ptclient & ldap changes
murch at andrew.cmu.edu
Mon Jun 2 22:50:26 EDT 2008
Wesley Craig wrote:
> On 31 May 2008, at 17:25, Igor Brezac wrote:
>> Wesley Craig wrote:
>>> On 31 May 2008, at 00:06, Igor Brezac wrote:
>>>> sasl used to be required for ldap proxy authz, but I do not think
>>>> this is the case any more. I suggested that both ldap_sasl and
>>>> ldap_proxy_authz do the same thing.
>>> Perhaps I misunderstand you. Since SASL authN and proxy authZ are
>>> more or less completely orthogonal, why would you have them do the
>>> same thing? I propose that ldap_sasl control the way bind is done.
>>> And ldap_proxy_authz is used to control how user DNs are obtained.
>> Your patch breaks existing configurations, we usually try to preserve
>> configuration compatibility when possible. Otherwise I am fine with
>> your approach. Maybe automatically set ldap_proxy_authz to true when
>> ldap_sasl is turned on and when ldap_proxy_authz is not explicitly
>> specified in the config?
> Well, that's an issue. We could make ldap_proxy_authz tri-valued:
> legacy, on, and off. Legacy would be the default and would revert to
> the old behavior. Of course, that means that it wouldn't support
> imapd.conf's typical 0/1, on/off, t/f "switch" syntax.
vritdomains is tri-valued, so I wouldn't have a problem with your proposal.
Project Cyrus Developer/Maintainer
Carnegie Mellon University
More information about the Cyrus-devel