[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Christos Soulios soulbros at noc.uoa.gr
Fri Jan 2 10:06:21 EST 2004


Ken Murchison wrote:
> Christos Soulios wrote:
> 
>>
>> If the domain passed in the fully qualified userid matches the domain
>> selected from the IP address, then cyrus proceeds to authenticate the user
>> using sasl. If it is different, then authentication fails without even
>> making a query to the authentication mechanism.
>
> Can you explain why this matters. Are you limiting certain domains to a
> particular interface for security reasons? I assumed that byaddr is
> just a convenience for the users.

Security is one thing. More than this, my opinion is that in order for cyrus 
to be deployed in a true multi domain environment, and thus actually be 
used by ISPs, admins must be able to distribute the virtual domains 
according to the name of the server users are connecting to. In such a 
multi domain environment, users have no ability to choose their domain 
by appending a @domain to their userid. However, now they can. Of 
course, one may argue that the same thing may be done using the correct 
authentication policy through sasl. This is true, but this solution 
leaves part of the domain determination procedure to sasl. My opinion is 
that for the sake of simplicity cyrus should handle this. Besides, 
nobody needs the overhead of a sasl call when cyrus can do the same thing.

Moreover, being able to determine the virtual domain solely by the ip 
address the user was connected to, gives you - the cyrus developers - 
the option to know the domain before the user passes an authentication 
command to cyrus.

I will give a short example which shows how useful this is. Suppose my imap 
server hosts two virtual domains, and I happen to permit anonymous 
logins to only one of them. Having determined the domain before the user 
passes an authentication command gives me the option to allow or deny 
an anonymous login. Of course, this is not something that can be 
implemented now, but I would like to see that too in some future release 
of cyrus. Trying to see a little bit further tells me that byaddr is 
not merely a convenience for users. It is a key feature to implement 
full virtual domains support in cyrus.

>
> How do you propose to handle admins, especially the global admin? Jure's 
> proposal seems to make the most sense to me at this point (admins use 
> fully qualified userids)
>
Jure's proposal sounds fine to me too, with a small change, which is 
that domain admins do not need to pass a @domain when they authenticate. 
Instead, the domain is determined upon connection, using the 
interface they connected to, and whether the user is an admin of the virtual 
domain is determined in the same good old way it was determined in cyrus-2.1.x.

In the config file, of course, the notation may be in the form of:
admins: cyrus cyrus at domain1 cyrus at domain2

A different, cleaner (IMHO) implementation would be to have two config 
options. Something like:
globaladmins: cyrus
domainadmins: cyrus at domain1 cyrus at domain2

Regards,
Christos



-- 
Christos Soulios (soulbros_at_noc.uoa.gr)

Microsoft is not the answer.
Microsoft is the question.
No is the answer.
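As an added illustration of the behaviour discussed in this thread (this is a model written for this page, not Cyrus code): the virtual domain is taken from the interface the client connected to (byaddr), a fully qualified userid must agree with it before sasl is consulted at all, anonymous logins can be decided per domain before any authentication command, and admins are checked against the proposed globaladmins/domainadmins split. The BYADDR map, the admin sets, the ANONYMOUS_OK set and the function names are all assumptions made for the example.

```python
# Illustrative model of the byaddr virtdomain decision discussed in the thread.
# Not Cyrus code; every map, set and name below is a constructed assumption.
from dataclasses import dataclass
from typing import Optional

# Constructed configuration: interface address -> virtual domain (byaddr),
# plus the two admin lists from the proposed globaladmins/domainadmins notation.
BYADDR = {"10.0.0.1": "domain1", "10.0.0.2": "domain2"}
GLOBALADMINS = {"cyrus"}
DOMAINADMINS = {"cyrus@domain1", "cyrus@domain2"}
ANONYMOUS_OK = {"domain1"}   # hypothetical policy: anonymous only on domain1

@dataclass
class Decision:
    proceed: bool            # True: hand the userid to sasl; False: fail before sasl
    domain: Optional[str]    # domain selected for this connection
    is_admin: bool
    reason: str

def domain_for_interface(local_ip: str, default_domain: Optional[str] = None):
    """byaddr lookup, falling back to defaultdomain when the interface is unmapped."""
    return BYADDR.get(local_ip, default_domain)

def authorize(userid: str, local_ip: str, default_domain: Optional[str] = None) -> Decision:
    domain = domain_for_interface(local_ip, default_domain)
    if domain is None:
        return Decision(False, None, False, "no domain for interface and no defaultdomain")
    # The domain is known from the connection, so the anonymous decision can be
    # taken before the client ever sends LOGIN or AUTHENTICATE.
    if userid == "anonymous":
        ok = domain in ANONYMOUS_OK
        return Decision(ok, domain, False, "anonymous permitted" if ok else "anonymous denied")
    if "@" in userid:
        # Fully qualified userid: it must match the interface's domain, otherwise
        # fail without querying the authentication mechanism.
        user_domain = userid.rpartition("@")[2]
        if user_domain != domain:
            return Decision(False, domain, False, "userid domain does not match interface")
        qualified = userid
    else:
        # Unqualified name: global admins use it as-is (assumption: checked first),
        # everyone else gets the domain determined upon connection appended.
        if userid in GLOBALADMINS:
            return Decision(True, domain, True, "global admin")
        qualified = f"{userid}@{domain}"
    is_admin = qualified in DOMAINADMINS
    return Decision(True, domain, is_admin, "domain admin" if is_admin else "regular user")
```

Note that with "cyrus" in both lists, an unqualified "cyrus" is treated here as the global admin; the ambiguity is exactly the global-admin question the thread is about.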
