Authentication IMAP Plugin description: Difference between revisions

From Open-Xchange
(Created page with '= Open-Xchange imap authentication module = == Introduction == The Open-Xchange Server offers the ability to replace the standard database login mechanism with a custom Java log...')
 
No edit summary
 
(13 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= Open-Xchange imap authentication module =
= Open-Xchange IMAP authentication module =


== Introduction ==
== Introduction ==
The Open-Xchange Server offers the ability to replace the standard database login mechanism with a custom Java login plugin. That means that this plugin is able to check the username and password entered on the login screen against any storage (in this case IMAP). In general the Open-Xchange Server hands over every information that the user has entered during the login procedure (Username@domain and Password) to this plugin, so that the plugin can use these information to verify if the user should get a valid session or if he should get a login error. To create a valid session, the plugin has to return a user id and a context id.
The Open-Xchange IMAP authentication module is used to perform the Open-Xchange authentication against a IMAP server. During login, a IMAP connection is opened with the user credentials given through the Open-Xchange API, e.g. the GUI login mask. If that IMAP connection succeeds, the user is authenticated and finally logged in to its Open-Xchange session.


=== Imap Authentication Matrix ===
The module does replace the database authentication module installed by default.


The IMAP authentication module offers some main properties which influence the result which the plugin returns to the groupware:
=== IMAP Authentication Matrix ===


com.openexchange.mail.loginSource<br/>
The IMAP authentication module has configuration parameters which do influence the username used for the IMAP connection during login.  The configuration file is:
USE_FULL_LOGIN_INFO<br/>
 
USE_MULTIPLE<br/>
/opt/open-xchange/etc/imapauth.properties
 
The parameters are:
 
* com.openexchange.mail.loginSource
* USE_FULL_LOGIN_INFO
* USE_MULTIPLE
* USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP (starting with 7.8.1)
* USE_FULL_LOGIN_INFO_FOR_CONTEXT_LOOKUP (starting with 7.8.2)
 
The following examples make the behavior of that parameters visible. The login string, passed as example to the Open-Xchange login mask, is
 
user@domain.tld
 
during the user provisioning, following attributes are set for the context via the createcontext call:
 
{|
| attribute
| value
|-
| contextname
| domain.tld
|}
 
and the following parameters via the creatuser call:
 
{|
| attribute
| value
|-
| imaplogin
| user1337
|-
| username
| user
|-
| email
| exampleuser@otherdomain.tld
|}


The following will show how they influence the results. In this example we have a user who types max.muster@firma.de to the login form,
his imaplogin at the database is "maxdb", his email address at the database is mm@1337.to


com.openexchange.mail.loginSource=login<br />
com.openexchange.mail.loginSource=login<br />
Line 27: Line 63:
!rowspan="2" | '''USE_MULTIPLE'''  
!rowspan="2" | '''USE_MULTIPLE'''  
! '''true'''  
! '''true'''  
| maxdb
| user1337
| maxdb
| user1337
|-
|-
! | '''false'''  
! | '''false'''  
| max.muster@firma.de
| user@domain.tld
| max.muster
| user
|}
|}


Line 47: Line 83:
!rowspan="2" | '''USE_MULTIPLE'''  
!rowspan="2" | '''USE_MULTIPLE'''  
! '''true'''  
! '''true'''  
| mm@1337.to
| exampleuser@otherdomain.tld
| mm@1337.to
| exampleuser@otherdomain.tld
|-
|-
! | '''false'''  
! | '''false'''  
| max.muster@firma.de
| user@domain.tld
| max.muster
| user
|}
|}


Line 67: Line 103:
!rowspan="2" | '''USE_MULTIPLE'''  
!rowspan="2" | '''USE_MULTIPLE'''  
! '''true'''  
! '''true'''  
| max.muster@firma.de
| user@domain.tld
| max.muster
| user
|-
|-
! | '''false'''  
! | '''false'''  
| max.muster@firma.de
| user@domain.tld
| max.muster
| user
|}
|}


{{InstallPlugin|pluginname=open-xchange-authentication-imap|sopath=stable}}
=== IMAP Authentication Extensions ===
Since v7.8.1 the "USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP" property gets introduced. According to the semantics of the "USE_FULL_LOGIN_INFO" property, the "USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP" property controls whether the full login string is supposed to be considered as the internal user name. If set to "true" the full login string is used to look-up the user; e.g. uses "jane@somewhere.org" instead of only "jane".
 
This is useful for setups, in which the full E-Mail address is used for the internal user name. Please note, that to allow provisioning of full E-Mail addresses the USER_ID check in AdminUser.properties needs to be turned off or allow the '@' character. You have to add the individual E-Mail addresses which belong to a context in the loginmapping (-L for create/changecontext). You can add multiple E-Mail addresses to the loginmapping, separated by a comma.
 
 
{{InstallPlugin|pluginname=open-xchange-authentication-imap|toplevel=products|sopath=appsuite/stable/backend|version=App Suite}}

Latest revision as of 07:12, 26 January 2017

Open-Xchange IMAP authentication module

Introduction

The Open-Xchange IMAP authentication module is used to perform the Open-Xchange authentication against a IMAP server. During login, a IMAP connection is opened with the user credentials given through the Open-Xchange API, e.g. the GUI login mask. If that IMAP connection succeeds, the user is authenticated and finally logged in to its Open-Xchange session.

The module does replace the database authentication module installed by default.

IMAP Authentication Matrix

The IMAP authentication module has configuration parameters which do influence the username used for the IMAP connection during login. The configuration file is:

/opt/open-xchange/etc/imapauth.properties

The parameters are:

  • com.openexchange.mail.loginSource
  • USE_FULL_LOGIN_INFO
  • USE_MULTIPLE
  • USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP (starting with 7.8.1)
  • USE_FULL_LOGIN_INFO_FOR_CONTEXT_LOOKUP (starting with 7.8.2)

The following examples make the behavior of that parameters visible. The login string, passed as example to the Open-Xchange login mask, is

user@domain.tld

during the user provisioning, following attributes are set for the context via the createcontext call:

attribute value
contextname domain.tld

and the following parameters via the creatuser call:

attribute value
imaplogin user1337
username user
email exampleuser@otherdomain.tld


com.openexchange.mail.loginSource=login

Property/Property USE_FULL_LOGIN_INFO
true false
USE_MULTIPLE true user1337 user1337
false user@domain.tld user

com.openexchange.mail.loginSource=mail

Property/Property USE_FULL_LOGIN_INFO
true false
USE_MULTIPLE true exampleuser@otherdomain.tld exampleuser@otherdomain.tld
false user@domain.tld user

com.openexchange.mail.loginSource=name

Property/Property USE_FULL_LOGIN_INFO
true false
USE_MULTIPLE true user@domain.tld user
false user@domain.tld user

IMAP Authentication Extensions

Since v7.8.1 the "USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP" property gets introduced. According to the semantics of the "USE_FULL_LOGIN_INFO" property, the "USE_FULL_LOGIN_INFO_FOR_USER_LOOKUP" property controls whether the full login string is supposed to be considered as the internal user name. If set to "true" the full login string is used to look-up the user; e.g. uses "jane@somewhere.org" instead of only "jane".

This is useful for setups, in which the full E-Mail address is used for the internal user name. Please note, that to allow provisioning of full E-Mail addresses the USER_ID check in AdminUser.properties needs to be turned off or allow the '@' character. You have to add the individual E-Mail addresses which belong to a context in the loginmapping (-L for create/changecontext). You can add multiple E-Mail addresses to the loginmapping, separated by a comma.


Install on OX App Suite

Debian GNU/Linux 11.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/appsuite/stable/backend/DebianBullseye/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/appsuite/stable/backend/updates/DebianBullseye/ /

and run

$ apt-get update
$ apt-get install open-xchange-authentication-imap

Debian GNU/Linux 12.0

Add the following entry to /etc/apt/sources.list.d/open-xchange.list if not already present:

deb https://software.open-xchange.com/products/appsuite/stable/backend/DebianBookworm/ /
# if you have a valid maintenance subscription, please uncomment the 
# following and add the ldb account data to the url so that the most recent
# packages get installed
# deb https://[CUSTOMERID:PASSWORD]@software.open-xchange.com/products/appsuite/stable/backend/updates/DebianBookworm/ /

and run

$ apt-get update
$ apt-get install open-xchange-authentication-imap