ActiveSync credential separation and disabled users

Jeroen van Meeuwen (Kolab Systems) vanmeeuwen at kolabsys.com
Sat Feb 9 14:42:25 CET 2013


On 2013-02-09 01:04, Onno Hensgen wrote:
>> Said IMAP frontend(s) - you would hit these specifically from the
>> ActiveSync web-servers only - can use a different LDAP attribute (than
>> userPassword) using a fast_bind(), or not use LDAP at all (and instead
>> do sasldb2, or SQL, or ...). Frontends connect to IMAP backends using
>> proxy authorization, and so no user credentials are required further
>> down the line.
> 
> I'm having trouble adding an attribute to the 99kolab2.ldif schema in
> 'dirsrv/slapd-mail/schema'.
> I added an attribute:
> 
> attributeTypes: ( 1.3.6.1.4.1.19414.99.50.1
>   NAME 'externalImapAllowed'
>   DESC 'User is allowed to use imap/smtp from outside the company'
>   EQUALITY booleanMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>   SINGLE-VALUE )
> 

You really, really don't want to do this.

Consider the following filter:

   (&(objectClass=kolabInetOrgPerson)(externalImapAllowed=TRUE))

vs:

   (&(objectClass=kolabInetOrgPerson)(nsRoleDn=cn=external-imap-user,dc=example,dc=org))

I think the means to achieve what you want are readily available in the 
form of roles.

>> An alternative approach (I'm not a fan of) is to use proxy
>> authorization right from the start - this would avoid the need to proxy
>> the IMAP connection, as well as avoid the need to run a Cyrus IMAP
>> Murder topology, but makes a compromise in that of course, for
>> day-to-day individual user's operations the use of administrative
>> credentials should be avoided.
> 
> I'm wondering if I understood your suggestion right, but I'm not sure
> if I got the 'proxy authentication part' right:
> 
> I realized an nginx mail proxy which authenticates the user against
> the ldap directory (using imap with ssl).
> The proxy then forwards to the real imap server (plain, no ssl/tls,
> nginx seems to not support ssl/tls for the backend). So the user is
> authenticated with his own credentials again.
> Does that setup implement what you said would be good practice (your
> first suggestion) or am I getting something wrong?
> 

Proxy authentication is a mechanism that works for a Cyrus IMAP 
(Murder) proxy. Proxy authentication is a mechanism in which you use a 
particular set of credentials allowed to perform proxy authentication, 
so that a connection authenticated with these credentials can 
"authorize" itself as another user. Think of logging in over SSH as root 
and instantly performing a "su - <user>", if you will.

With NGINX, you would have to be able to get your hands on an original 
plaintext copy of the "corporate" password that will allow the user to 
authenticate to the IMAP server.

One means to do so is to use the first password (the user sends you) to 
decrypt the value of what you can get your hands on leading you to the 
second password to use against IMAP. This is spoofing more so than proxy 
authentication, if you will.

> And I had to set allowplaintext to 'yes' in the imapd.conf to make
> nginx work.

NGINX's modules indeed do not support TLS/SSL connections to backend 
IMAP/POP services, as it is intended to be deployed right in front of the 
IMAP servers, in a non-hostile / trusted networking environment.

This, in my opinion, is one of the major advantages of a Cyrus IMAP 
(frontend) proxy over NGINX.

Other advantages include that, should you run multiple backends, NGINX 
would only be able to proxy user->backend, whereas a Cyrus IMAP Murder 
frontend would be able to proxy the IMAP connection across backends 
(i.e. "selected mailbox"->"correct backend on which the folder is 
located").

If user john.doe at example.org's mailbox were on backend1, and 
jane.doe at example.org's were on backend2, Cyrus IMAP would allow John and 
Jane to share mailboxes, whereas an environment with only NGINX in front 
of it would not.

> BTW: I'm documenting all my steps and if someone's interested, I
> would be glad to publish it.
> 

I would definitely appreciate your notes and thoughts!

Kind regards,

Jeroen van Meeuwen

-- 
Systems Architect, Kolab Systems AG

e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com

pgp: 9342 BF08
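The proxy authorization mechanism described above (authenticate with one set of credentials, then "authorize" as another user, like `su - <user>` after an SSH login as root) is, for SASL PLAIN, carried in the initial response as `authzid NUL authcid NUL passwd`. The following is an added example, not code from this thread or from Cyrus IMAP or Kolab: it encodes and decodes that message and models the backend's two-step decision (authenticate the authcid, then decide whether it may act as the authzid). The account names, passwords and the `PROXY_ACCOUNTS` table are constructed placeholders, and the acceptance logic is a simplified model of what an IMAP backend does, not Cyrus's own implementation.

```python
import base64

# Constructed sample data (assumptions, not values from the thread).
# PROXY_ACCOUNTS models the one set of credentials that is *allowed* to
# perform proxy authorization; every other identity may only act as itself.
PROXY_ACCOUNTS = {"imap-frontend": "frontend-placeholder-secret"}
USER_PASSWORDS = {
    "john.doe@example.org": "john-placeholder-pw",
    "jane.doe@example.org": "jane-placeholder-pw",
}


def encode_plain(authcid, password, authzid=""):
    """Build the base64 SASL PLAIN initial response (RFC 4616):
    authzid NUL authcid NUL passwd. An empty authzid means "act as the
    authenticated identity", i.e. no proxy authorization requested."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL may not appear inside a SASL PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(message):
    """Split a base64 SASL PLAIN message back into (authzid, authcid, passwd)."""
    parts = base64.b64decode(message, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message: expected exactly 3 fields")
    return tuple(p.decode("utf-8") for p in parts)


def server_accept(message):
    """Simplified backend decision. Returns (accepted, effective_user, reason).

    Step 1 authenticates the authcid against its own password.
    Step 2 decides whose mailbox the session runs against: the authcid
    itself, or, only for a proxy account, the requested authzid."""
    authzid, authcid, password = decode_plain(message)

    # Step 1: authentication of the authcid.
    if authcid in PROXY_ACCOUNTS:
        if password != PROXY_ACCOUNTS[authcid]:
            return (False, None, "bad proxy credentials")
    elif authcid in USER_PASSWORDS:
        if password != USER_PASSWORDS[authcid]:
            return (False, None, "bad user credentials")
    else:
        return (False, None, "unknown authcid")

    # Step 2: authorization. Without an authzid the session is the authcid's own.
    target = authzid or authcid
    if target == authcid:
        return (True, target, "authenticated as self")
    # Only the designated proxy account may request a different authzid;
    # an ordinary user asking to become someone else is refused.
    if authcid not in PROXY_ACCOUNTS:
        return (False, None, "authzid differs from authcid but authcid is not a proxy account")
    if target not in USER_PASSWORDS:
        return (False, None, "unknown authzid")
    return (True, target, "proxy-authorized")


def imap_exchange(authcid, password, authzid=""):
    """Render the client side of an IMAP AUTHENTICATE PLAIN exchange as lines."""
    return [
        "C: a001 AUTHENTICATE PLAIN",
        "S: +",
        "C: " + encode_plain(authcid, password, authzid),
    ]


if __name__ == "__main__":
    # Frontend authenticates as itself and authorizes as Jane: accepted.
    frontend_as_jane = encode_plain("imap-frontend", PROXY_ACCOUNTS["imap-frontend"],
                                    "jane.doe@example.org")
    print(imap_exchange("imap-frontend", PROXY_ACCOUNTS["imap-frontend"],
                        "jane.doe@example.org"))
    print(server_accept(frontend_as_jane))
    # John tries to authorize as Jane with his own password: refused.
    print(server_accept(encode_plain("john.doe@example.org",
                                     USER_PASSWORDS["john.doe@example.org"],
                                     "jane.doe@example.org")))
```

The point the model makes concrete is the one from the reply: only the frontend's credentials ever travel to the backend, and the backend's authorization step, not the user's password, decides which mailbox the session gets. NGINX's mail proxy has no equivalent step, which is why it must be able to replay a password the backend itself accepts.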
