PTS & LDAP Take 3
timp at crossthread.com
Sun Jan 18 13:23:27 EST 2004
Igor Brezac wrote:
>I see. I did not realize you were going to retrieve groups with another
>search filter. This should work.
Yeah, I'm sure it will. I wish I could do it in one query though.. How
often does the ptloader get called on? Will the pts cache here help at
all? What exactly does the pts cache do? ( I realize that it probably
caches authorizaton info, but is it always consulted first, before
asking the ptloader to look up the information again?)
>>Thats what I thought as well. I have already written the code the does
>>the user group membership check in ldap.c, but when I went to test it
>>via cyradm - I created a folder, and tried to set a group:xxx ACL and at
>>that exact point the identifier group:xxx was passed into the pts and I
>>don't know what to do with it (do we check to see if its a valid group??
>>I didn't see what to do in the original ldap.c code, afskrb.c, or any
>>other file. Perhaps I'm thick, but I just wanted to make sure there
>>wasn't anything else I was missing before going on).
>You do not need to do anything with this. The identifier is passed to pts
>for canonicalization, the group is not validated.
I don't see this in ldap.c. The identifier group:xxx gets passed into
pts as the identifier and rejected by the canonicalizer because of the
colon. So the canonicalized identifer is null throughout the rest of the
code. I don't see a test for group: anywhere ( or in afskrb.c either ).
So assuming that we just want to make sure that the group name is valid,
and that the canonicalizer should be fixed to recognize group:xxx
syntax, what then am I suppose to do with it? Returning NULL seems to Do
Bad Things, and I don't see an entry for canonicalized group in the
More information about the Info-cyrus