PTS & LDAP Take 3
Igor Brezac
igor at ipass.net
Sat Jan 17 22:13:00 EST 2004
On Sat, 17 Jan 2004, Tim Pushor wrote:
>
> >>I have determined that the way its currently setup (the ldap ptloader)
> >>won't do what I want, so I am in the process of rewriting it for my needs.
> >>
> >>
> >
> >Interesting. Why is that? (Not using it myself right now, but would
> >like to at some point.)
> >
> >
> >
> Because it relies on a user having multiple memberof attributes to
> describe their group membership. This is OK if thats how you do group
> membersip, but I already protect various bits of the directory using
> OpenLDAP's group scheme - a seperate group object that contains multiple
> member attributes, each being the DN of the 'subscriber'. I don't want
> to support multiple group schemes if I can at all avoid it.
I do not see how this is going to work within cyrus context. You will
need to change a lot more than just ptloader/ldap code for this to work.
> I hope I didn't come off sounding like a jerk. I really don't mind doing
> the work. It'd be twice as nice if others were interested, but if not
> thats ok too ;-) I'd just like to see the API docs, or at least some
> notes, if they exist. This is one of the major things that I really
> wanted to see in Cyrus (external authorization). I'm excited!
I do not think such docs exist (except for the code itself). Basically,
whenever a user logs in, cyrus fetches all groups the user is member of
(ptloader/ldap does this in your case). This group list is later used for
mailbox access (check lib/auth_pts.c).
You'd be better of writing an ldap authorization module. Check
lib/auth_unix.c for an example.
--
Igor
More information about the Info-cyrus
mailing list