[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)
cs at schulte.it
Wed Dec 31 10:09:47 EST 2003
Am Mittwoch, 31. Dezember 2003 02:47 schrieb Jure Pečar:
> On Tue, 30 Dec 2003 13:33:37 -0500
> Ken Murchison <ken at oceana.com> wrote:
> > Its not a problem to implement it. I'd like to get some more discussion
> > on how the two methods can/should interact.
> Let me share my point of view:
> server accepts & authenticates usernames without @domain on any interface
> it is configured to listen on. this is basically the 2.1 behaviour, so let
> say the handling of user at domain kind of usernames is undefined (because
> there were some early 3rd party patches to handle them). admin is only one,
> so no need for global admins.
Handling of user at domain kind of usernames is defined by:
loginrealms: <empty string>
The list of remote realms whose users may log in
using cross-realm authentications. Seperate each
realm name by a space. (A cross-realm identity is
considered any identity returned by SASL with an "@"
So every fully-qualified username gets its @domain part stripped no matter
what it contains if its mentioned in loginrealms otherwise the username is
rejected. This makes @domain logins possible without the need for virtdomains
so that someone planning to migrate to virtdomains already has fully
qualified usernames in use which will make things easier during the update.
> server server accepts & authenticates usernames without @domain on any
> interface it is configured to listen on only if the defaultdomain is set...
All unqualified usernames are treated as @defaultdomain. Usernames
@loginrealms are also treated as @defaultdomain (@loginrealms part gets also
stripped to un-qualify the userid) ?
> without defaultdomain server accepts & authenticates only usernames in the
> form user at domain, where domain specifies the hirearchy tree the user
> belongs to. global admin should be specified without the @domain and admin
> users with @domain should only have rights over their domain tree.
Here the only existing un-qualified usernames are global admins ? loginrealms
has no effect ?
> virtdomains=ipaddr (or something)
> here we need to teach server the ip->domain mapping. reverse dns? most
> server accepts & authenticates usernames without @domain on appropriate
> interfaces (ip adresses) and it searches for username only in the domain
> the ip adress the user is coming from belongs. user at domain usernames should
> be rejected IMHO. global admin should be specified without the @domain and
> authenticated on any ip address. per domain admin users should be specified
> with @domain and should only authenticate when coming to the right ip
...where they will login with an un-qualified username. Completely no @domain
usernames nowhere but in the admins line. loginrealms also has no effect ?
How are loginrealms handled if virtdomain-support gets enabled when it was in
use before without virtdomains ?
More information about the Info-cyrus