ptclient & ldap changes

Igor Brezac igor at ypass.net
Fri May 30 13:50:41 EDT 2008


1) I suggest that you keep ldap_sasl for backward configuration 
compatibility.  ldap_sasl name is used for sasl vs non-sasl binds.
Note that 'ldap_id' needs to have authorization to proxy.

2)  I suppose you can have ldap_group_method: attribute, but this is not 
how ldap data is typically used for groups.  Also, I suggest that 
ldap_group_attribute be used instead of ldap_member_attribute.  As you 
correctly described ldap_group and ldap_member do two different things 
and your implementation would be a bit confusing.   You can possibly 
default ldap_group_attribute to the value of ldap_member_attribute.
I personally do not like ldap_group_method: none, maybe Kan can chime 
in.  This option basically allows for an arbitrary group identifier 
(potentially a non-existing one) to be assigned to a mailbox.

3) This seems unnecessary, but can you explain a little more?

-Igor

Wesley Craig wrote:
> I have a number of ptclient & ldap bug fixes and improvements to make:
>
>     1) In 2.3.12p2, if ldap_sasl is enabled, user DNs are obtained 
> through SASL authN/Z proxying.  This assumes that the LDAP server 
> supports authN/Z proxying and that ptclient/ldap has authorization to 
> proxy for all users.  I've moved this option under a new configuration 
> option, ldap_proxy_authz, since the authZ proxying is more or less 
> orthogonal to using SASL for LDAP authN.
>
>     2) Groups have two LDAP configurations, one for populating the 
> groups a user belongs to and a second for validating a (new) group 
> name.  In 2.3.12p2, those two configurations suffer from non-parallel 
> construction.  In particular, ldap_member_method allows both 
> "attribute" and "filter", while the ldap_group_* configuration has no 
> "_method" configuration, implicitly assuming "filter" instead.  I've 
> added a ldap_group_method configuration, with three options, "filter", 
> "attribute" and "none".  "none" allows any string that can be 
> canonicalized to be used.  "filter" works just like ldap_group_* was 
> working -- exactly one DN may be returned.  "attribute" looks for at 
> least one DN to be returned.  A correct "attribute" configuration 
> searches for the attribute used in ldap_member_attribute.  The 
> assumption is that if anyone has the group attribute, it is a valid 
> group name.
>
>     3) I changed the default ldap_size_limit to 2.  I also inserted 
> some additional checks in the code to specifically look for cases 
> where size limit is exceeded.  These may or may not be errors, 
> depending on what you're looking for.
>
>     4) I fixed two small bugs in ptloader.c, one where unused memory 
> is syslog'd and another where the error message returned from the 
> ptloader module isn't null-terminated when being passed to auth_pts.c.
>
> Please find the patch attached.  Comments?
>
> :wes
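To make the three ldap_group_method behaviours from point 2 (and the size-limit checks from point 3) concrete, here is an added Python model of the group-name validation. It is not Cyrus ptclient/ldap code: the in-memory directory, the group search predicates and the canonicalisation regex are constructed for the example; only the option names (ldap_group_method, ldap_member_attribute, ldap_size_limit) come from the thread.

```python
import re

# Constructed sample directory: DN -> attributes (values as lists).
# Two distinct group entries are deliberately both named "staff".
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["staff"]},
    "cn=staff,ou=legacy,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["staff"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["admins"]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "memberOf": ["admins", "staff"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "memberOf": ["staff"]},
}

# Hypothetical canonicalisation rule for "none"; the real canonicalizer is not shown.
CANON_RE = re.compile(r"[A-Za-z0-9_.-]+")


def search(predicate, size_limit):
    """Mimic an LDAP search with a size limit: return at most `size_limit` DNs
    plus a flag telling whether more matches existed (sizeLimitExceeded)."""
    matches = [dn for dn, attrs in DIRECTORY.items() if predicate(attrs)]
    return matches[:size_limit], len(matches) > size_limit


def validate_group(name, config):
    """Return (accepted, reason) for a candidate group name under ldap_group_method."""
    method = config["ldap_group_method"]
    if method == "none":
        ok = CANON_RE.fullmatch(name) is not None
        return ok, "any canonicalizable string is accepted" if ok else "not canonicalizable"
    limit = config["ldap_size_limit"]
    if method == "filter":
        # Look for a group entry by name; exactly one DN may come back.
        dns, exceeded = search(
            lambda a: "groupOfNames" in a.get("objectClass", []) and name in a.get("cn", []), limit)
        if exceeded:
            # A truncated result set cannot prove uniqueness, so treat it as an error.
            return False, "size limit exceeded: result set truncated, uniqueness unknown"
        if len(dns) != 1:
            return False, f"expected exactly one DN, got {len(dns)}"
        return True, dns[0]
    if method == "attribute":
        # Any entry carrying the name in ldap_member_attribute makes it a valid group.
        dns, exceeded = search(lambda a: name in a.get(config["ldap_member_attribute"], []), limit)
        if dns:
            return True, f"{len(dns)} member(s) seen" + (" (more exist)" if exceeded else "")
        return False, "no entry carries this group"
    raise ValueError(f"unknown ldap_group_method {method!r}")
```

With ldap_size_limit 1 the duplicate "staff" groups are rejected as a size-limit error rather than silently accepted as the first hit, which is the case the extra checks in point 3 are there to catch.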