Authorization with ptloader: Linux and LDAP backend combined

Duncan Gibb Duncan.Gibb at SiriusIT.co.uk
Wed Jan 13 10:51:06 EST 2010


nodens2099 wrote:

EA> I want to be able to store the Cyrus IMAP admin credentials
EA> locally on the Linux server, while all other users are
EA> using LDAP backend for login. [..]
EA> this does not work, because I also use ptloader on the Cyrus IMAP
EA> server and hence all the authentication is working well, but the
EA> authorization fails (because ptloader always tries to query LDAP).

CH> We use a similar setup here. LDAP authentication with ptloader,
CH> and sasldb access for admin. PTS is used for user / group lookups.
CH> So you need to have a match for your admin user in the ldap
CH> database, even if it has no password and another authentication
CH> means is called upon admin login.

We found that feature of PTS quite annoying, especially when we started
building Murders using SSL PKI to authenticate the servers to each other,
so I wrote the attached patch to avoid the need to have dummy LDAP
entries for the CNs of each machine's client certificate.

The patch adds an imapd.conf option called "ldap_external_ids" which
lists identifiers you want PTS to assume are OK.  In your case that
would be the admin username.

This version applies to our 2.3.14++ tree and I haven't tested it for
dependencies on other patches.  Update to 2.3.16 is on the To Do list...

Admittedly it's a matter of taste whether to put these things in LDAP
(possibly hidden from everything except PTS by ACLs) or in the config
files.  My personal preference would be all things end-user-related in
LDAP, all things structural to the systems in config files.


Cheers


Duncan

-- 
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 96-pts_ldap_external.dpatch
Url: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20100113/59bce037/attachment.ksh 

