Users Repositories

Introduction

User repositories are required to store James user information and authentication data

Consult usersrepository.xml in GIT to get some examples and hints.

A user has two attributes: username and password. A valid user should satisfy these criteria:

  • username and password cannot be null or empty
  • username should not be longer than 255 characters
  • username can not contain '/'
  • username can not contain multiple domain delimiter('@')
  • A username can have only a local part when virtualHosting is disabled. E.g.'myUser'
  • When virtualHosting is enabled, a username should have a domain part, and the domain part should be concatenated after a domain delimiter('@'). E.g. 'myuser@james.org'

A user is always considered as lower cased, so 'myUser' and 'myuser' are the same user, and can be used as well as recipient local part than as login for different protocols.

General configuration

All Users Repositories provide at least these three options

enableVirtualHosting
true or false. Add domain support for users (default: false, except for Cassandra Users Repository)
administratorId
user's name. Allow a user to access to the impersonation command, acting on the behalf of any user.
administratorIds
List of usernames. Allows multiple administrators to access the impersonation command, acting on behalf of any user by specifying multiple <administratorId> entries inside the <administratorIds> block.
Note: Only one of the above <administratorId> property or this <administratorIds> block should be used to specify the administrator(s).
verifyFailureDelay
2, 2s, 2000ms, default 0s (disabled). Delay after a failed authentication attempt with an invalid user name or password.

JPA Users Repository

JPA (database via OpenJPA) based user repository. This is the default implementation.

The usersrepository tag as 2 attributes: name="LocalUsers" and class="org.apache.james.user.file.UsersFileRepository"> The class tag should be specified for Spring, but is not taken into acount by Guice.

algorithm
Algorithm to hash passwords. Supported password algorithm are: MD5, SHA-256, SHA-512, NONE(then SHA-1 will be used), `PBKDF2`, `PBKDF2-SHA512` (default).
Note: When using `PBKDF2` or `PBKDF2-SHA512` one can specify the iteration count and the key size in bytes. You can specify it as part of the algorithm. EG: `PBKDF2-SHA512-2000-512` will use 2000 iterations with a key size of 512 bytes.
MD5 and SHA-1 are deprecated.
enableVirtualHosting
true (default) or false. Defines if the usernames must (true) or may not contain (false) a domain part (user@domain.tld).

LDAP Users Repository

Read-Only LDAP based UsersRepository

Example:

<usersrepository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHost="ldap://myldapserver:389"
    principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" userIdAttribute="uid">
           <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>

SSL can be enabled by using ldaps scheme. trustAllCerts option can be used to trust all LDAP client certificates (optional, defaults to false).

Example:

 <repository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHost="ldaps://myldapserver:636"
     principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" userIdAttribute="uid"
     trustAllCerts="true">
            <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>

Moreover, per domain base DN can be configured:

            <repository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHost="ldaps://myldapserver:636"
            principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" userIdAttribute="uid"
            trustAllCerts="true">
            <enableVirtualHosting>true</enableVirtualHosting>
            <domains>
                <domain.tld>ou=People,o=other.com,ou=system</domain.tld>
            </domains>
</usersrepository>

You can connect to multiple LDAP servers for better availability by using ldapHosts option (fallback to ldapHost is supported) to specify the list of LDAP Server URL with the comma , delimiter. We do support different schemas for LDAP servers.

Example:

            <usersrepository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHosts="ldap://ldapServer1:389,ldaps://ldapServer2:636"
            principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" userIdAttribute="uid" trustAllCerts="true">
            <enableVirtualHosting>true</enableVirtualHosting>
            </usersrepository>

When VirtualHosting is on, you can enable local part as login username by configure the resolveLocalPartAttribute. This is the LDAP attribute that allows to retrieve the local part of users. Optional, default to empty, which disables login with local part as username.

Example:

            <usersrepository name="LocalUsers" class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository" ldapHosts="ldap://ldapServer1:389,ldaps://ldapServer2:636"
            principal="uid=ldapUser,ou=system" credentials="password" userBase="ou=People,o=myorg.com,ou=system" resolveLocalPartAttribute="uid" userIdAttribute="mail" trustAllCerts="true">
            <enableVirtualHosting>true</enableVirtualHosting>
            </usersrepository>

The "userListBase" configuration option is used to differentiate users that can login from those that are listed as regular users. This is useful for dis-activating users, for instance.

A different values from "userBase" can be used for setting up virtual logins, for instance in conjunction with "resolveLocalPartAttribute". This can also be used to manage disactivated users (in userListBased but not in userBase).

Note that "userListBase" can not be specified on a per-domain-basis.

LDAP connection pool size tuning

Apache James offers some options for configuring the LDAP connection pool used by unboundid:

  • poolSize: (optional, default = 4) The maximum number of connection in the pool. Note that if the pool is exhausted, extra connections will be created on the fly as needed.
  • maxWaitTime: (optional, default = 1000) the number of milli seconds to wait before creating off-pool connections, using a pool connection if released in time. This effectively smooth out traffic burst, thus in some case can help not overloading the LDAP
  • connectionTimeout: (optional) Sets the connection timeout on the underlying to the specified integer value
  • readTimeout: (optional) Sets property the read timeout to the specified integer value.