Question about the behaviour of LDAP backend given fixed uid and variable user name

[TheLonelinessOfHS]

Hi, I am currently developing an LDAP gateway between the mail server and another web-based identify provider backend. I want it to work like this: 1. the users are authenticated with their usernames and passwords 2. the mail server sends ldap request to the gateway, 3. the gateway verifies the password. Now, the issue is that the users are associated with a variable username and a fixed uid, such that I would like the users to sign in with the current username and the mail system to use uid as an identified.

I would like to know this: What if I use cn=#username?,ou=bala,dc=example,dc=com in bind Auth, (&(|(objectClass=posixAccount)(objectClass=posixGroup))(cn=#username?)) in filter query, which will return objects with an uid attribute mapped to Name? Will this work?

This question is probably quite strange for you and I understand that it might concern implementation details and comes with no guarantee. However, I believe that this is quite relevant to those LDAP users with variable usernames and fixed IDs. Thanks for your help in advance.

[mdecimus]

Hi,

Stalwart requires a fixed username in order to work. The query could be use a variable username but the field specifying the actual account name needs point to a unique id, otherwise multiple accounts will be created.

[TheLonelinessOfHS]

Thanks for your response. Could you please clarify if it will be okay to use username for login and return a fixed uid in the object, which will be mapped to the name attribute? Will this cause any issue?

[mdecimus]

It should work but you should test this as the system was not designed to be used with dynamic ids. Also, just to clarify, this fixed uid will be used as the account name in Stalwart and the login name will be ignored.

[TheLonelinessOfHS]

It should work but you should test this as the system was not designed to be used with dynamic ids. Also, just to clarify, this fixed uid will be used as the account name in Stalwart and the login name will be ignored.

Unfortunately, this did not seem to work. My gateway allows the user to login with either :username or uid and in both cases it returns objects that contain a same uid. Two separate accounts showed up on the web panel, one with uid as username and one with :username as username. Therefore, the system creates account based on what user provided for login but not what was returned from LDAP.

[TheLonelinessOfHS]

For those who are interested in this, you need to modify lines 132-135 in mail-server/crates/directory/src/backend/ldap/lookup.rs. Not sure if you also need to change anything else to ensure that there is no other issue.