LDAP ptloader examples?

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Mon Aug 21 09:33:35 EDT 2006


I'm moving my personal mail-service to a new machine and have the luxury
of being able to completely redo where data is stored without having to
worry about backwards compatibility.  I'd like to be able to use LDAP
for storing groups and to allow canonicalisation of a userid to a
standard form and preferably also storing the mail password used for
DIGEST-MD5, whilst using Kerberos too.  If there's a way to map user TLS
certificates to a userid for EXTERNAL auth too, I'd be near ecstatic.

At the moment I use Kerberos, sasldb and /etc/group with Cyrus IMAP
2.2.12; the new install is running 2.3.7.  I'm happier storing cleartext
passwords to allow secure wire authentication protocols, so saslauthd is
not feasible (as I understand matters).

As near as I can figure, ptloader can handle the canonicalisation but
not the authentication, for which I can just use the built-in LDAP
support once the userid has been canonicalised by ptloader.  Is this

Does anyone have any examples of a working configuration for something
like this, which they can share, please?  Or pointers on ways to go or
things to avoid (e.g., because it's deprecated).


