PTS & LDAP Take 3

Igor Brezac igor at
Sat Jan 17 22:13:00 EST 2004

On Sat, 17 Jan 2004, Tim Pushor wrote:

> >>I have determined that the way its currently setup (the ldap ptloader)
> >>won't do what I want, so I am in the process of rewriting it for my needs.
> >>
> >>
> >
> >Interesting.  Why is that?  (Not using it myself right now, but would
> >like to at some point.)
> >
> >
> >
> Because it relies on a user having multiple memberof attributes to
> describe their group membership. This is OK if thats how you do group
> membersip, but I already protect various bits of the directory using
> OpenLDAP's group scheme - a seperate group object that contains multiple
> member attributes, each being the DN of the 'subscriber'. I don't want
> to support multiple group schemes if I can at all avoid it.

I do not see how this is going to work within cyrus context.  You will
need to change a lot more than just ptloader/ldap code for this to work.

> I hope I didn't come off sounding like a jerk. I really don't mind doing
> the work. It'd be twice as nice if others were interested, but if not
> thats ok too ;-) I'd just like to see the API docs, or at least some
> notes, if they exist. This is one of the major things that I really
> wanted to see in Cyrus (external authorization). I'm excited!

I do not think such docs exist (except for the code itself).  Basically,
whenever a user logs in, cyrus fetches all groups the user is member of
(ptloader/ldap does this in your case).  This group list is later used for
mailbox access (check lib/auth_pts.c).

You'd be better of writing an ldap authorization module.  Check
lib/auth_unix.c for an example.


More information about the Info-cyrus mailing list