
Re: spaces around uid
On Thu, Feb 21, Birger Toedtmann wrote:

> > Most mail clients would then notice that there is no inbox, because
> > imapd is now looking into "/var/imap/user/   uSer  /" which currently
> > does not exist. Then they issue a "create inbox" command and voila, we
> > have a new directory called "/var/imap/user/   uSer  /".
> > 
> > So I wrote a small patch for the auth_canonifyid function, which
> > strips off leading and trailing whitespaces and lowers alpha chars.
> [...]
> 
> With the whitespaces I'm not sure, but I don't think one should enforce
> case insensitivity - instead one should instruct OpenLDAP to behave case
> sensitively.

Yes, that's what I also thought in the past.
In the OpenLDAP core schema, you can read:

# OpenLDAP Core schema
#
# Includes LDAPv3 schema items from:
#       RFC2251-RFC2256 (LDAPv3)
#
# select standard track schema items:
#       RFC2079 (URI)
#       RFC1274 (uid/dc)

[...]

#
# Derived from RFC1274, but with new "short names"
#
attributetype ( 0.9.2342.19200300.100.1.1
        NAME ( 'uid' 'userid' )
        DESC 'RFC1274: user identifier'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

[...]

And in RFC 1274:

[...]

9.3.1.  Userid

   The Userid attribute type specifies a computer system login name.

     userid ATTRIBUTE
         WITH ATTRIBUTE-SYNTAX
             caseIgnoreStringSyntax
             (SIZE (1 .. ub-user-identifier))
     ::= {pilotAttributeType 1}

[...]

They all speak about case insensitivity.

Maybe we should include the OpenLDAP people in this discussion.

My original Mail:

------------------------------------------------------------------------
We noticed that cyrus-imapd allows users to prepend or append
whitespace to their uid like this:

. login "   user  " secret

cyrus-imapd hands over this string as-is to the underlying
authentication system. In the case of PAM with pam_ldap, this results in a
DN like this:

"uid=   user  ,dc=some,dc=dom"

which will then be normalized by OpenLDAP to

"uid=user,dc=some,dc=dom"

and will give a successful authentication... :-(

Another point is that the uid attribute is caseINsensitive as defined
in the core OpenLDAP schema, which makes things even harder:

. login "   uSer  " secret

would be the same as

. login "   user  " secret

for openldap in this case.

Most mail clients would then notice that there is no inbox, because
imapd is now looking into "/var/imap/user/   uSer  /" which currently
does not exist. Then they issue a "create inbox" command and voila, we
have a new directory called "/var/imap/user/   uSer  /".

So I wrote a small patch for the auth_canonifyid function, which
strips off leading and trailing whitespaces and lowers alpha chars.

I am not exactly sure if this is the right place to fix it, but it
works.
------------------------------------------------------------------------


-- 
With best regards,

Carsten Hoeger

SuSE, The Linux Experts, http://www.suse.com

Key fingerprint = E3B6 7FDB 4800 0F22 DC09  EB2B 7988 B6A8 6691 C94A
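As an added illustration (not part of this mail and not Cyrus code), here is a small canonicalizer in C in the spirit of the auth_canonifyid patch described above. It trims leading and trailing whitespace and lowercases ASCII letters, so that the string used to build "/var/imap/user/<uid>/" is the same string OpenLDAP will match on with caseIgnoreMatch. Unlike a pure fold, it rejects names that still contain embedded whitespace, control characters or non-ASCII bytes instead of silently normalizing them; that rejection policy, the MAX_UID limit taken from the {256} in the schema's SYNTAX line, and the helper names are my assumptions, not something the mail or the Cyrus source prescribes.

```c
/* Added example, not Cyrus code: canonicalize a login name before it is
 * handed to the authentication backend and before it is used as a mailbox
 * path component.  Assumptions: ASCII-only uids, 256-char limit (from the
 * schema's SYNTAX ...{256}), and "reject rather than fold" for anything
 * LDAP would normalize away but the filesystem would keep verbatim. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_UID 256   /* assumption: mirrors the {256} in the uid schema entry */

/* Returns 1 and writes the canonical uid into out[], or 0 if the input
 * cannot be a valid login name: empty after trimming, embedded whitespace,
 * control characters, non-ASCII bytes, or too long for MAX_UID / outlen. */
int canonify_uid(const char *in, char *out, size_t outlen)
{
    const char *start = in;
    const char *end;
    size_t len, i;

    if (in == NULL || outlen == 0) return 0;

    /* strip leading whitespace (the "   user" case from the mail) */
    while (*start && isspace((unsigned char)*start)) start++;

    /* strip trailing whitespace (the "user  " case from the mail) */
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1])) end--;

    len = (size_t)(end - start);
    if (len == 0 || len > MAX_UID || len >= outlen) return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        /* interior whitespace, control chars and non-ASCII are rejected:
         * folding them here would diverge from what LDAP does with them */
        if (isspace(c) || iscntrl(c) || c >= 0x80) return 0;
        out[i] = (char)tolower(c);   /* "uSer" and "user" become one uid */
    }
    out[len] = '\0';
    return 1;
}

/* Builds the mailbox directory path the mail talks about
 * ("/var/imap/user/<uid>/") from the canonical uid; 0 if the uid is rejected
 * or the path does not fit. */
int mailbox_path(const char *login, char *path, size_t pathlen)
{
    char uid[MAX_UID + 1];
    if (!canonify_uid(login, uid, sizeof uid)) return 0;
    return snprintf(path, pathlen, "/var/imap/user/%s/", uid) < (int)pathlen;
}

int main(void)
{
    /* constructed sample logins, including the ones quoted in the thread */
    const char *logins[] = { "   uSer  ", "user", "u ser", "   ", "\tUSER\n" };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        if (mailbox_path(logins[i], path, sizeof path))
            printf("[%s] -> %s\n", logins[i], path);
        else
            printf("[%s] -> rejected\n", logins[i]);
    }
    return 0;
}
```

With this in place "   uSer  ", "user" and "\tUSER\n" all map to the single directory "/var/imap/user/user/", which is exactly the directory the LDAP-side normalization already implied, while "u ser" and an all-blank login are refused before any backend sees them. Whether lowercasing belongs here or whether the directory should be made case sensitive, as Birger suggests, is a policy choice; the point of the example is that the identity used for the path and the identity used for authentication must be derived by one and the same rule.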
