ldap ptloader

Igor Brezac igor at ipass.net
Tue Dec 23 16:21:02 EST 2003


On Tue, 23 Dec 2003 +archive.info-cyrus at utdallas.edu wrote:

> On Tue, 23 Dec 2003, Igor Brezac wrote:
>
> > Good luck building it!  ;)  This code needs work.  When I find some time
> > I'll try to work on it...
> >
> > -Igor
>
> I notice the imapd.conf man page mentions the 'memberOf' attribute.
> Unless I'm mistaken, that's a bit of a controversial thing, huh?

Why is that?

> That is, whether to use "static" groups containing all the members,
> or to have a multi-valued attribute contained within the user DN
> listing the groups that DN is associated with, what iPlanet/SunONE

You can take either one of those approaches, preferably the second one. The
code needs to get a list of groups in order to fit into the current cyrus
group functionality.

> refers to as "roles".  I guess AD also takes that approach.  I don't
> know where I'm going with this, other than maybe clarification that
> my interpretation is correct.
>
> I'm still exploring this LDAP group business.  We do map the standard
> UNIX group file to LDAP, but in a way I don't consider those to be
> "LDAP groups".  Interestingly enough, for a while now we've been
> using an attribute in the user DN to perform some access permissions
> checks, so unwittingly have been using SunONE roles-like approach for
> a while now.  (We are using the SunONE server.)
>

You lose the group functionality with this approach, although you
get better performance.

-- 
Igor
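The two group representations discussed in this thread (static groupOfNames entries listing their members versus a multi-valued memberOf attribute on the user entry), as an added example that is not Cyrus ptloader code: it resolves a user's group list both ways against a constructed in-memory directory and cross-checks them, since what a ptloader consumer needs is just the list of groups. The DNs and the use of the standard `groupOfNames`/`member` schema and a server-maintained `memberOf` attribute are assumptions.

```python
"""Resolve a user's LDAP groups two ways and cross-check the results.

Added example, not Cyrus ptloader code. DIRECTORY is a constructed
in-memory dict of DN -> attributes standing in for real LDAP entries.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: two static groups (groupOfNames with
# 'member') plus users carrying a 'memberOf' attribute.
DIRECTORY: Dict[str, Entry] = {
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "uid=bob,ou=people,dc=example,dc=org"],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                     "cn=admins,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"],
        # Stale value (constructed): bob's entry still claims 'admins'
        # although the static group no longer lists him.
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                     "cn=admins,ou=groups,dc=example,dc=org"],
    },
}


def groups_via_static(directory: Dict[str, Entry], user_dn: str) -> List[str]:
    """Static-group approach: search group entries whose 'member' lists the
    user, i.e. the filter (&(objectClass=groupOfNames)(member=<user_dn>))."""
    return sorted(dn for dn, attrs in directory.items()
                  if "groupOfNames" in attrs.get("objectClass", [])
                  and user_dn in attrs.get("member", []))


def groups_via_memberof(directory: Dict[str, Entry], user_dn: str) -> List[str]:
    """memberOf approach: a single base-scope read of the user's own entry."""
    return sorted(directory.get(user_dn, {}).get("memberOf", []))


def memberof_mismatches(directory: Dict[str, Entry], user_dn: str) -> Tuple[List[str], List[str]]:
    """(groups claimed by memberOf that no static group confirms,
    static groups the user's memberOf omits); both empty means consistent."""
    static = set(groups_via_static(directory, user_dn))
    claimed = set(groups_via_memberof(directory, user_dn))
    return sorted(claimed - static), sorted(static - claimed)
```

The cross-check is the part worth running periodically: when memberOf is not maintained by the server itself, a stale or hand-edited value grants group membership that the static groups never confirm.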



