ldap ptloader
Igor Brezac
igor at ipass.net
Tue Dec 23 16:21:02 EST 2003
On Tue, 23 Dec 2003 +archive.info-cyrus at utdallas.edu wrote:
> On Tue, 23 Dec 2003, Igor Brezac wrote:
>
> > Good luck building it! ;) This code needs work. When I find some time
> > I'll try to work on it...
> >
> > -Igor
>
> I notice the imapd.conf man page mentions the 'memberOf' attribute.
> Unless I'm mistaken, that's a bit of a controversial thing, huh?
Why is that?
> That is, whether to use "static" groups containing all the members,
> or to have a multi-valued attribute contained within the user DN
> listing the groups that DN is associated with, what iPlanet/SunONE
You can take either one of those approaches, preferably the second one. The
code needs to get a list of groups in order to fit into the current cyrus
group functionality.
> refers to as "roles". I guess AD also takes that approach. I don't
> know where I'm going with this, other than maybe clarification that
> my interpretation is correct.
>
> I'm still exploring this LDAP group business. We do map the standard
> UNIX group file to LDAP, but in a way I don't consider those to be
> "LDAP groups". Interestingly enough, for a while now we've been
> using an attribute in the user DN to perform some access permissions
> checks, so unwittingly have been using SunONE roles-like approach for
> a while now. (We are using the SunONE server.)
>
You lose the group functionality with this approach, although you
get better performance.
--
Igor