R: groups, members, LDAP and ptloader

Toschi Pietro Pietro.Toschi at actalis.it
Thu May 31 06:30:47 EDT 2007

Thanks Milen,
your answer is VERY useful to me and hopefully to many others!
I have added some comments to yours, describing my current understanding of those topics.
I'm asking you to check whether it's correct or not.

Last question: what does "ptloader" stand for? What is pts?

> -----Original Message-----
> From: info-cyrus-bounces at lists.andrew.cmu.edu
> [mailto:info-cyrus-bounces at lists.andrew.cmu.edu] On behalf of 
> Milen Dimov
> Sent: Wednesday 30 May 2007 22:31
> To: info-cyrus at lists.andrew.cmu.edu
> Subject: Re: groups, members, LDAP and ptloader
> Warren Turkal wrote:
> > On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
> >> Is there somebody on this list kind enough to try to explain to me what
> >> I'm missing? 
> > 
> > You're not the only one lost with all of this. I hope someone can at least 
> > post a working configuration that shows using LDAP without saslauthd so that 
> > I would at least know what a working config looks like.
> Hi,
> We successfully run cyrus 2.2.12 and 2.3.8, both with LDAP user
> authentication and authorization, using saslauthd and ptloader with
> LDAP support respectively.

First: you mean that Cyrus uses saslauthd to manage user authentication (basically checking the password in order to verify who the user is) and then uses ptloader to manage user authorization (getting the list of groups the user is a member of, so that we can set per-group ACLs besides per-user ACLs). Right? What other uses of groups can I make in Cyrus?

Second: saslauthd comes with the SASL libs and utils and is not strictly part of Cyrus, while ptloader is developed as part of Cyrus, and that's why the ptloader config options are written in imapd.conf while the saslauthd config options are written in saslauthd.conf, even though both sets of options look very similar, maybe because both saslauthd and ptloader internally use SASL? Right?

> The documentation that comes with Cyrus IMAP contains very good
> explanation of the terms authentication and authorization and the
> different authorization mechanisms that Cyrus IMAP provides. 
> Please take a look at cyrus-imapd-2.3.8/doc/text/overview

Unfortunately, I read those documents very carefully before bothering the list, but I didn't find them very useful, maybe because I'm still missing many basic concepts and the big picture of how Cyrus works and interacts with external components (SASL first of all).
> As an example I provide a part of configuration file of our production
> Cyrus IMAP server with only the settings regarding ptloader LDAP user
> authorization module:
> /etc/imapd.conf
> ...
> virtdomains: yes
> # default value of %d for ldap_filter and ldap_base
> #  %%   =  %
> #  %u   =  user
> #  %U   =  user portion of %u (%U = test when %u = test@domain.tld)
> #  %d   =  domain portion of %u if available (%d = domain.tld when
> #          %u = test@domain.tld),
> #          otherwise same as %r
> #  %r   =  realm
> #  %D   =  user dn.   (use  when  ldap_member_method: filter)
> #  %1-9 =  domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
> defaultdomain: systemdomain.tld
> ldap_uri: ldap://ldaphost
> ldap_version: 3
> ldap_sasl: 0
> ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
> ldap_password: somepass
> ldap_base: ou=People,ou=%d,o=ControlPanel
> ldap_filter: uid=%U
> ldap_group_base: ou=Group,ou=%d,o=ControlPanel
> ldap_group_filter: cn=%U

Third: I can't figure out the use of the two bases and filters above: I guess you have an attribute bizBlueboardMemberOf in every user entry under <ldap_base>, listing every group the user is a member of, so that ptloader gets the list of groups from this attribute. If so, what are ldap_group_base and ldap_group_filter used for? Maybe you have duplicate user entries, one (uid=%U) under the People branch and another (cn=%U) under the Group branch? What is that second LDAP search used for? 
> ldap_member_method: attribute
> ldap_member_attribute: bizBlueboardMemberOf
> unix_group_enable: no
> auth_mech: pts
> pts_module: ldap
> ...
> The attribute bizBlueboardMemberOf is defined in a proprietary BlueBoard
> LDAP objectClass. It is a multi-valued attribute that contains the names of
> the groups the user is a member of.
> We have branches of "ou" entries under "o=ControlPanel" for every
> virtual domain we support.
> o=ControlPanel
> ou=systemdomain.tld,o=ControlPanel
> ...
> ou=domain1.tld,o=ControlPanel
> ...
> ou=domain2.tld,o=ControlPanel
> ...

Currently, our LDAP looks very similar to yours, but we actually don't manage a multi-valued attribute for user groups. That will be a minor change that we can afford.

> Hope this example will help you and others to understand how LDAP
> ptloader works.
> Cheers,
> Milen
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
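
Added example, not code from Cyrus IMAP or from either poster: a small Python simulation of the lookup that the quoted /etc/imapd.conf fragment describes. It expands the %-tokens listed in the config comments (%%, %u, %U, %d, %r, %D, %1-9), runs the user search under ldap_base/ldap_filter against a constructed in-memory directory in place of a real LDAP server, and reads the group names from the multi-valued ldap_member_attribute, as the attribute member method does. Two things are assumptions of the example rather than facts from the thread: that ldap_group_base/ldap_group_filter serve to resolve a group name (for example one named in an ACL) to its group entry, and the RFC 4515 escaping applied to the expanded values, which the page does not show ptloader doing. The DIRECTORY entries and user names are constructed.

```python
"""Simulated ptloader-style LDAP authorization lookup (added example)."""
import re

# Settings copied from the quoted imapd.conf fragment (bind DN/password
# are not needed for an in-memory lookup).
CONFIG = {
    "defaultdomain": "systemdomain.tld",
    "ldap_base": "ou=People,ou=%d,o=ControlPanel",
    "ldap_filter": "uid=%U",
    "ldap_group_base": "ou=Group,ou=%d,o=ControlPanel",
    "ldap_group_filter": "cn=%U",
    "ldap_member_attribute": "bizBlueboardMemberOf",
}

# Constructed directory: DN -> attributes (values are lists, as in LDAP).
# bizBlueboardMemberOf is the multi-valued attribute the quoted message names.
DIRECTORY = {
    "uid=alice,ou=People,ou=domain1.tld,o=ControlPanel": {
        "uid": ["alice"], "bizBlueboardMemberOf": ["sales", "staff"]},
    "uid=bob,ou=People,ou=systemdomain.tld,o=ControlPanel": {
        "uid": ["bob"], "bizBlueboardMemberOf": ["admins"]},
    "cn=sales,ou=Group,ou=domain1.tld,o=ControlPanel": {"cn": ["sales"]},
    "cn=admins,ou=Group,ou=systemdomain.tld,o=ControlPanel": {"cn": ["admins"]},
}


def ldap_filter_escape(value):
    """RFC 4515 escaping for values that end up inside a search filter.
    Assumption of this example: whether ptloader escapes is not shown on
    the page, so the example does it explicitly."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def expand(template, user, realm="", user_dn="", escape=False):
    """Expand the %-tokens documented in the quoted config comment."""
    if "@" in user:
        local, domain = user.rsplit("@", 1)
    else:
        local, domain = user, realm              # %d falls back to %r
    tokens = domain.split(".")[::-1] if domain else []  # %1 = tld, %2 = next label
    esc = ldap_filter_escape if escape else (lambda s: s)

    def sub(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c == "u":
            return esc(user)
        if c == "U":
            return esc(local)
        if c == "d":
            return esc(domain)
        if c == "r":
            return esc(realm)
        if c == "D":
            return esc(user_dn)
        if c in "123456789":
            i = int(c) - 1
            return esc(tokens[i]) if i < len(tokens) else ""
        return m.group(0)                        # unknown token left verbatim
    return re.sub(r"%(.)", sub, template)


def search(base, flt):
    """Stand-in for a subtree search with one equality filter 'attr=value'.
    A bare '*' value matches every entry carrying the attribute, as a
    real '(uid=*)' presence filter would."""
    attr, _, value = flt.partition("=")
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        vals = attrs.get(attr, [])
        if vals and (value == "*" or value in vals):
            hits.append((dn, attrs))
    return hits


def lookup_user(user, escape=True):
    """Return (dn, sorted group names) for a user, or None. ldap_base and
    ldap_filter locate the entry; ldap_member_attribute supplies the groups."""
    realm = CONFIG["defaultdomain"]
    base = expand(CONFIG["ldap_base"], user, realm)
    flt = expand(CONFIG["ldap_filter"], user, realm, escape=escape)
    hits = search(base, flt)
    if len(hits) != 1:                           # none or ambiguous: refuse
        return None
    dn, attrs = hits[0]
    return dn, sorted(attrs.get(CONFIG["ldap_member_attribute"], []))


def lookup_group(group, escape=True):
    """Resolve a group name to its DN under ldap_group_base/ldap_group_filter
    (assumed use of those two settings; see lead-in). None if not found."""
    realm = CONFIG["defaultdomain"]
    base = expand(CONFIG["ldap_group_base"], group, realm)
    flt = expand(CONFIG["ldap_group_filter"], group, realm, escape=escape)
    hits = search(base, flt)
    return hits[0][0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(lookup_user("alice@domain1.tld"))
    print(lookup_user("bob"))                    # no @: %d comes from the realm
    print(lookup_user("*@domain1.tld"))          # escaped: matches nothing
    print(lookup_user("*@domain1.tld", escape=False))  # unescaped: uid=* hits alice
    print(lookup_group("sales@domain1.tld"))
```

The last two calls are the point of the escaping: with escaping off, a login name of `*@domain1.tld` turns `uid=%U` into `uid=*`, which matches whichever user sits under that domain's People branch and hands back that user's groups; escaped it becomes `uid=\2a` and matches nothing. Anything that builds a filter from the login name, whether a real LDAP client or this toy, has to escape it.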

More information about the Info-cyrus mailing list