ptclient & ldap changes

Wesley Craig wes at umich.edu
Thu May 29 15:36:55 EDT 2008


I have a number of ptclient & ldap bug fixes and improvements to make:

1) In 2.3.12p2, if ldap_sasl is enabled, user DNs are obtained through SASL authN/Z proxying.  This assumes that the LDAP server supports authN/Z proxying and that ptclient/ldap has authorization to proxy for all users.  I've moved this option under a new configuration option, ldap_proxy_authz, since the authZ proxying is more or less orthogonal to using SASL for LDAP authN.

2) Groups have two LDAP configurations, one for populating the groups a user belongs to and a second for validating a (new) group name.  In 2.3.12p2, those two configurations suffer from non-parallel construction.  In particular, ldap_member_method allows both "attribute" and "filter", while the ldap_group_* configuration has no "_method" configuration, implicitly assuming "filter" instead.  I've added an ldap_group_method configuration, with three options, "filter", "attribute" and "none".  "none" allows any string that can be canonicalized to be used.  "filter" works just like ldap_group_* was working -- exactly one DN may be returned.  "attribute" looks for at least one DN to be returned.  A correct "attribute" configuration searches for the attribute used in ldap_member_attribute.  The assumption is that if anyone has the group attribute, it is a valid group name.

3) I changed the default ldap_size_limit to 2.  I also inserted some additional checks in the code to specifically look for cases where the size limit is exceeded.  These may or may not be errors, depending on what you're looking for.

4) I fixed two small bugs in ptloader.c, one where unused memory is syslog'd and another where the error message returned from the ptloader module isn't null terminated when being passed to auth_pts.c.

Please find the patch attached.  Comments?

:wes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cyrus-imapd-ldap.diff
Type: application/octet-stream
Size: 8406 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20080529/9b75b88c/attachment.obj 
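To make the three ldap_group_method behaviours and the ldap_size_limit check concrete, here is an added Python model of the group-name validation (not code from the patch or from Cyrus) run over a constructed in-memory directory. The DNs, the canonicalization rule and the posixGroup/cn/memberOf attributes are assumptions standing in for a real ldap_group_filter and ldap_member_attribute setting.

```python
from typing import Optional

# Constructed sample directory (hypothetical DNs and values), keyed by DN.
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=org": {"objectClass": ["posixGroup"], "cn": ["staff"]},
    "cn=staff,ou=legacy,dc=example,dc=org": {"objectClass": ["posixGroup"], "cn": ["staff"]},
    "cn=admins,ou=groups,dc=example,dc=org": {"objectClass": ["posixGroup"], "cn": ["admins"]},
    "uid=alice,ou=people,dc=example,dc=org": {"objectClass": ["person"], "memberOf": ["admins", "devs"]},
    "uid=bob,ou=people,dc=example,dc=org": {"objectClass": ["person"], "memberOf": ["devs"]},
}

def ldap_search(attr, value, size_limit, object_class=None):
    """Return (dns, exceeded): matching DNs capped at size_limit, and whether the
    server would have reported sizeLimitExceeded because more entries matched."""
    hits, exceeded = [], False
    for dn, attrs in DIRECTORY.items():
        if object_class and object_class not in attrs.get("objectClass", []):
            continue
        if value in attrs.get(attr, []):
            if len(hits) == size_limit:
                exceeded = True
                break
            hits.append(dn)
    return hits, exceeded

def canonicalize(name: str) -> Optional[str]:
    """Assumed canonicalization rule: trim and lowercase, reject empty names
    and names containing whitespace or non-printable characters."""
    name = name.strip().lower()
    if not name or not name.isprintable() or any(c.isspace() for c in name):
        return None
    return name

def validate_group(name: str, method: str, size_limit: int = 2) -> Optional[str]:
    """Return the canonical group name if acceptable under ldap_group_method, else None."""
    canon = canonicalize(name)
    if canon is None:
        return None
    if method == "none":          # any canonicalizable string is a valid group
        return canon
    if method == "filter":        # stands in for ldap_group_filter: exactly one DN
        hits, exceeded = ldap_search("cn", canon, size_limit, object_class="posixGroup")
        return canon if len(hits) == 1 and not exceeded else None
    if method == "attribute":     # stands in for ldap_member_attribute: at least one DN
        hits, _ = ldap_search("memberOf", canon, size_limit)
        return canon if hits else None
    raise ValueError(f"unknown ldap_group_method: {method}")
```

With the default size limit of 2 the "filter" case can tell "one match" from "more than one" without retrieving every matching entry, which is why the ambiguous name "staff" is rejected.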