PTS & LDAP Take 3
timp at crossthread.com
Sun Jan 18 01:52:06 EST 2004
Igor Brezac wrote:
>I do not see how this is going to work within cyrus context. You will
>need to change a lot more than just ptloader/ldap code for this to work.
Perhaps I don't understand everything involved, but ptloader now just
finds the user record via user defineable filter, and only cares about
the memberOf attributes, which it cycles through to find the users group
membership. What I am doing now is to find the user dn via definable
filter, then search for that dn in a groups container, and cycle through
all returned entries, picking the cn of each as the group name. Two ldap
queries unfortunately, but at least both are equality searches..
>I do not think such docs exist (except for the code itself). Basically,
>whenever a user logs in, cyrus fetches all groups the user is member of
>(ptloader/ldap does this in your case). This group list is later used for
>mailbox access (check lib/auth_pts.c).
Thats what I thought as well. I have already written the code the does
the user group membership check in ldap.c, but when I went to test it
via cyradm - I created a folder, and tried to set a group:xxx ACL and at
that exact point the identifier group:xxx was passed into the pts and I
don't know what to do with it (do we check to see if its a valid group??
I didn't see what to do in the original ldap.c code, afskrb.c, or any
other file. Perhaps I'm thick, but I just wanted to make sure there
wasn't anything else I was missing before going on).
>You'd be better of writing an ldap authorization module. Check
>lib/auth_unix.c for an example.
Like I said, I don't think theres any problem with my approach (other
than it being two ldap queries) but I'd sure like to know a little more
about this ptloader subsystem - like what to do with group:xxx entries,
and anything else other than just raw user/group lookups, and what the
pts cache actually does.
Also, another interesting thing - it seems that the original ldap.c code
would return null if it didn't find any memberOf attributes in the user
record and Authentication would fail!
More information about the Info-cyrus