User identifiers

From Messaging Server Technical Reference Wiki
Jump to: navigation, search


A user in a mail store can have multiple user identifiers for different purposes; this section provides a summary of some of the possible identifiers for a user:

Canonical Identifier
The canonical identifier for a user is typically derived from an LDAP lookup. In a default configuration, this is the value of the LDAP entry's uid followed by "@" and the domain name containing the user. The ldap_permid option (or if that's not set, the ldap_uid option) determine which LDAP attribute is used to construct this identifier. The domainUidSeparator domain LDAP attribute also alters how this attribute is constructed. This is also the value used for %s in the canonicalsearchfilter option.
External Identifier
For Cassandra store, this is the identifier used in IMAP ACL commands and when referencing shared folders through IMAP. Both ACL identifiers and shared folder names are internally stored using the store user identifer, but that is converted to and from the external identifier (if one exists) when IMAP is used. The ldap_extid option must be set to specify the LDAP attribute containing the external identifier, otherwise the store user identifier will be used.
LDAP Distinguished Name (DN)
The LDAP distinguished name provides a unique reference to a user entry in LDAP. Messaging Server does not have any specific requirements on which attributes are present in a user LDAP DN, although it is recommended that a subtree is created in LDAP for each set of users associated with one or more domain names. Messaging Server does not support multi-valued RDNs.
Original Login Identifier
The original login identifier is the identifier the user sends over the wire when performing a login or authentication operation. It may or may not be qualified by a domain name. There can be multiple valid login identifiers for the same user, but a given login identifier should uniquely match an LDAP entry. For LDAP search filter template options such as searchformat and replayformat, this identifier is referred to with the %o substitution. The inetDomainSearchFilter LDAP domain attribute typically determines how this is translated into a specific user's LDAP entry.
Permanent or Persistent User Identifier
Another name for the store user identifier, but explicitly noting that the identifier should be permanent and/or persistent. The ldap_permid option controls the LDAP attribute that contains this identifier for a given user.
Pre-Lookup Login Identifier
The pre-lookup login identifier is derived from the original login identifier by making sure it is qualified by the appropriate domain name. This includes converting any non-default domain delimiter (specified by the loginseparator option) into the canonical delimiter (typically '@' or the first character listed in that option). This is determined prior to performing LDAP lookups for authentication purposes.
Store User Identifier
The store user identifier is the same as the canonical identifier, except that if the domain name is the default domain, then the domain portion of the identifier is omitted. Message store command line tools use this identifier when referring to users. For the classic message store, mboxutil can be used to migrate the content of a store user identifier's account to a new user identifier (due to IMAP ACLs and shared folder subscriptions, the process is not fast and will cause problems when the user being renamed is logged in). For Cassandra store, this identifier can not be changed; instead an external identifier should be used as that can be changed easily.