On Thu, Feb 21, Birger Toedtmann wrote:
> > Most mail clients would then notice that there is no inbox, because
> > imapd is now looking into "/var/imap/user/ uSer /" which currently
> > does not exist. Then they issue a "create inbox" command and voila, we
> > have a new directory called "/var/imap/user/ uSer /".
> >
> > So I wrote a small patch for the auth_canonifyid function, which
> > strips off leading and trailing whitespace and lowers alpha chars.
> [...]
>
> With the whitespace I'm not sure, but I don't think one should enforce
> case insensitivity - instead one should instruct OpenLDAP to behave case
> sensitive.

Yes, that's what I also thought in the past. In the OpenLDAP core schema,
you can read:

  # OpenLDAP Core schema
  #
  # Includes LDAPv3 schema items from:
  #       RFC2251-RFC2256 (LDAPv3)
  #
  # select standard track schema items:
  #       RFC2079 (URI)
  #       RFC1274 (uid/dc)
  [...]
  #
  # Derived from RFC1274, but with new "short names"
  #
  attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
          DESC 'RFC1274: user identifier'
          EQUALITY caseIgnoreMatch
          SUBSTR caseIgnoreSubstringsMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
  [...]

And in RFC 1274:

  [...]
  9.3.1.  Userid

     The Userid attribute type specifies a computer system login name.

          userid ATTRIBUTE
                  WITH ATTRIBUTE-SYNTAX
                          caseIgnoreStringSyntax
                          (SIZE (1 .. ub-user-identifier))
          ::= {pilotAttributeType 1}
  [...]

They all speak about case insensitivity. Maybe we should include the
OpenLDAP people in this discussion.

My original mail:
------------------------------------------------------------------------
We noticed that cyrus-imapd allows users to prepend or append whitespace
to their uid like this:

  . login " user " secret

cyrus-imapd hands over this string as is to the underlying authentication
system. In case of PAM with pam_ldap, this results in a DN like this:

  "uid= user ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

  "uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is that the uid attribute is caseINsensitive as defined in
the core OpenLDAP schema, which makes things even harder:

  . login " uSer " secret

would be the same as

  . login " user " secret

for OpenLDAP in this case.

Most mail clients would then notice that there is no inbox, because imapd
is now looking into "/var/imap/user/ uSer /" which currently does not
exist. Then they issue a "create inbox" command and voila, we have a new
directory called "/var/imap/user/ uSer /".

So I wrote a small patch for the auth_canonifyid function, which strips
off leading and trailing whitespace and lowers alpha chars. I am not
exactly sure if this is the right place to fix, but it works.
------------------------------------------------------------------------

-- 
With best regards,
Carsten Hoeger
SuSE, The Linux Experts, http://www.suse.com
Key fingerprint = E3B6 7FDB 4800 0F22 DC09 EB2B 7988 B6A8 6691 C94A
Attachment:
pgp2Vn8Om6gD9.pgp
Description: PGP signature
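The following C routine illustrates the kind of canonicalisation the patch described above performs before the login name reaches the authentication backend and the mailbox path. It is an added example written for this page, not Cyrus code and not Carsten's patch; the function names (canonify_userid, user_mailbox_path, canonifies_to, userid_is_acceptable) are hypothetical. Beyond the trimming and lowercasing the mail describes, it also rejects identifiers that would still contain whitespace, control characters or a path separator, which is an additional check of my own. Lowercasing is only appropriate when the backend compares uids case-insensitively (caseIgnoreMatch, as in the schema quoted above); with a case-sensitive backend it should be left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for auth_canonifyid(): copies `identifier`
 * into `out` with leading/trailing whitespace removed and ASCII letters
 * lowercased. Returns 0 on success, -1 if the result would be empty,
 * would not fit in `out`, or still contains characters that would alter
 * the on-disk mailbox path (whitespace, control characters, '/'). */
int canonify_userid(const char *identifier, char *out, size_t outlen)
{
    const char *start;
    const char *end;
    size_t len, i;

    if (identifier == NULL || out == NULL || outlen == 0)
        return -1;

    /* skip leading whitespace */
    start = identifier;
    while (*start != '\0' && isspace((unsigned char)*start))
        start++;

    /* find the end, then back over trailing whitespace */
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1]))
        end--;

    len = (size_t)(end - start);
    if (len == 0 || len >= outlen)
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (isspace(c) || iscntrl(c) || c == '/')
            return -1;          /* would change the mailbox directory */
        out[i] = (char)tolower(c);
    }
    out[len] = '\0';
    return 0;
}

/* Builds the mailbox directory the mail describes
 * ("/var/imap/user/<userid>/") so the effect of canonicalisation is
 * visible. Returns 0 on success, -1 if `buf` is too small. */
int user_mailbox_path(const char *userid, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "/var/imap/user/%s/", userid);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Helper: 1 if `in` canonifies exactly to `expected`, else 0. */
int canonifies_to(const char *in, const char *expected)
{
    char canon[64];
    if (canonify_userid(in, canon, sizeof canon) != 0)
        return 0;
    return strcmp(canon, expected) == 0;
}

/* Helper: 1 if `in` is accepted by canonify_userid(), else 0. */
int userid_is_acceptable(const char *in)
{
    char canon[64];
    return canonify_userid(in, canon, sizeof canon) == 0;
}

int main(void)
{
    /* constructed sample logins, including the " uSer " case from the mail */
    const char *samples[] = { " uSer ", "user", "   ", "us er" };
    char canon[64], path[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (canonify_userid(samples[i], canon, sizeof canon) == 0 &&
            user_mailbox_path(canon, path, sizeof path) == 0)
            printf("\"%s\" -> \"%s\" -> %s\n", samples[i], canon, path);
        else
            printf("\"%s\" -> rejected\n", samples[i]);
    }
    return 0;
}
```

With this in place " uSer " and "user" both map to the single directory /var/imap/user/user/, so the spurious "create inbox" described in the report no longer produces a second mailbox tree; an identifier that is all whitespace or has whitespace inside it is refused before authentication is attempted at all.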