[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [imapsync] patch for 1.366: proxyauth support (Sun, iPlanet and Netscape)


From Jorge López Pérez <jorgelp at us dot es>
Subject Re: [imapsync] patch for 1.366: proxyauth support (Sun, iPlanet and Netscape)
Date Sun, 31 Oct 2010 14:15:47 +0100

Hi Gilles,

On 31/10/10 02:09, Gilles LAMIRAL wrote:

  Please, feel free to test and use it. I hope this feature is
interesting enough to be included in official imapsync.

Thanks! Applied as is to produce imapsync 1.367

Great :-)


Can you write an entry for the FAQ file, just like you did
in your message but destinate to a user? (I'm lazy and
don't master the subject).
>
Also the usage line for online help:

--user1<string>  : user to login on host1. Mandatory.
--authuser1<string>  : user to auth with on host1 (admin user).
                          Avoid using --authmech1 SOMETHING with --authuser1.
--proxyauth1           : ????
--password1<string>  : password for the user1. Dangerous, use --passfile1

I have attached a new patch for 1.366 that shows --proxyauthX in usage() as well as the FAQ entry, aside from the full proxyauth feature.


Regards.

--
Jorge López Pérez
jabber: jorgelp at im dot us dot es
diff -urN imapsync-1.366.orig/FAQ imapsync-1.366/FAQ
--- imapsync-1.366.orig/FAQ	2010-10-30 12:24:10.951674625 +0200
+++ imapsync-1.366/FAQ	2010-10-31 14:12:40.447361182 +0100
@@ -514,6 +514,34 @@
 	--exclude '^user\.'
 
 ======================================================================
+Q: How to migrate from Sun Java Enterprise System / Sun One / iPlanet /
+Netscape servers with an admin account?
+
+R: Those imap servers don't allow the typical use of --authuser1 to use an
+administrative account. They expect the use of an IMAP command called
+proxyauth that is issued after login in as an administrative account.
+
+For example, consider the administrative account 'administrator' and your
+real user 'real_user'. The IMAP sequence would be:
+
+  OK [CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS
+  CHILDREN BINARY UNSELECT LANGUAGE STARTTLS XSENDER X-NETSCAPE XSERVERINFO
+  AUTH=PLAIN] imap.server IMAP4 service (Sun Java(tm) System Messaging
+  Server ...))
+  1 LOGIN administrator password
+  1 OK User logged in
+  2 PROXYAUTH real_user
+  2 OK Completed
+
+In imapsync, you can achieve this by using the following options:
+
+  --host1 source.imap.server \
+  --user1 real_user \
+  --authuser1 administrator \
+  --proxyauth1 \
+  --passfile admin.txt
+
+======================================================================
 Q. Is there anyway of making imapsync purge the destination folder
    when the source folder is deleted?
 
diff -urN imapsync-1.366.orig/imapsync imapsync-1.366/imapsync
--- imapsync-1.366.orig/imapsync	2010-10-30 12:24:10.965674761 +0200
+++ imapsync-1.366/imapsync	2010-10-31 13:09:59.922679699 +0100
@@ -204,6 +204,9 @@
 with --authuser1 "adminuser", it will not work.
 Same behavior with the --authuser2 option.
 
+When working on Sun/iPlanet/Netscape IMAP servers you must use 
+--proxyauth1 to enable administrative user to masquerade as another user. 
+Can also be used on destination server with --proxyauth2 
 
 =head1 EXIT STATUS
 
@@ -560,6 +563,7 @@
         $ssl1, $ssl2,
 	$tls1, $tls2,
         $authuser1, $authuser2,
+        $proxyauth1, $proxyauth2,
         $authmech1, $authmech2,
         $split1, $split2,
         $reconnectretry1, $reconnectretry2,
@@ -680,6 +684,14 @@
 $authmech1 = uc($authmech1);
 $authmech2 = uc($authmech2);
 
+if (defined $proxyauth1 && !$authuser1) {
+        missing_option("With --proxyauth1, --authuser1");
+}
+
+if (defined $proxyauth2 && !$authuser2) {
+        missing_option("With --proxyauth2, --authuser2");
+}
+
 $authuser1 ||= $user1;
 $authuser2 ||= $user2;
 
@@ -721,12 +733,14 @@
 $debugimap1 and print "Host1 connection\n";
 $imap1 = login_imap($host1, $port1, $user1, $password1, 
 		   $debugimap1, $timeout, $fastio1, $ssl1, $tls1,
-		   $authmech1, $authuser1, $reconnectretry1);
+		   $authmech1, $authuser1, $reconnectretry1,
+		   $proxyauth1);
 
 $debugimap2 and print "Host2 connection\n";
 $imap2 = login_imap($host2, $port2, $user2, $password2, 
 		 $debugimap2, $timeout, $fastio2, $ssl2, $tls2,
-		 $authmech2, $authuser2, $reconnectretry2);
+		 $authmech2, $authuser2, $reconnectretry2,
+		 $proxyauth2);
 
 #  history
 
@@ -1551,7 +1565,8 @@
 sub login_imap {
 	my($host, $port, $user, $password, 
 	   $debugimap, $timeout, $fastio, 
-	   $ssl, $tls, $authmech, $authuser, $reconnectretry) = @_;
+	   $ssl, $tls, $authmech, $authuser, $reconnectretry,
+	   $proxyauth) = @_;
 	my ($imap);
 	
 	$imap = Mail::IMAPClient->new();
@@ -1591,13 +1606,25 @@
 		}
 	}
 	
-	$imap->Authmechanism($authmech) unless ($authmech eq 'LOGIN');
+        if ($proxyauth) {
+                $imap->Authmechanism("");
+        } else {
+                $imap->Authmechanism($authmech) unless ($authmech eq 'LOGIN');
+        }
+
 	$imap->Authcallback(\&plainauth) if $authmech eq "PLAIN";
 	
 
-	$imap->User($user);
-	$imap->Authuser($authuser);
-	$imap->Password($password);
+        if ($proxyauth) {
+                $imap->User($authuser);
+                $imap->Authuser($authuser);
+                $imap->Password($password);
+        } else {
+                $imap->User($user);
+                $imap->Authuser($authuser);
+                $imap->Password($password);
+        }
+
 	unless ($imap->login()) {
 		my $info  = "Error login: [$host] with user [$user] auth";
 		my $einfo = $imap->LastError || @{$imap->History}[-1];
@@ -1610,6 +1637,8 @@
 		$imap->login() or
 		  die_clean("$info [LOGIN]: ", $imap->LastError, "\n");
 	}
+	$proxyauth && $imap->proxyauth($user);
+
 	print "Success login on [$host] with user [$user] auth [$authmech]\n";
 	return($imap);
 }
@@ -2423,6 +2452,8 @@
 				   "authmech2=s" => \$authmech2,
 				   "authuser1=s" => \$authuser1,
 				   "authuser2=s" => \$authuser2,
+				   "proxyauth1"        => \$proxyauth1,
+				   "proxyauth2"        => \$proxyauth1,
 				   "split1=i"    => \$split1,
 				   "split2=i"    => \$split2,
 				   "reconnectretry1=i" => \$reconnectretry1,
@@ -2722,12 +2753,18 @@
 --user1       <string> : user to login on host1. Mandatory.
 --authuser1   <string> : user to auth with on host1 (admin user). 
                          Avoid using --authmech1 SOMETHING with --authuser1.
+--proxyauth1           : Use proxyauth on host1. Requires --authuser1.
+                         Required by Sun/iPlanet/Netscape IMAP servers to
+                         be able to use an administrative user
 --password1    PWCHANGED : password for the user1. Dangerous, use --passfile1
 --passfile1   <string> : password file for the user1. Contains the password.
 --host2       <string> : "destination" imap server. Mandatory.
 --port2       <int>    : port to connect on host2. Default is 143.
 --user2       <string> : user to login on host2. Mandatory.
 --authuser2   <string> : user to auth with on host2 (admin user).
+--proxyauth2           : Use proxyauth on host2. Requires --authuser2.
+                         Required by Sun/iPlanet/Netscape IMAP servers to
+                         be able to use an administrative user
 --password2    PWCHANGED : password for the user2. Dangerous, use --passfile2
 --passfile2   <string> : password file for the user2. Contains the password.
 --noauthmd5            : don't use MD5 authentification.