ldap ptloader

+archive.info-cyrus at utdallas.edu
Tue Dec 23 15:13:55 EST 2003


On Tue, 23 Dec 2003, Igor Brezac wrote:

> Good luck building it!  ;)  This code needs work.  When I find some time
> I'll try to work on it...
>
> -Igor

I notice the imapd.conf man page mentions the 'memberOf' attribute.
Unless I'm mistaken, that's a bit of a controversial thing, huh?
That is, whether to use "static" groups containing all the members,
or to have a multi-valued attribute contained within the user DN
listing the groups that DN is associated with, what iPlanet/SunONE
refers to as "roles".  I guess AD also takes that approach.  I don't
know where I'm going with this, other than maybe clarification that
my interpretation is correct.

I'm still exploring this LDAP group business.  We do map the standard
UNIX group file to LDAP, but in a way I don't consider those to be
"LDAP groups".  Interestingly enough, for a while now we've been
using an attribute in the user DN to perform some access permissions
checks, so unwittingly have been using a SunONE roles-like approach for
a while now.  (We are using the SunONE server.)

Amos




