[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Christian Schulte cs at schulte.it
Wed Dec 31 10:09:47 EST 2003


On Wednesday, 31 December 2003 at 02:47, Jure Pečar wrote:
> On Tue, 30 Dec 2003 13:33:37 -0500
>
> Ken Murchison <ken at oceana.com> wrote:
> > It's not a problem to implement it.  I'd like to get some more discussion
> > on how the two methods can/should interact.
>
> Let me share my point of view:
>
> virtdomains=off:
>
> server accepts & authenticates usernames without @domain on any interface
> it is configured to listen on. this is basically the 2.1 behaviour, so let's
> say the handling of user@domain kind of usernames is undefined (because
> there were some early 3rd party patches to handle them). admin is only one,
> so no need for global admins.

Handling of user@domain kind of usernames is defined by:

loginrealms: <empty string>
            The  list  of  remote  realms  whose users may log in
            using  cross-realm  authentications.   Separate  each
            realm  name  by  a space.  (A cross-realm identity is
            considered any identity returned by SASL with an  "@"
            in it.)

So every fully-qualified username gets its @domain part stripped, no matter
what it contains, if it's mentioned in loginrealms; otherwise the username is
rejected. This makes @domain logins possible without the need for virtdomains,
so that someone planning to migrate to virtdomains already has fully
qualified usernames in use, which will make things easier during the update.

>
> virtdomains=userid
>
> server accepts & authenticates usernames without @domain on any
> interface it is configured to listen on only if the defaultdomain is set...

All unqualified usernames are treated as @defaultdomain. Usernames
@loginrealms are also treated as @defaultdomain (the @loginrealms part also
gets stripped to un-qualify the userid)?
 
> without defaultdomain server accepts & authenticates only usernames in the
> form user@domain, where domain specifies the hierarchy tree the user
> belongs to. global admin should be specified without the @domain and admin
> users with @domain should only have rights over their domain tree.

Here the only existing un-qualified usernames are global admins? loginrealms
has no effect?

>
> virtdomains=ipaddr (or something)
>
> here we need to teach server the ip->domain mapping. reverse dns? most
> likely.
> server accepts & authenticates usernames without @domain on appropriate
> interfaces (IP addresses) and it searches for username only in the domain
> the IP address the user is coming from belongs to. user@domain usernames should
> be rejected IMHO. global admin should be specified without the @domain and
> authenticated on any IP address. per domain admin users should be specified
> with @domain and should only authenticate when coming to the right IP
> address...

...where they will log in with an un-qualified username. No @domain
usernames anywhere except in the admins line. loginrealms also has no effect?

How are loginrealms handled if virtdomain support gets enabled when it was in
use before without virtdomains?

--
Christian
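To make the rules under discussion concrete, here is a small model of the login-name handling as described in this thread. It is an added example, not Cyrus code; the `virtdomains=userid` mappings that the message above leaves as open questions are treated here as assumptions, and `Config`/`canonicalize` are names chosen for this illustration.

```python
# Constructed model of Cyrus login-name canonicalization as discussed in the
# thread (not the real implementation). Rules modelled:
#   virtdomains=off : "user@realm" is accepted only if realm is listed in
#                     loginrealms; the @realm part is then stripped.
#   virtdomains=userid, defaultdomain set : unqualified names become
#                     user@defaultdomain; names @loginrealm are mapped to
#                     defaultdomain as well (assumption from the thread).
#   virtdomains=userid, no defaultdomain : only names in the admins list may
#                     be unqualified (global admins); all others need @domain.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Config:
    virtdomains: str = "off"            # "off" or "userid"
    defaultdomain: Optional[str] = None
    loginrealms: set = field(default_factory=set)
    admins: set = field(default_factory=set)


def canonicalize(userid: str, cfg: Config) -> Optional[str]:
    """Return the canonical userid, or None if the login must be rejected."""
    user, sep, realm = userid.partition("@")
    qualified = bool(sep)

    if cfg.virtdomains == "off":
        if not qualified:
            return user
        # Cross-realm identity: strip @realm only for a listed loginrealm.
        return user if realm in cfg.loginrealms else None

    if cfg.virtdomains == "userid":
        if cfg.defaultdomain:
            # Unqualified and loginrealm-qualified names land in defaultdomain.
            if not qualified or realm in cfg.loginrealms:
                return f"{user}@{cfg.defaultdomain}"
            return userid
        # No defaultdomain: an unqualified name is only valid for a global admin.
        if not qualified:
            return user if user in cfg.admins else None
        return userid

    raise ValueError(f"unsupported virtdomains mode: {cfg.virtdomains}")
```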
