PTS & LDAP Take 3

Igor Brezac igor at
Sun Jan 18 09:16:16 EST 2004

On Sat, 17 Jan 2004, Tim Pushor wrote:

> Igor Brezac wrote:
> >I do not see how this is going to work within cyrus context.  You will
> >need to change a lot more than just ptloader/ldap code for this to work.
> >
> Perhaps I don't understand everything involved, but ptloader now just
> finds the user record via a user-definable filter, and only cares about
> the memberOf attributes, which it cycles through to find the user's group
> membership. What I am doing now is to find the user dn via a definable
> filter, then search for that dn in a groups container, and cycle through
> all returned entries, picking the cn of each as the group name. Two ldap
> queries unfortunately, but at least both are equality searches.

I see.  I did not realize you were going to retrieve groups with another
search filter.  This should work.

> >I do not think such docs exist (except for the code itself).  Basically,
> >whenever a user logs in, cyrus fetches all groups the user is a member of
> >(ptloader/ldap does this in your case).  This group list is later used for
> >mailbox access (check lib/auth_pts.c).
> >
> That's what I thought as well. I have already written the code that does
> the user group membership check in ldap.c, but when I went to test it
> via cyradm - I created a folder, and tried to set a group:xxx ACL and at
> that exact point the identifier group:xxx was passed into the pts and I
> don't know what to do with it (do we check to see if it's a valid group?
> I didn't see what to do in the original ldap.c code, afskrb.c, or any
> other file. Perhaps I'm thick, but I just wanted to make sure there
> wasn't anything else I was missing before going on).

You do not need to do anything with this.  The identifier is passed to pts
for canonicalization; the group is not validated.
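The two-query lookup Tim describes (resolve the user's DN with a user-definable filter, then enumerate the group entries that list that DN and take each entry's cn as the group name), as an added example in Python rather than ptloader's C. This is not Cyrus or ptloader code; the `%u`/`%d` template placeholders, the base DNs, the groupOfNames/member schema and the directory contents are all constructed for the example, and the filter evaluator covers only the equality and AND/OR filters the lookup emits. The part worth copying is the RFC 4515 escaping of the login name before it is substituted into the filter, and refusing to proceed when the user search is not unambiguous.

```python
"""Two-step LDAP group lookup: user DN via a definable filter, then the
groups whose member attribute equals that DN.  Added example with a
constructed in-memory directory; not ptloader's own code."""

# RFC 4515 escapes for characters that would otherwise change filter structure.
RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

# Assumed template syntax: %u is the login name, %d the resolved user DN.
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid=%u))"
GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%d))"
USER_BASE = "ou=people,dc=example,dc=com"    # assumed search bases
GROUP_BASE = "ou=groups,dc=example,dc=com"

# Constructed directory: attribute names lowercase, values as lists.
DIRECTORY = [
    {"dn": "uid=tim,ou=people,dc=example,dc=com",
     "attrs": {"objectclass": ["inetOrgPerson"], "uid": ["tim"], "cn": ["Tim"]}},
    {"dn": "uid=igor,ou=people,dc=example,dc=com",
     "attrs": {"objectclass": ["inetOrgPerson"], "uid": ["igor"], "cn": ["Igor"]}},
    {"dn": "cn=staff,ou=groups,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["staff"],
               "member": ["uid=tim,ou=people,dc=example,dc=com",
                          "uid=igor,ou=people,dc=example,dc=com"]}},
    {"dn": "cn=admins,ou=groups,dc=example,dc=com",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["admins"],
               "member": ["uid=igor,ou=people,dc=example,dc=com"]}},
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so user input cannot alter the filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) for the evaluator."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse(text):
    """Parse the subset used here: (attr=value), (&...), (|...)."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    if text[1] in "&|":
        op, rest, children = text[1], text[2:], []
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (op, children), rest[1:]
    end = text.index(")")            # escaped values never contain a raw ')'
    attr, _, value = text[1:end].partition("=")
    return ("=", attr.lower(), unescape_filter_value(value)), text[end + 1:]


def parse_filter(text: str):
    node, rest = _parse(text)
    if rest:
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive match)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry["attrs"].get(attr, []))
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)


def search(directory, base: str, flt: str):
    """Subtree search under base with the given filter string."""
    node = parse_filter(flt)
    suffix = "," + base.lower()
    return [e for e in directory if e["dn"].lower().endswith(suffix) and matches(node, e)]


def find_user_dn(directory, login: str):
    """Query 1: resolve the login name to exactly one DN, else None."""
    flt = USER_FILTER.replace("%u", escape_filter_value(login))
    hits = search(directory, USER_BASE, flt)
    return hits[0]["dn"] if len(hits) == 1 else None   # refuse ambiguity


def user_groups(directory, login: str):
    """Query 2: cn of every group entry whose member equals the user's DN."""
    dn = find_user_dn(directory, login)
    if dn is None:
        return []
    flt = GROUP_FILTER.replace("%d", escape_filter_value(dn))
    return sorted(e["attrs"]["cn"][0] for e in search(directory, GROUP_BASE, flt))


if __name__ == "__main__":
    for login in ("tim", "igor", "nobody", "tim)(uid=igor"):
        print(login, "->", user_groups(DIRECTORY, login))
```

Because the login name is escaped before substitution, a value such as `tim)(uid=igor` is searched for literally (and matches nothing) rather than becoming part of the filter, and a wildcard `*` cannot widen the search; the single-result check guards the case where a loosely written template still returns more than one entry.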

