Ptloader configuration in Cyrus IMAP

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Wed Aug 19 10:03:20 EDT 2009


Evgeniy Arbatov wrote:

EA> pts_module: ldap

This module is currently very difficult to configure, IMHO.  I've posted
previously that there's scope for a mini-project to make it behave more
similarly to other LDAP-group-orientated things such as nss_ldap or
saslauthd.


EA> ldap_member_method: attribute

This method doesn't work the way you might expect.  It finds the user
object and wants to see the names of the groups of which the user is a
member in the named attribute of the user.  For example:

dn: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com
cn: Evgeniy Arbatov
ou: admins
ou: othergroup
ou: thirdgroup

If you want to put the names of the members into the group objects, you
probably need to use the filter method.

> dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
> uid: admins
> member: cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com

I don't believe the current implementation supports this style of group
membership (groupOfUniqueNames and similar).  It's much more orientated
towards posixGroup-style groups.  Can you make your data look like

dn: cn=admins,ou=groups,ou=people,dc=example,dc=com
cn: admins
memberuid: earbatov
memberuid: otherperson

Then configure

ldap_member_method:    filter
ldap_member_filter:    (memberUid=%u)
ldap_member_attribute: cn


EA> Via cyradm I add needed permissions for admins group:

>>> sam user/postmaster admins lrswipkxte

"group:admins" ?

EA> Moreover, I do not see any attempts of Cyrus IMAP to query
EA> LDAP for authorization information. I know that TLS is
EA> working for this LDAP connection.

The ptdump utility will show you the current state of the cache, eg:

user: earbatov time: NNNNNN groups: 1
  group: admins


Cheers


Duncan


-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
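
The difference between the two ldap_member_method settings discussed in this message, as a simplified Python model added here (not part of the original post and not Cyrus ptloader code). The directory entries are constructed, the user entry is assumed to carry uid earbatov, only a single equality filter is modelled, and the RFC 4515 escaping of %u is an assumption of the model rather than a statement about what ptloader does.

```python
# Simplified model of ldap_member_method "attribute" vs "filter".
# Constructed data and hypothetical helper names; not ptloader code.
import re

DIRECTORY = [  # constructed sample entries, attribute names lower-cased
    {"dn": "cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com",
     "uid": ["earbatov"],  # assumed login name
     "ou": ["admins", "othergroup"]},
    {"dn": "cn=admins,ou=groups,ou=people,dc=example,dc=com",
     "cn": ["admins"], "memberuid": ["earbatov", "otherperson"]},
    {"dn": "cn=staff,ou=groups,ou=people,dc=example,dc=com",  # member-DN style
     "cn": ["staff"],
     "member": ["cn=Evgeniy Arbatov,ou=users,ou=people,dc=example,dc=com"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    """Turn \\XX escapes back into literal characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def groups_by_attribute(user, member_attribute):
    """'attribute' method: group names are read off the user's own entry."""
    for entry in DIRECTORY:
        if user in entry.get("uid", []):
            return sorted(entry.get(member_attribute.lower(), []))
    return []

def groups_by_filter(user, member_filter, member_attribute):
    """'filter' method: expand %u, find matching entries, and return
    their member_attribute values as the group names."""
    expanded = member_filter.replace("%u", escape_filter_value(user))
    m = re.fullmatch(r"\((\w+)=(.*)\)", expanded)
    if m is None:
        raise ValueError("only a single (attr=value) filter is modelled")
    attr, wanted = m.group(1).lower(), unescape(m.group(2))
    return sorted(g for e in DIRECTORY if wanted in e.get(attr, [])
                  for g in e.get(member_attribute.lower(), []))

if __name__ == "__main__":
    print(groups_by_attribute("earbatov", "ou"))
    print(groups_by_filter("earbatov", "(memberUid=%u)", "cn"))
```

The staff group, which lists its member by DN, is never returned by the memberUid filter, which is the mismatch the message describes.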

