[ 
https://issues.apache.org/jira/browse/JAMES-3930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tran Hong Quan updated JAMES-3930:
----------------------------------
    Description: 
h2. Why?
h3. User Story 1

We got several times the request: as a user, e.g. {{btell...@linagora.com}}, I want 
to login with just {{btellier}} but get access to my mails as 
{{btell...@linagora.com}}.

Basically, if not presented with an email, we can fall back to a uid search to 
get the LDAP entry, then pick the mail attribute to identify the mailbox.
h3. User story 2

Also, the following proposal allows for a more complicated setup with one set 
of creds per application:

As an administrator I do not want to leak the user password to any third party 
application, including IMAP/SMTP clients.

IMAP and SMTP apps are password based: they send the LOGIN + Password upon auth 
(unless you do complex setup!)

Thus we want to generate one distinct login-password couple for each app. 
Let's call them {{one-app-login}} and {{one-app-password}}.

This could easily be done with the following LDAP architecture:
 * dedicated branch for users. E.g. here: {{uid: btellier + mail: 
btell...@linagora.com}}
 * dedicated branch for one-app-logins and one-app-passwords. E.g. here: {{uid: 
btellier-app1 + mail: btell...@linagora.com}}
 * LemonLDAP-based generation of one-app-logins and one-app-passwords, with 
one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanisms involved on the James side are basically the same as US 1... So we 
kill one bird with two stones.
h2. How?

Step 1: Modify the {{UsersRepository}} API to allow for username translation upon 
authentication. Return an Optional of username instead of a boolean upon auth.

Step 2: Add a {{resolveLocalPartWithAttribute}} property in 
{{usersrepository.xml}}. If specified, the attribute will be used to resolve the 
user when a localPart is supplied. Otherwise localParts are rejected.

Step 3: Modify LDAPUsersRepository to return the username based on the user 
obtained in step 2.
h2. Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in 
james-server-memory-app using TemporaryJamesServer for on the fly configuration 
of the LDAP config file.
h2. Risk

If 2 LDAP entries have the same UID (even in different branches) it would cause a 
breach in user isolation, allowing user A to access the account of user B.

As such the feature should be optional, turned off by default:

{code:xml}
        <usersrepository name="LocalUsers"
            ldapHost="ldap://myldapserver:389"
            principal="uid=ldapUser,ou=system"
            credentials="password"
            userBase="ou=People,o=myorg.com,ou=system"
            userIdAttribute="uid"
            userObjectClass="person">
          <enableVirtualHosting>true</enableVirtualHosting>
          <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
          <enableForwarding>true</enableForwarding>
        </usersrepository>
{code}

{{resolveLocalPartWithAttribute}} is by default absent, causing local parts to 
be rejected.

  was:
## Why?

### User Story 1

We got several times the request: as a user, e.g. `btell...@linagora.com`, I want to 
login with just `btellier` but get access to my mails as 
`btell...@linagora.com`.

Basically, if not presented with an email, we can fall back to a uid search to 
get the LDAP entry, then pick the mail attribute to identify the mailbox.

### User story 2

Also, the following proposal allows for a more complicated setup with one set 
of creds per application:

As an administrator I do not want to leak the user password to any third party 
application, including IMAP/SMTP clients.

IMAP and SMTP apps are password based: they send the LOGIN + Password upon auth 
(unless you do complex setup!)

Thus we want to generate one distinct login-password couple for each app. 
Let's call them `one-app-login` and `one-app-password`.

This could easily be done with the following LDAP architecture:
  - dedicated branch for users. E.g. here: `uid: btellier + mail: 
btell...@linagora.com`
  - dedicated branch for one-app-logins and one-app-passwords. E.g. here: `uid: 
btellier-app1 + mail: btell...@linagora.com`
  - LemonLDAP-based generation of one-app-logins and one-app-passwords, with 
one-app-passwords only shown once. Revocation possible for one-app-logins.

The mechanisms involved on the James side are basically the same as US 1... So we 
kill one bird with two stones.

## How?

Step 1: Modify the `UsersRepository` API to allow for username translation upon 
authentication. Return an Optional of username instead of a boolean upon auth.

Step 2: Add a `resolveLocalPartWithAttribute` property in `usersrepository.xml`. 
If specified, the attribute will be used to resolve the user when a localPart is 
supplied. Otherwise localParts are rejected.

Step 3: Modify LDAPUsersRepository to return the username based on the user 
obtained in step 2.

## Definition of done

Write integration tests in IMAP and SMTP for both US1 and US2 in 
james-server-memory-app using TemporaryJamesServer for on the fly configuration 
of the LDAP config file.

## Risk

If 2 LDAP entries have the same UID (even in different branches) it would cause a 
breach in user isolation, allowing user A to access the account of user B.

As such the feature should be optional, turned off by default:

```xml
        <usersrepository name="LocalUsers"
            ldapHost="ldap://myldapserver:389"
            principal="uid=ldapUser,ou=system"
            credentials="password"
            userBase="ou=People,o=myorg.com,ou=system"
            userIdAttribute="uid"
            userObjectClass="person">
          <enableVirtualHosting>true</enableVirtualHosting>
          <resolveLocalPartWithAttribute>uid</resolveLocalPartWithAttribute>
          <enableForwarding>true</enableForwarding>
        </usersrepository>
```

`resolveLocalPartWithAttribute` is by default absent, causing local parts to be 
rejected.


> LDAP: support for localpart as login when virtualHosting is on
> --------------------------------------------------------------
>
>                 Key: JAMES-3930
>                 URL: https://issues.apache.org/jira/browse/JAMES-3930
>             Project: James Server
>          Issue Type: Improvement
>          Components: ldap, UsersStore &amp; UsersRepository
>            Reporter: Tran Hong Quan
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
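The resolution rule the ticket proposes (full address used as-is; bare local part resolved through the configured attribute, or rejected when the property is absent; exactly one matching entry required so that the duplicate-uid case under "Risk" is refused instead of silently picking one), written out as an added Java illustration. This is not James code: the in-memory `DIRECTORY`, the `Entry` record, the `authenticate` method and all of the sample entries and secrets are constructed for this example, and a real `LDAPUsersRepository` would run the search against the server and bind to the matched entry's DN instead of comparing a stored attribute.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/** Added illustration of the JAMES-3930 resolution rule; not James code. */
public class LocalPartResolutionExample {

    /** Constructed stand-in for one LDAP entry: its DN plus a few attributes. */
    record Entry(String dn, Map<String, String> attrs) {}

    /** Constructed directory with the two branches the ticket describes. */
    static final List<Entry> DIRECTORY = List.of(
        // ou=People: the user's own entry
        new Entry("uid=btellier,ou=People,o=example.com",
            Map.of("uid", "btellier", "mail", "btellier@example.com", "userPassword", "users-own-secret")),
        // ou=Apps: a one-app-login whose mail attribute points at the same mailbox
        new Entry("uid=btellier-app1,ou=Apps,o=example.com",
            Map.of("uid", "btellier-app1", "mail", "btellier@example.com", "userPassword", "app1-secret")),
        // Two entries sharing a uid in different branches: the collision named under Risk
        new Entry("uid=alice,ou=People,o=example.com",
            Map.of("uid", "alice", "mail", "alice@example.com", "userPassword", "alice-secret")),
        new Entry("uid=alice,ou=Contractors,o=example.com",
            Map.of("uid", "alice", "mail", "alice.contractor@example.com", "userPassword", "other-secret"))
    );

    /**
     * Stand-in for the proposed UsersRepository authentication returning an
     * Optional of the mailbox username instead of a boolean. Empty means "reject".
     * resolveLocalPartWithAttribute mirrors the usersrepository.xml property.
     */
    static Optional<String> authenticate(String login, String password,
                                         Optional<String> resolveLocalPartWithAttribute) {
        final String lookupAttribute;
        if (login.contains("@")) {
            lookupAttribute = "mail";                                // full address: current behaviour
        } else if (resolveLocalPartWithAttribute.isPresent()) {
            lookupAttribute = resolveLocalPartWithAttribute.get();   // e.g. uid, as in the ticket's config
        } else {
            return Optional.empty();                                 // property absent: local parts rejected
        }

        List<Entry> matches = DIRECTORY.stream()
            .filter(e -> login.equals(e.attrs().get(lookupAttribute)))
            .toList();

        // Exactly one entry must match. Zero means unknown user; more than one is the
        // duplicate-uid case from the Risk section, and we refuse rather than guess.
        if (matches.size() != 1) {
            return Optional.empty();
        }
        Entry entry = matches.get(0);

        // A real repository would bind to entry.dn() with the supplied password; this
        // stand-in compares the stored secret in constant time instead.
        byte[] expected = entry.attrs().get("userPassword").getBytes(StandardCharsets.UTF_8);
        byte[] supplied = password.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) {
            return Optional.empty();
        }
        // The mailbox is identified by the mail attribute, whichever branch the entry lives in.
        return Optional.ofNullable(entry.attrs().get("mail"));
    }

    public static void main(String[] args) {
        Optional<String> on = Optional.of("uid");   // <resolveLocalPartWithAttribute>uid</...>
        Optional<String> off = Optional.empty();    // property absent (the default)
        System.out.println(authenticate("btellier@example.com", "users-own-secret", off)); // full address, unchanged behaviour
        System.out.println(authenticate("btellier", "users-own-secret", off));             // default: bare local part rejected
        System.out.println(authenticate("btellier", "users-own-secret", on));              // US1: local part resolved via uid
        System.out.println(authenticate("btellier-app1", "app1-secret", on));              // US2: app login maps to the same mailbox
        System.out.println(authenticate("btellier-app1", "users-own-secret", on));         // app login does not accept the user's own secret
        System.out.println(authenticate("alice", "alice-secret", on));                     // ambiguous uid across branches: refused
    }
}
```

The `matches.size() != 1` check is the part worth carrying into a real implementation: when the search attribute is not unique across the whole `userBase`, a resolver that takes the first hit is exactly the isolation breach the ticket warns about, whereas refusing the login makes the misconfiguration visible in authentication logs without granting either entry access to the other's mailbox.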
