PTS & LDAP Take 3

Igor Brezac igor at ipass.net
Sun Jan 18 09:16:16 EST 2004


On Sat, 17 Jan 2004, Tim Pushor wrote:

> Igor Brezac wrote:
>
> >I do not see how this is going to work within cyrus context.  You will
> >need to change a lot more than just ptloader/ldap code for this to work.
> >
> >
> >
> Perhaps I don't understand everything involved, but ptloader now just
> finds the user record via a user-definable filter, and only cares about
> the memberOf attributes, which it cycles through to find the user's group
> membership. What I am doing now is to find the user dn via definable
> filter, then search for that dn in a groups container, and cycle through
> all returned entries, picking the cn of each as the group name. Two ldap
> queries unfortunately, but at least both are equality searches.

I see.  I did not realize you were going to retrieve groups with another
search filter.  This should work.

>
> >I do not think such docs exist (except for the code itself).  Basically,
> >whenever a user logs in, cyrus fetches all groups the user is member of
> >(ptloader/ldap does this in your case).  This group list is later used for
> >mailbox access (check lib/auth_pts.c).
> >
> >
> >
> That's what I thought as well. I have already written the code that does
> the user group membership check in ldap.c, but when I went to test it
> via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> that exact point the identifier group:xxx was passed into the pts and I
> don't know what to do with it (do we check to see if it's a valid group??
> I didn't see what to do in the original ldap.c code, afskrb.c, or any
> other file. Perhaps I'm thick, but I just wanted to make sure there
> wasn't anything else I was missing before going on).

You do not need to do anything with this.  The identifier is passed to pts
for canonicalization, the group is not validated.

-- 
Igor
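
The two-query lookup discussed in this thread, written out as an added example; it is not cyrus or ptloader code. Directory access is abstracted as a search(base, filter_str) callable so the logic runs offline against a constructed in-memory directory (a real module would back it with python-ldap or ldap3). The attribute names (uid, cn, member), the container DNs, the CONFIG layout and the lowercase canonicalization rule for user identifiers are assumptions; the pass-through of group: identifiers without validation follows the reply above. The example also escapes the DN from the first query before embedding it in the second filter (RFC 4515), because a DN may legitimately contain parentheses or other filter metacharacters.

```python
"""Two-query LDAP group lookup in the shape described in the thread.

Added example, not cyrus/ptloader code.  search(base, filter_str) returns
[(dn, attrs), ...]; the in-memory mock_search below stands in for a server.
Attribute names, container DNs and the canonicalization rule are assumptions.
"""
import re

# RFC 4515: these characters must be escaped when a value is substituted
# into a search filter.  The DN found by query 1 is a directory value that
# may legitimately contain '(' or ')', so it cannot be pasted into query 2 raw.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def find_user_dn(search, cfg, login):
    """Query 1: the configurable equality filter locates the user's DN.
    Returns None unless exactly one entry matches."""
    hits = search(cfg["user_base"], cfg["user_filter"] % escape_filter_value(login))
    return hits[0][0] if len(hits) == 1 else None


def user_groups(search, cfg, login):
    """Query 2: equality search in the groups container for entries whose
    member attribute carries the user's DN; each hit's cn is a group name."""
    user_dn = find_user_dn(search, cfg, login)
    if user_dn is None:
        return None
    hits = search(cfg["group_base"], "(member=%s)" % escape_filter_value(user_dn))
    return sorted(attrs["cn"][0] for _dn, attrs in hits)


def canonify(search, cfg, identifier):
    """ACL identifiers arrive here for canonicalization.  group: identifiers
    are passed through unchanged and never validated (as the reply says);
    user identifiers are lowercased only if they resolve (assumed rule)."""
    if identifier.startswith("group:"):
        return identifier
    return identifier.lower() if find_user_dn(search, cfg, identifier) else None


# --- constructed in-memory directory standing in for the LDAP server -------
CONFIG = {"user_base": "ou=people,dc=example,dc=com",
          "user_filter": "(uid=%s)",
          "group_base": "ou=groups,dc=example,dc=com"}

DIRECTORY = [
    ("uid=alice,ou=people,dc=example,dc=com", {"uid": ["alice"]}),
    ("cn=Bob (Ops),ou=people,dc=example,dc=com", {"uid": ["bob"]}),
    ("cn=admins,ou=groups,dc=example,dc=com",
     {"cn": ["admins"], "member": ["uid=alice,ou=people,dc=example,dc=com"]}),
    ("cn=ops,ou=groups,dc=example,dc=com",
     {"cn": ["ops"], "member": ["uid=alice,ou=people,dc=example,dc=com",
                                "cn=Bob (Ops),ou=people,dc=example,dc=com"]}),
]

# Only the simple equality filter '(attr=value)' is understood, with the
# RFC 4515 rule that an unescaped '(' or ')' inside the value is malformed.
_EQ_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def mock_search(base, filter_str):
    m = _EQ_FILTER.match(filter_str)
    if not m:
        raise ValueError("malformed filter: %r" % filter_str)
    attr, want = m.group(1), _unescape(m.group(2)).lower()
    return [(dn, attrs) for dn, attrs in DIRECTORY
            if dn.lower().endswith("," + base.lower())
            and any(v.lower() == want for v in attrs.get(attr, []))]


if __name__ == "__main__":
    for login in ("alice", "bob", "mallory"):
        print(login, user_groups(mock_search, CONFIG, login))
    print(canonify(mock_search, CONFIG, "group:ops"))
```

Running the block prints alice's and bob's groups, None for an unknown login, and the group:ops identifier unchanged. The escaping matters for bob: his DN contains parentheses, and without escape_filter_value the second query would be a malformed filter rather than an equality match.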



