[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without
soulbros at noc.uoa.gr
Fri Jan 2 10:06:21 EST 2004
Ken Murchison wrote:
> Christos Soulios wrote:
>> If the domain passed in the fully qualified userid matches the domain
>> from the ipaddress, then cyrus, proceeds to authenticate user using
>> sasl. If it
>> is different, then authentication fails without even making a query to
>> authentication mechanism.
> Can you explain why this matters. Are you limited certain domains to a
> particular interface for security reasons? I assumed that byaddr is
> just a convenience for the users.
Security is one thing. More than this, my opinion is that in order cyrus
to be deployed in a true multi domain environment, and thus actually be
used by ISPs, admins must be able to distribute the virtual domains
according to the name of the server, users are connecting to. In such a
multi domain environment, users have no abillity to choose their domain
by appending a @domain to their userid. However, now they can. Of
course, one may argue that the same thing may be done using the correct
authentication policy through sasl. This is true, but this sollution
leaves part of the domain determination procedure to sasl. My opinion is
that for the shake of complicity cyrus should handle this. Besides
nobody needs the overhead of a sasl call, when cyrus can do the same thing.
Moreover, being able to determine the virtual domain solely by the ip
address the user was connected to, gives you - the cyrus developers -
the option to know the domain before the user passes an authentication
command to cyrus.
I will give a short example which shows how useful this is. If my imap
server hosts two virtual domains. And I happen to permit anonymous
logins to only one of them. Having determined the domain before the user
passes an authentication command, gives me the option to allow or deny
an anonymous login. Of course, this is not something it can be
implemented now. But I would like to see that too in some future release
of cyrus. Trying to see a little bit further, dictates me that byaddr is
not merely a convenience for users. It is a key feature to implement
full virtual domains support in cyrus.
> How do you propose to handle admins, especially the global admin? Jure's
> proposal seems to make the most sense to me at this point (admins use
> fully qualified userids)
Jure's proposal sounds fine to me too. With a small change. Which is
that domain admins do not need to pass a @domain when they authenticate.
In stead of this, the domain is determined upon connection - using the
interface they connected to - and if the user is an admin of the virtual
domain, is determined in same good old way it was determined in cyrus-2.1.x
In the config file, of course the notation may be in the form of :
admins: cyrus cyrus at domain1 cyrus at domain2
A different, cleaner (IMHO) implementation would be to have two config
options. Something like:
domainadmins: cyrus at domain1 cyrus at domain2
Christos Soulios (soulbros_at_noc.uoa.gr)
Microsoft is not the answer.
Microsoft is the question.
No is the answer.
More information about the Info-cyrus