Auth pop
From Qmail-LDAP Wiki
NAME
auth_pop - Authenticates POP3 clients against LDAP directory
SYNOPSIS
auth_pop subprogram [ args... ]
DESCRIPTION
auth_pop is invoked by qmail-popup to authenticate POP3 users against user information stored in the LDAP directory.
auth_pop receives 'login_name', 'password' and 'timestamp' on descriptor 3 from qmail-popup.
auth_pop can increase or decrease the amount of information logged according to the LOGLEVEL environment variable.
auth_pop can support clustering, see CLUSTERING SUPPORT below.
THE AUTHENTICATION PROCESS
auth_pop authenticates users by checking that the received 'login_name' and 'password' match what is stored in the directory.
To find the LDAP entry for 'login_name', auth_pop searches the directory for an entry having the attribute LDAP_UID = 'login_name'. When it finds this entry, it checks whether the attribute LDAP_PASSWD = 'password'.
The user password can be stored in the directory using a cryptographic (hashing) algorithm. See LDAP_PASSWD for information on this, and see digest to create such hashed passwords.
If the control file ldaprebind is set to 1, auth_pop does not authenticate the user by retrieving his information from the directory; instead, auth_pop tries to rebind to the LDAP server with the received 'login_name' and 'password'. If the rebind is successful, the user is authenticated.
CLUSTERING SUPPORT
If ldapcluster is set to 1, the clustering support is enabled in qmail-ldap.
When clustering support is enabled, auth_pop can retrieve messages for the POP3 clients even if the messages are stored on another cluster member server, i.e., auth_pop, on behalf of the POP3 client, connects to the cluster server holding the messages and retrieves them from it, passing them back to the POP3 client. This is called "session forwarding".
auth_pop session forwarding is explained in the following scheme.
Session Forwarding Scheme
1. auth_pop on server1 does the LDAP lookup.
2. Is the account active? If yes, go further; else bounce.
3. Get the mailHost field. If there is such a field, compare it with the file ~control/me. If they do not differ, do everything as usual. Else forward the connection and try to log in on the other server (mailHost) with uid and passwd. If OK:
4. auth_pop on server2 does the LDAP lookup, compares mailHost with ~control/me and should be happy. Now the imapd or qmail-pop3d is started and the session is forwarded.
Notes:
- The "is the account active?" check is made by checking the value of the LDAP_ISACTIVE attribute.
- The mailHost field is actually compared with both the me and the ldapclusterhosts control files. If mailHost matches any FQDN listed in me or ldapclusterhosts, it is assumed that the Maildir for that user is on the current machine.
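The following is an added example, not code from qmail-ldap, that models THE AUTHENTICATION PROCESS and the session-forwarding scheme above as one decision flow. A dictionary stands in for the LDAP directory, constants stand in for the me, ldapclusterhosts, ldapcluster and ldaprebind control files, and the attribute names uid, userPassword, accountStatus and mailHost are assumed stand-ins for LDAP_UID, LDAP_PASSWD, LDAP_ISACTIVE and mailHost. The "{SHA}" password form is one hashed encoding assumed here for illustration; no LDAP server is contacted.

```python
"""
Toy model of the auth_pop decision flow (added example, not qmail-ldap code).
Everything below is constructed: the directory, the control file values and
the attribute names are stand-ins for the real LDAP_* settings.
"""
import base64
import hashlib
import hmac


def sha_digest(clear):
    """'{SHA}' + base64(sha1(password)): an assumed hashed form for the example."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(clear.encode()).digest()).decode()


# Constructed directory entries keyed by uid (stand-in for LDAP_UID).
DIRECTORY = {
    "alice": {"userPassword": sha_digest("s3cret"), "accountStatus": "active",
              "mailHost": "mail1.example.com"},
    "bob":   {"userPassword": "plain-pw", "accountStatus": "active",
              "mailHost": "mail2.example.com"},
    "carol": {"userPassword": "plain-pw", "accountStatus": "deleted",
              "mailHost": "mail1.example.com"},
    "dave":  {"userPassword": "plain-pw", "accountStatus": "active"},  # no mailHost
}

# Constructed control files of the server running this auth_pop (server1).
CONTROL_ME = "mail1.example.com"
CONTROL_LDAPCLUSTERHOSTS = {"mail1.example.com", "mail1-alias.example.com"}
CONTROL_LDAPCLUSTER = 1
CONTROL_LDAPREBIND = 0


def password_matches(stored, supplied):
    """Constant-time compare; hashed entries are re-digested, clear text compared as-is."""
    if stored.startswith("{SHA}"):
        supplied = sha_digest(supplied)
    return hmac.compare_digest(stored.encode(), supplied.encode())


def simulated_bind(uid, password):
    """Stand-in for rebinding to the LDAP server as the user (ldaprebind = 1)."""
    entry = DIRECTORY.get(uid)
    return entry is not None and password_matches(entry["userPassword"], password)


def forward_host(entry):
    """Return the cluster host to forward to, or None when the Maildir is local."""
    if not CONTROL_LDAPCLUSTER:
        return None
    host = entry.get("mailHost")
    # No mailHost, or one naming this machine (me or any ldapclusterhosts
    # entry): the Maildir is on the current machine.
    if host is None or host == CONTROL_ME or host in CONTROL_LDAPCLUSTERHOSTS:
        return None
    return host


def auth_pop(login_name, password):
    """One POP3 login attempt: ('OK', None), ('REJECT', None) or ('FORWARD', host)."""
    entry = DIRECTORY.get(login_name)            # step 1: lookup LDAP_UID = login_name
    if entry is None:
        return ("REJECT", None)
    if entry.get("accountStatus") != "active":   # step 2: LDAP_ISACTIVE check
        return ("REJECT", None)
    host = forward_host(entry)                   # step 3: mailHost vs me/ldapclusterhosts
    if host is not None:
        # The scheme hands uid and password to the mailHost server, which does
        # its own lookup and password check before the session is forwarded.
        return ("FORWARD", host)
    if CONTROL_LDAPREBIND:
        ok = simulated_bind(login_name, password)
    else:
        ok = password_matches(entry["userPassword"], password)
    return ("OK", None) if ok else ("REJECT", None)


if __name__ == "__main__":
    for uid, pw in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "plain-pw"),
                    ("carol", "plain-pw"), ("dave", "plain-pw"), ("eve", "x")]:
        print(uid, "->", auth_pop(uid, pw))
```

Running the block shows the four outcomes the scheme distinguishes: a local user with a correct password succeeds, a wrong password or an unknown uid is rejected before anything is forwarded, an inactive account is bounced regardless of password, and a user whose mailHost names another cluster member is handed to that host. A missing mailHost is treated as local, matching the note above.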
CONTROL FILES
defaultquotacount, defaultquotasize, dirmaker, ldapbasedn, ldapcluster, ldapclusterhosts, ldapdefaultdotmode, ldapgid, ldaplocaldelivery, ldaplogin, ldapmessagestore, ldapobjectclass, ldappassword, ldaprebind, ldapserver, ldaptimeout, ldapuid
ENVIRONMENT VARIABLES
LOGLEVEL
