groups, members, LDAP and ptloader

Milen Dimov milen at blueboard.biz
Wed May 30 16:30:43 EDT 2007


Warren Turkal wrote:
> On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
>> Is there somebody on this list so kind as to please try to explain to me what
>> I'm missing? 
> 
> You're not the only one lost with all of this. I hope someone can at least 
> post a working configuration that shows using LDAP without saslauthd so that 
> I would at least know what a working config looks like.

Hi,

We successfully run Cyrus 2.2.12 and 2.3.8, both with LDAP user
authentication and authorization, using saslauthd and ptloader with LDAP
support respectively.

The documentation that comes with Cyrus IMAP contains a very good
explanation of the terms authentication and authorization and of the
different authorization mechanisms that Cyrus IMAP provides. Please take
a look at cyrus-imapd-2.3.8/doc/text/overview

As an example I provide part of the configuration file of our production
Cyrus IMAP server, with only the settings regarding the ptloader LDAP user
authorization module:

/etc/imapd.conf

...

virtdomains: yes

# default value of %d for ldap_filter and ldap_base

#  %%   =  %
#  %u   =  user
#  %U   =  user portion of %u (%U  =  test  when  %u  = test@domain.tld)
#  %d   =  domain  portion  of  %u  if  available  (%d = domain.tld when
#          %u = test@domain.tld),
#          otherwise same as %r
#  %r   =  realm
#  %D   =  user dn.   (use  when  ldap_member_method: filter)
#  %1-9 =  domain tokens (%1 = tld, %2 = domain when %d = domain.tld)

defaultdomain: systemdomain.tld

ldap_uri: ldap://ldaphost
ldap_version: 3
ldap_sasl: 0

ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
ldap_password: somepass

ldap_base: ou=People,ou=%d,o=ControlPanel
ldap_filter: uid=%U

ldap_group_base: ou=Group,ou=%d,o=ControlPanel
ldap_group_filter: cn=%U

ldap_member_method: attribute
ldap_member_attribute: bizBlueboardMemberOf

unix_group_enable: no
auth_mech: pts
pts_module: ldap

...

The attribute bizBlueboardMemberOf is defined in a BlueBoard proprietary
LDAP objectClass. It is a multi-valued attribute that contains the names of
the groups the user is a member of.

We have branches of "ou" entries under "o=ControlPanel" for every
virtual domain we support.

o=ControlPanel
ou=systemdomain.tld,o=ControlPanel
...
ou=domain1.tld,o=ControlPanel
...
ou=domain2.tld,o=ControlPanel
...

Hope this example helps you and others understand how the LDAP
ptloader works.

Cheers,
Milen
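The following is an added example and is not code from the post above or from Cyrus itself. It simulates what the ldap_* settings in the quoted imapd.conf fragment do at lookup time: the login name is split into %U and %d (falling back to defaultdomain when no domain is given), the tokens are substituted into ldap_base and ldap_filter, the resulting subtree search yields the user DN, and the multi-valued member attribute on that entry becomes the list of groups. The in-memory directory, the assumption that the realm (%r) equals the domain, the RFC 4515 escaping of the %U value and the refusal of non-hostname characters in the %d value (which is spliced into a DN) are the example's own choices; the post does not say how ptloader handles those cases. Group names are returned with the "group:" prefix that Cyrus ACLs use for group identifiers.

```python
"""Simulate how Cyrus ptloader expands the ldap_* tokens from imapd.conf for
a login and then reads the user's groups.  Added example, not Cyrus code;
directory contents, escaping and the domain check are this example's own."""
import re

# Constructed imapd.conf fragment with the settings from the post.
IMAPD_CONF = """
virtdomains: yes
defaultdomain: systemdomain.tld
ldap_base: ou=People,ou=%d,o=ControlPanel
ldap_filter: uid=%U
ldap_member_method: attribute
ldap_member_attribute: bizBlueboardMemberOf
"""

# Constructed in-memory directory (DN -> attribute lists), with one
# "ou=<domain>" branch per virtual domain as described in the post.
DIRECTORY = {
    "uid=test,ou=People,ou=domain1.tld,o=ControlPanel":
        {"uid": ["test"], "bizBlueboardMemberOf": ["staff", "sales"]},
    "uid=test,ou=People,ou=domain2.tld,o=ControlPanel":
        {"uid": ["test"], "bizBlueboardMemberOf": ["guests"]},
    "uid=bob,ou=People,ou=systemdomain.tld,o=ControlPanel":
        {"uid": ["bob"], "bizBlueboardMemberOf": ["admins"]},
}


def parse_conf(text):
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def expand(template, login, conf, escape=lambda v: v):
    """Expand %%, %u, %U, %d, %r and %1-%9 as listed in the imapd.conf comment.
    Assumption of this example: the realm (%r) equals the domain."""
    user, _, domain = login.partition("@")
    domain = domain or conf.get("defaultdomain", "")
    # %d is spliced into a DN, so only hostname characters are accepted here.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("refusing unsafe domain token %r" % domain)
    subst = {"%": "%", "u": login, "U": user, "d": domain, "r": domain}
    for n, label in enumerate(reversed(domain.split(".")), 1):
        if n <= 9:
            subst[str(n)] = label      # %1 = tld, %2 = domain, ...

    def repl(m):
        key = m.group(1)
        if key not in subst:
            raise KeyError("unknown token %%%s" % key)
        return subst[key] if key == "%" else escape(subst[key])
    return re.sub(r"%(.)", repl, template)


def search(base, filt):
    """Subtree search for a single 'attr=value' equality filter, the only
    form the post's ldap_filter uses; undoes RFC 4515 escaping first."""
    attr, _, want = filt.partition("=")
    want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), want)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and want in attrs.get(attr, [])]


def resolve_groups(login, conf_text=IMAPD_CONF):
    """Return the Cyrus group identifiers ('group:<name>') for a login, or
    None when the user entry is missing or ambiguous."""
    conf = parse_conf(conf_text)
    if conf["ldap_member_method"] != "attribute":
        raise NotImplementedError("only ldap_member_method: attribute is shown")
    base = expand(conf["ldap_base"], login, conf)
    filt = expand(conf["ldap_filter"], login, conf, escape=filter_escape)
    matches = search(base, filt)
    if len(matches) != 1:
        return None
    attr = conf["ldap_member_attribute"]
    return sorted("group:" + g for g in DIRECTORY[matches[0]].get(attr, []))


if __name__ == "__main__":
    for login in ("test@domain1.tld", "test@domain2.tld", "bob",
                  "nobody@domain1.tld"):
        print(login, "->", resolve_groups(login))
```

The same uid under two different "ou=<domain>" branches resolves to different groups because %d selects the branch, which is why the per-domain ou layout in the post works with a single ldap_base template; a login without a domain is searched under defaultdomain.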
