carsten Hoeger wrote:
> On Thu, Feb 21, Birger Toedtmann wrote:
> > > So I wrote a small patch for the auth_canonifyid function, which
> > > strips off leading and trailing whitespaces and lowers alpha chars.
> > [...]
> >
> > With the whitespaces I'm not sure but I don't think one should enforce
> > case insensitivity - instead one should instruct OpenLDAP to behave case
> > sensitive.

The RFCs ask for case insensitiveness. MTAs are often configured to be case-insensitive as well.

Actually, I welcome that patch very very much. It will put an end to our lusers doing braindead stuff in their imap clients.

I would like (and I will probably code it sooner or later) Cyrus to force ALL folder and usernames to lowercase, always. If I code it, it will be a config option, of course :)

--
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Re: spaces around uid
On Thu, Feb 21, Birger Toedtmann wrote:
> > Most mail clients would then notice that there is no inbox - because
> > imapd is now looking into "/var/imap/user/ uSer /" which currently
> > does not exist. Then they issue a "create inbox" command and voila, we
> > have a new directory called "/var/imap/user/ uSer /".
> >
> > So I wrote a small patch for the auth_canonifyid function, which
> > strips off leading and trailing whitespaces and lowers alpha chars.
> [...]
>
> With the whitespaces I'm not sure but I don't think one should enforce
> case insensitivity - instead one should instruct OpenLDAP to behave case
> sensitive.

Yes, that's what I also thought in the past.

In the OpenLDAP core schema, you can read:

    # OpenLDAP Core schema
    #
    # Includes LDAPv3 schema items from:
    # RFC2251-RFC2256 (LDAPv3)
    #
    # select standard track schema items:
    # RFC2079 (URI)
    # RFC1274 (uid/dc)
    [...]
    #
    # Derived from RFC1274, but with new "short names"
    #
    attributetype ( 0.9.2342.19200300.100.1.1
        NAME ( 'uid' 'userid' )
        DESC 'RFC1274: user identifier'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
    [...]

And in RFC 1274:

    [...]
    9.3.1. Userid

    The Userid attribute type specifies a computer system login name.

    userid ATTRIBUTE
        WITH ATTRIBUTE-SYNTAX
            caseIgnoreStringSyntax
            (SIZE (1 .. ub-user-identifier))
    ::= {pilotAttributeType 1}
    [...]

They all speak about case insensitivity. Maybe we should include the openldap people into this discussion.

My original Mail:

we noticed that cyrus-imapd allows users to prepend or append whitespaces to their uid like this:

    . login " user " secret

cyrus-imapd hands over this string as is to the underlying authentication system. In case of pam with pam_ldap, this results in a DN like this:

    "uid= user ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

    "uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is that the uid attribute is caseINsensitive as defined in the core openldap schema, which makes things even harder:

    . login " uSer " secret

would be the same as

    . login " user " secret

for openldap in this case.

Most mail clients would then notice that there is no inbox - because imapd is now looking into "/var/imap/user/ uSer /" which currently does not exist. Then they issue a "create inbox" command and voila, we have a new directory called "/var/imap/user/ uSer /".

So I wrote a small patch for the auth_canonifyid function, which strips off leading and trailing whitespaces and lowers alpha chars.

I am not exactly sure if this is the right place to fix, but it works.

--
With best regards,
Carsten Hoeger
SuSE, The Linux Experts, http://www.suse.com
Key fingerprint = E3B6 7FDB 4800 0F22 DC09 EB2B 7988 B6A8 6691 C94A
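The mismatch discussed in this thread, as an added C example that is not part of any message and is not Cyrus code: the login string is canonicalized once (blanks trimmed, ASCII lowercased, empty or overlong results rejected) and the same result is used to build the mailbox path. The helper names canon_uid and mailbox_path are hypothetical; the "/var/imap/user/" layout and the 81-byte buffer size come from the thread.

```c
/* Added illustration; not Cyrus code. canon_uid() and mailbox_path() are
 * hypothetical helpers; the /var/imap/user/ layout is taken from the thread. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Trim leading/trailing blanks and lowercase into out.
 * Returns 0 on success, -1 if the result is empty or does not fit. */
int canon_uid(const char *in, char *out, size_t outlen)
{
    const char *end;
    size_t n, i;
    while (*in == ' ' || *in == '\t')
        in++;                               /* skip leading blanks */
    end = in + strlen(in);
    while (end > in && (end[-1] == ' ' || end[-1] == '\t'))
        end--;                              /* bounded: never passes 'in' */
    n = (size_t)(end - in);
    if (n == 0 || n >= outlen)
        return -1;                          /* all blanks, or too long */
    for (i = 0; i < n; i++)                 /* cast avoids UB on bytes >= 0x80 */
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return 0;
}

/* Build the mailbox directory for a uid; 0 on success, -1 if truncated. */
int mailbox_path(const char *uid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/var/imap/user/%s/", uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
int main(void)
{
    /* Constructed login strings, modelled on the ones in the thread. */
    const char *logins[] = { "user", " user ", " uSer ", "\tUSER", "   " };
    char uid[81], raw[128], canon[128];
    size_t i;
    for (i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        mailbox_path(logins[i], raw, sizeof raw);   /* path without canonicalization */
        if (canon_uid(logins[i], uid, sizeof uid) != 0) {
            printf("[%s] rejected\n", logins[i]);
            continue;
        }
        mailbox_path(uid, canon, sizeof canon);
        printf("[%s] raw=%s canonical=%s\n", logins[i], raw, canon);
    }
    return 0;
}
```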
Re: spaces around uid
Carsten Hoeger wrote on Thu, Feb 21, 2002 at 02:43:40PM +0100:
[...]
>
> Most mail clients would then notice that there is no inbox - because
> imapd is now looking into "/var/imap/user/ uSer /" which currently
> does not exist. Then they issue a "create inbox" command and voila, we
> have a new directory called "/var/imap/user/ uSer /".
>
> So I wrote a small patch for the auth_canonifyid function, which
> strips off leading and trailing whitespaces and lowers alpha chars.
[...]

With the whitespaces I'm not sure but I don't think one should enforce case insensitivity - instead one should instruct OpenLDAP to behave case sensitive.

Regards,
- Birger
spaces around uid
Hi,

we noticed that cyrus-imapd allows users to prepend or append whitespaces to their uid like this:

    . login " user " secret

cyrus-imapd hands over this string as is to the underlying authentication system. In case of pam with pam_ldap, this results in a DN like this:

    "uid= user ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

    "uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is that the uid attribute is caseINsensitive as defined in the core openldap schema, which makes things even harder:

    . login " uSer " secret

would be the same as

    . login " user " secret

for openldap in this case.

Most mail clients would then notice that there is no inbox - because imapd is now looking into "/var/imap/user/ uSer /" which currently does not exist. Then they issue a "create inbox" command and voila, we have a new directory called "/var/imap/user/ uSer /".

So I wrote a small patch for the auth_canonifyid function, which strips off leading and trailing whitespaces and lowers alpha chars.

I am not exactly sure if this is the right place to fix, but it works.

I attached the patch to this mail.

--
With best regards,
Carsten Hoeger
SuSE, The Linux Experts, http://www.suse.com
Key fingerprint = E3B6 7FDB 4800 0F22 DC09 EB2B 7988 B6A8 6691 C94A

diff -urN cyrus-imapd-2.0.16/lib/auth_unix.c cyrus-imapd-2.0.16.SuSE/lib/auth_unix.c --- cyrus-imapd-2.0.16/lib/auth_unix.c Tue May 23 22:56:12 2000 +++ cyrus-imapd-2.0.16.SuSE/lib/auth_unix.c Wed Feb 20 15:32:44 2002 @@ -154,9 +154,11 @@ const char *identifier; { static char retbuf[81]; +char backup[81]; struct group *grp; char sawalpha; char *p; +int ic,rbc; if (strcasecmp(identifier, "anonymous") == 0) { return "anonymous"; 
@@ -210,6 +212,21 @@ *p = 0; if (!sawalpha) return NULL; /* has to be one alpha char */ + +strcpy(backup,retbuf); +/* remove leading blanks */ +for(ic=0; isblank(backup[ic]); ic++); +for(rbc=0; backup[ic]; ic++) { + retbuf[rbc] = ( isalpha(backup[ic]) ? + tolower(backup[ic]) : backup[ic] ); + rbc++; +} +retbuf[rbc] = '\0'; +/* remove trailing blanks */ +for(--rbc; isblank(retbuf[rbc]); rbc--) { + retbuf[rbc] = '\0'; +} + return retbuf; }
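
Review bot: in the first hunk (@@ -154,9 +154,11 @@), the added "char backup[81];" repeats the literal 81 from "static char retbuf[81];", so the strcpy(backup,retbuf) in the second hunk stays in bounds only while the two numbers are kept equal by hand. Size the scratch buffer as sizeof(retbuf), or do the trim and lowercase in place on retbuf so that neither the second buffer nor the copy is needed.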
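
Review bot: in the second hunk (@@ -210,6 +212,21 @@), isblank(), isalpha() and tolower() are called on plain char values from backup and retbuf; where char is signed, a byte of 0x80 or above becomes a negative argument, which is undefined for the ctype functions, so cast each argument to unsigned char. The trailing-blank loop "for(--rbc; isblank(retbuf[rbc]); rbc--)" has no rbc >= 0 bound and relies on the sawalpha check just above it to stop before index 0; an explicit bound would make it safe on its own. The isalpha() test is redundant, since tolower() returns non-letters unchanged, and isblank() matches only space and tab, which is narrower than the "whitespaces" the mail describes.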