Cyrus ACLs and groups from LDAP
Dan White
dwhite at olp.net
Wed Nov 26 17:24:16 EST 2008
Christopher DeMarco wrote:
> I want to put a group: into an ACL, but I want to expand the group
> using LDAP rather than /etc/groups.
>
> A thread from this list circa 2006 seems to indicate that if PAM uses
> LDAP (or NIS for that matter), that Cyrus will use LDAP without even
> knowing it.
>
> I'd actually prefer that Cyrus do this explicitly -- for clarity's
> sake and because I don't want to switch the mail server over to
> LDAP-via-PAM authentication just yet. Is it possible, and if so, how?
>
> Thanks!
>
Christopher,
The option unix_group_enable controls how Cyrus searches groups. If
enabled, Cyrus will search using the system getgrent call and, depending
on your OS, can make use of various NSS modules to retrieve group
information. It doesn't use ldap-pam, but can use nss-ldap, nss-ldapd,
nss-mysql etc. (on at least Linux and Solaris). This wouldn't affect how
you currently do authentication, only how group ACL authorization performs.
You should also be able to use the ldap ptloader module to perform
authorization, but I have not tried that.
- Dan
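
To check on the mail server what a getgrent-based lookup like the one described in the reply will return, the following added example (not part of the original message and not Cyrus code) reads the `group` line of nsswitch.conf and lists the `group:` identifiers visible for a user. The sample file content and the function names `nss_sources` and `group_identifiers` are constructed for illustration.

```python
import grp
import re

# Constructed sample of /etc/nsswitch.conf; not taken from the original post.
SAMPLE_NSSWITCH = """\
passwd:   files
group:    files [NOTFOUND=continue] ldap   # /etc/group first, then LDAP
hosts:    files dns
"""


def nss_sources(text, database="group"):
    """Return the ordered NSS sources configured for one database."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]               # drop trailing comments
        name, sep, rest = line.partition(":")
        if not sep or name.strip() != database:
            continue
        rest = re.sub(r"\[[^\]]*\]", " ", rest)   # drop [STATUS=action] items
        return rest.split()
    return []


def group_identifiers(user):
    """ACL-style 'group:<name>' identifiers for every group listing the user.

    grp.getgrall() enumerates groups through the C library's getgrent(), so it
    sees whatever the NSS sources above return (files, LDAP, ...).
    Only explicit member lists are checked; primary GIDs are ignored here.
    """
    names = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    return sorted("group:" + n for n in names)


if __name__ == "__main__":
    import sys
    with open("/etc/nsswitch.conf") as fh:
        sources = nss_sources(fh.read())
    print("group sources:", sources or "(no group line)")
    print("LDAP-backed NSS module configured:", any("ldap" in s for s in sources))
    for user in sys.argv[1:]:
        print(user, "->", group_identifiers(user) or "(no groups found)")
```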