[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Jure Pečar pegasus at nerv.eu.org
Tue Dec 30 20:47:51 EST 2003


On Tue, 30 Dec 2003 13:33:37 -0500
Ken Murchison <ken at oceana.com> wrote:

> It's not a problem to implement it.  I'd like to get some more discussion 
> on how the two methods can/should interact.

Let me share my point of view:

virtdomains=off:

server accepts & authenticates usernames without @domain on any interface it
is configured to listen on. this is basically the 2.1 behaviour, so let's say
the handling of user@domain kind of usernames is undefined (because there
were some early 3rd party patches to handle them). admin is only one, so no
need for global admins.

virtdomains=userid

server accepts & authenticates usernames without @domain on any
interface it is configured to listen on only if the defaultdomain is set.
without defaultdomain server accepts & authenticates only usernames in the
form user@domain, where domain specifies the hierarchy tree the user belongs
to. global admin should be specified without the @domain and admin users
with @domain should only have rights over their domain tree.

virtdomains=ipaddr (or something)

here we need to teach server the ip->domain mapping. reverse dns? most
likely.
server accepts & authenticates usernames without @domain on appropriate
interfaces (ip addresses) and it searches for username only in the domain the
ip address the user is coming from belongs. user@domain usernames should be
rejected IMHO. global admin should be specified without the @domain and
authenticated on any ip address. per domain admin users should be specified
with @domain and should only authenticate when coming to the right ip
address.

virtdomains=on

server first looks for user@domain, then in case of user the ip address and
then the defaultdomain setting. reject if none are available. global admin
should be specified without the @domain and admin users with @domain should
only have rights over their domain tree.



This is how I would lay out things ... don't know if it matches current
status accurately. Are there any obvious shortcomings and problems I'm not
seeing?

-- 

Jure Pečar
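
The resolution rules proposed in the message above, read as code. This is an added example, not part of the original post and not Cyrus's implementation; `resolve`, `can_administer`, the `cfg` keys, the static IP-to-domain map (standing in for the reverse DNS lookup the post suggests) and the sample addresses are assumptions, and `ipaddr` is the poster's tentative mode name.

```python
class Rejected(Exception):
    """The login name cannot be placed in a domain under this mode."""

def resolve(mode, login, local_ip, cfg):
    """Return (user, domain, scope); domain None is the global namespace."""
    user, at, dom = login.partition("@")
    if not user or (at and not dom):
        raise Rejected("malformed login name")
    admins = cfg.get("admins", ())
    ip_dom = cfg.get("ip_domains", {}).get(local_ip)  # assumed static map
    default = cfg.get("defaultdomain")
    # Global admins are listed without @domain and accepted on any interface.
    if not at and login in admins:
        return user, None, "global-admin"
    if mode == "off":
        # The post calls user@domain undefined here; this sketch fails closed.
        if at:
            raise Rejected("qualified name with virtdomains=off")
        return user, None, "user"
    if mode == "userid":
        domain = dom if at else default
    elif mode == "ipaddr":
        # Qualified names are refused unless a domain admin hits its own IP.
        if at and (login not in admins or dom != ip_dom):
            raise Rejected("qualified name not allowed on this interface")
        domain = ip_dom
    elif mode == "on":
        # Order from the post: user@domain, then IP address, then defaultdomain.
        domain = dom if at else (ip_dom or default)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if domain is None:
        raise Rejected("no domain could be determined")
    scope = "domain-admin" if f"{user}@{domain}" in admins else "user"
    return user, domain, scope

def can_administer(resolved, target_domain):
    """Domain admins are confined to their own domain; global admins are not."""
    _, domain, scope = resolved
    if scope == "global-admin":
        return True
    return scope == "domain-admin" and domain == target_domain

# Constructed sample configuration (documentation addresses and domains).
CFG = {
    "admins": ("root", "admin@example.com"),
    "defaultdomain": "example.org",
    "ip_domains": {"192.0.2.10": "example.com", "192.0.2.20": "example.net"},
}
```
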
