ptloader and ldap_member_method: filter problem

Sava Chankov sava at blueboard.biz
Thu Jul 28 06:10:25 EDT 2005


Igor Brezac wrote:
> 
> On Wed, 27 Jul 2005, Sava Chankov wrote:
> 
>> Hi,
>> I'm using cyrus-imapd-2.2.12 with ptloader patch from Igor Brezac that
>> fixes the
>> SASL authz bug. Groups are read from LDAP by ptloader properly, but group
>> authorization doesn't work with this configuration:
>>
>> virtdomains: yes
>> ldap_version: 3
>> ldap_sasl: 0
>> ldap_size_limit: 500
>> ldap_bind_dn: uid=proxy_user,o=ControlPanel
>> ldap_base: ou=People,ou=%d,o=ControlPanel
>> ldap_filter: uid=%U
>> ldap_group_base: ou=Group,ou=%d,o=ControlPanel
>> ldap_group_filter: cn=%U
>> ldap_member_method: filter
>> ldap_member_base: ou=Group,ou=%d,o=ControlPanel
>> ldap_member_attribute: cn
> 
> This assumes ldap_member_filter: (member=%D).  Correct?

Yes.

>> A little example - user mincho at dve.bg is member of groups punk and
>> ordinary_user. When the domain admin creates a shared folder named
>> "test" and
>> assigns read right to group punk with the command
>>
>> sam test group:punk at dve.bg read
>>
>> the result is that user mincho at dve.bg doesn't see the shared folder.
>> ptdump
>> output is:
>> user: group:punk at dve.bg time: 1122481905 groups: 0
>> user: mincho at dve.bg time: 1122481327 groups: 2
>>  ordinary_user
>>  punk
> 
> ptdump shows punk instead of punk at dve.bg.  Keep in mind that ptdump
> shows pts cache content.  Can you show a sample ldap entry for each
> identifier?
> 
This is the user:

dn: uid=mincho, ou=People, ou=dve.bg, o=ControlPanel
loginShell: /bin/false
uidNumber: 1001
gidNumber: 1001
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: mincho
cn: Mincho

and the group:

dn: cn=punk, ou=Group, ou=dve.bg, o=ControlPanel
gidNumber: 1004
objectClass: top
objectClass: posixGroup
member: uid=mincho,ou=People,ou=dve.bg,o=ControlPanel
memberUid: mincho
cn: punk

I also tried renaming the group to
cn=punk at dve.bg,ou=Group,ou=dve.bg,o=ControlPanel and it didn't work either.
However, changing the group name to
cn=group:punk at dve.bg,ou=Group,ou=dve.bg,o=ControlPanel and
ldap_group_filter: cn=%u
made it work.

A similar behaviour is observed when using
ldap_member_method:attribute
ldap_member_attribute:memberOf
It only works when memberOf attribute of the user contains value
"group:punk at dve.bg".

-- 
Sava Chankov                                     Сава Чанков
software developer                     софтуерен разработчик
http://www.blueboard.biz                             блуборд
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
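The exchange above turns on two things: what the %-tokens in ldap_group_filter expand to for an identifier like group:punk@dve.bg, and whether the names ptloader caches for a user compare equal to the identifier written into the folder ACL. The following is an added example, not code from Cyrus imapd or ptloader: a small Python model of that token substitution and ACL match, built from the config, ptdump output and LDAP entries posted in the thread. Token meanings (%u the full identifier, %U its local part, %d the domain, %D the DN returned by the user lookup) follow imapd.conf(5) and are an assumption you should verify against your version. The directory, ACL and group lists below are constructed sample data. The model also applies RFC 4515 filter escaping to substituted values, which is the check a practitioner should expect of anything that builds LDAP filters from authentication identifiers; whether ptloader 2.2.12 does so is not something the thread says.

```python
"""Model of %-token expansion into LDAP filters and of ACL/group matching.

Added illustration, not Cyrus imapd or ptloader code.  Token meanings are
taken from imapd.conf(5) (assumption: check the man page of your version).
All sample data below is constructed from the mailing-list thread.
"""
import re

TOKEN_RE = re.compile(r'%[%uUdD]')


def split_identifier(ident):
    """'mincho@dve.bg' -> ('mincho', 'dve.bg'); without '@' the domain is ''."""
    local, sep, domain = ident.partition('@')
    return local, (domain if sep else '')


def escape_filter_value(value):
    """RFC 4515 escaping so identifier text cannot change filter structure
    (an unescaped '*' or ')' in a username would)."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c
                   for c in value)


def expand_filter(template, ident, user_dn=''):
    """Substitute %u / %U / %d / %D / %% into a filter template, escaped."""
    local, domain = split_identifier(ident)
    values = {'%%': '%', '%u': ident, '%U': local, '%d': domain, '%D': user_dn}
    return TOKEN_RE.sub(lambda m: escape_filter_value(values[m.group(0)]),
                        template)


def find_group(entries, group_filter, ident):
    """DNs an equality filter such as 'cn=%U' selects from a toy directory.
    Only the single 'attr=value' form used in the thread is modelled."""
    attr, value = expand_filter(group_filter, ident).split('=', 1)
    return [dn for dn, e in entries.items() if value in e.get(attr, [])]


def acl_rights(ident, groups, acl):
    """Rights an identifier gets from a folder ACL: its own entry plus every
    entry equal to a name in its cached group list.  Names are compared
    verbatim, which is what the ptdump output in the thread implies."""
    rights = set()
    for entry, r in acl.items():
        if entry == ident or entry in groups:
            rights.update(r)
    return ''.join(sorted(rights))


# Constructed sample data mirroring the thread.
ACL_TEST = {'group:punk@dve.bg': 'lrs'}          # sam test group:punk@dve.bg read
GROUPS_ORIGINAL = ['ordinary_user', 'punk']       # ptdump: mincho@dve.bg groups: 2
GROUPS_RENAMED = ['ordinary_user', 'group:punk@dve.bg']   # after the cn rename
DIRECTORY = {
    'cn=punk,ou=Group,ou=dve.bg,o=ControlPanel': {'cn': ['punk']},
    'cn=group:punk@dve.bg,ou=Group,ou=dve.bg,o=ControlPanel':
        {'cn': ['group:punk@dve.bg']},
}


def demo():
    """Run the thread's configuration through the model."""
    user = 'mincho@dve.bg'
    user_dn = 'uid=mincho,ou=People,ou=dve.bg,o=ControlPanel'
    return {
        'user_filter': expand_filter('uid=%U', user),
        'member_filter': expand_filter('(member=%D)', user, user_dn),
        'group_filter_U': expand_filter('cn=%U', 'group:punk@dve.bg'),
        'group_filter_u': expand_filter('cn=%u', 'group:punk@dve.bg'),
        'hit_U': find_group(DIRECTORY, 'cn=%U', 'group:punk@dve.bg'),
        'hit_u': find_group(DIRECTORY, 'cn=%u', 'group:punk@dve.bg'),
        'rights_original': acl_rights(user, GROUPS_ORIGINAL, ACL_TEST),
        'rights_renamed': acl_rights(user, GROUPS_RENAMED, ACL_TEST),
        # a hostile local part is neutralised by the escaping
        'injection_attempt': expand_filter('uid=%U', '*)(uid=*@dve.bg'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-18s %s' % (key, value))
```

Under this model, cn=%U applied to group:punk@dve.bg yields cn=group:punk, which matches neither cn=punk nor cn=punk@dve.bg, while cn=%u yields cn=group:punk@dve.bg and matches only a group whose cn carries the full identifier; and a cached group list of [ordinary_user, punk] grants nothing against an ACL entry of group:punk@dve.bg. That is consistent with every observation in the thread, but it is a model of the documented tokens, not a statement about ptloader's internals.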



