Misc question about LDAP and admin stuff

Igor Brezac igor at ipass.net
Wed Jul 27 06:59:29 EDT 2005


On Mon, 25 Jul 2005, Per-Olov [iso-8859-1] Sjöholm wrote:

> On Saturday 23 July 2005 17.37, Igor Brezac wrote:
>> On Fri, 22 Jul 2005, Per-Olov [iso-8859-1] Sjöholm wrote:
>>> On Thursday 21 July 2005 16.17, Igor Brezac wrote:
>>>> On Thu, 21 Jul 2005, Per-Olov [iso-8859-1] Sjöholm wrote:
>>>>> Hi list
>>>>>
>>>>> Does anybody know if there are any work going on to implement the stuff
>>>>> that the third party cyrusmaster requires to work and extend the LDAP
>>>>> support in cyrus imapd? If not... Is there any work at all going on to
>>>>> add good LDAP or MySQL support? I really love cyrus imapd but think it
>>>>> lacks some stuff when it comes to LDAP or MySQL support.
>>>>
>>>> Can you be more specific?
>>>
>>> Your'e right...
>>>
>>> I am not just talking  about LDAP auth using any PAM stuff.
>>> Cyrus imapd in not directly LDAP friendly.
>>
>> From the authentication/authorizaion stand point it is very friendly.
>> Perhaps it is not easily configured.
>>
>> Take a look at ptloader/ldap and cyrus sasl documentation (there are
>> several different ways to configure ldap based authentication).
>>
>
> I am *not* talking about LDAP auth. I know that this is easily configured... I
> have already used it *a lot*. Me and my colleague have actually extended
> Cyrus sasl with extra Oracle auth through SQL*Net for a large Telecom/ISP
> customer. So yes... I know Cyrus SASL...
>
>
>>> Let's say you want to put quota
>>> info in LDAP.
>>> And in huge installations you maybe want to put as much info as
>>> possible into a central repository using LDAP protocol. And not just
>>> quota,
>>
>> It is fairly trivial to develop an ldap based cyrus db backend.  But in a
>> 'huge' installation I do not believe you can achieve desired performance
>> and reliability.  ldap just does not do well when you have to write to it
>> often.
>>
> Yes it is fairly trivial for a person with the correct programming skills (not
> me)... But it is not in the product today. And that is why I ask...
>
> Hmmm. I do know understand your LDAP performance comment.... Why should you
> write often to LDAP in a scenario like this??? You configure the attributes
> rarely  and then read them often. I can only see writes during user password
> change or any other admin changes of user attributes. *One* of the golden
> rules to use LDAP is to have *many* more reads for each write (example
> 1000:1). I work with LDAP in my daily work. But I maybe missunderstood you...
>

You said you wanted quotas stored in ldap, this will require frequent 
writes to ldap

>
>>> maybe alternate e-mail adresses and more.
>>
>> You can do this now.
>>
> Did not know that....Sorry. Thanks for telling me.
>
> But what I meant by "more" above could for example be quota, acl , virtual
> domain stuff etc.

Again, some of these features may have serious implication on the 
performance of cyrus imap.

> Between the lines I can read a try to defend cyrus as "it is good as it is" in

No, at least it was not my intention.  I do not think this is a trivial 
task and so far no one has come up with a workable solution.

> the LDAP area. But there is definitely no need to do that, because I already
> think Cyrus imapd is the best OpenSource product in this area. And also
> better than many commercial ones. I have it in some customer installations,
> and it works really well.
>
> The cyrusmaster project looks nice. It looks like the most powerful admin
> software for cyrus and great for big installations. If we start to use it, we
> have to wait for LDAP extension patches from the cyrusmaster project after
> each cyrus update. Simple LDAP extension patches for basic (well.. almost)
> ldap features that could already have been in the product. And believe me...
> I would have helped the Cyrus project extending the LDAP support if I was a
> real programmer.
>
> But I am maybe the only person ansking for some more centralized "LDAPified"
> config stuff for Cyrus. If so. Let's skip the LDAP discussion. As said
> earlier, it's not important to me today. Just asked because of curiosity to
> see what is in the Cyrus developers pipe....
>

More things can be done, I agree.  At the same time I think most everyhing 
is in place to develop a centralized administrative system especially a 
web based one.  I use ldap and imap protocol to develop a such system.

>
>>> My question is just because I am interested to know if there is any 
>>> work going on to make is more LDAP friendly. And the main reason for 
>>> asking is because the cyrusmaster project has extended cyrus to 
>>> contain some of this stuff.
>
>
>
> And the last... Excuse me if I totally missed something important here.
>
>
> Regards
> Per-Olov
>

-- 
Igor


More information about the Info-cyrus mailing list