Ptloader configuration in Cyrus IMAP

Duncan Gibb duncan.gibb at siriusit.co.uk
Sun Aug 23 09:34:24 EDT 2009


> On Aug 20, 2009 8:10 PM, "Wil Cooley" <wcooley at nakedape.cc> wrote:

WC> Do I understand correctly [..] that the LDAP ptloader
WC> module can be used to manage group ACLs with
WC> "auth_mech=pts/pts_module=ldap", instead of
WC> "auth_mech=unix/unix_group_enable=1"?

Yes.

WC> Does this solve the slowness caused by UNIX groups in LDAP?

I haven't benchmarked it, but I wouldn't be surprised if pts ldap were
faster than unix groups + nss_ldap.  Neither should be /slow/ though,
given a good underlying LDAP setup.

IMHO the advantage of pts ldap is that the groups needed for mailbox
ACLs don't leak out into the operating system, which is much more in
keeping with the Cyrus "black box" design.


WC> Does "auth_mech" affect anything else?

Clément Hermann (nodens) wrote:

CH> What is not clearly stated in the doc is that if you use
CH> auth_mech: pts, every user needs to exist in the pts
CH> database (ldap in your case).

...which has advantages and disadvantages.  It catches typos in user and
group names in ACLs, but it's very annoying in a Murder where
server-to-server authentication is not via LDAP.

Attached is a hack which allows pts ldap to accept a list of identifiers
as valid without actually doing an LDAP lookup.  We use this to list
certificates for Murder authentication (see also client certs patch at
https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3133).


Cheers


Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
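The two configurations contrasted in this thread, side by side, as an added example written for this page (not code from the list post, from the attached dpatch, or from the Cyrus distribution). Host name, base DNs, bind DN, the "staff" group and the socket path are placeholders; the option names are the ones documented in imapd.conf(5) and cyrus.conf(5) for Cyrus 2.3-era releases.

```text
# ---- imapd.conf, variant A: what the question starts from ----------------
# Cyrus asks the operating system (getgrouplist(), here backed by nss_ldap)
# for the caller's groups, so every group used in a mailbox ACL has to be
# visible to the whole OS, not just to Cyrus.
auth_mech: unix
unix_group_enable: 1

# ---- imapd.conf, variant B: pts with the LDAP ptloader module --------------
# Groups are resolved by ptloader straight from LDAP; nothing about them
# leaks into the OS group database.
auth_mech: pts
pts_module: ldap

# identifier -> group-list cache; ptloader repopulates it on a miss
ptscache_db: skiplist
ptscache_timeout: 10800          # seconds before a cached entry is refreshed
ptloader_sock: /var/lib/imap/ptclient/ptsock

# Placeholder connection settings (assumed, not from the thread).
ldap_uri: ldaps://ldap.example.com
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem
ldap_version: 3
ldap_timeout: 5
ldap_bind_dn: cn=cyrus,ou=services,dc=example,dc=com
ldap_password: change-me-placeholder

# How a *user* identifier is looked up.  With auth_mech: pts every identifier
# that appears anywhere (a login, an ACL entry, the identity a Murder
# frontend authenticates with) must match here or under ldap_group_*,
# otherwise pts rejects it.  That is the "every user needs to exist in the
# pts database" caveat quoted in the thread, and why a Murder whose
# server-to-server identities are not in LDAP is awkward.
ldap_base: ou=people,dc=example,dc=com
ldap_scope: sub
ldap_filter: (uid=%u)

# How the user's groups are found.  "attribute" reads a multi-valued
# attribute off the user's own entry (memberOf-style overlays);
# "filter" would instead search ldap_member_base with ldap_member_filter.
ldap_member_method: attribute
ldap_member_attribute: memberOf

# How a *group* identifier in an ACL (written as group:<name>) is checked
# for existence, which is what catches typos in ACLs.
ldap_group_base: ou=groups,dc=example,dc=com
ldap_group_scope: sub
ldap_group_filter: (cn=%u)

# ---- cyrus.conf, SERVICES section: variant B needs the daemon running ------
ptloader cmd="ptloader" listen="/var/lib/imap/ptclient/ptsock" prefork=0
```

A quick way to confirm the switch behaves as intended is to grant a group ACL with cyradm (e.g. `sam user/alice group:staff lrs`) and then log in as a member and a non-member; `ptdump` shows what ptloader has cached for each identifier and `ptexpire` flushes the cache when LDAP group membership changes faster than ptscache_timeout allows.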
Attachment: 96-pts_ldap_external.dpatch
http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090823/1908a161/attachment.ksh

