ldap groups and ptloader

Jos De Graeve Jos.DeGraeve at gmail.com
Thu May 27 06:13:31 EDT 2010

Dear list,

I use saslauthd to auth against ldap (bind auth) and I am trying to use
ptloader to fetch group information from LDAP so that group based ACL's
can be used for shared folders.

The ldap auth works fine, but the group information gets screwed up
somewhere.  With tcpdump I see my directory server sending the correct
group information to ptloader, but ptloader seems to interpret this
information wrong.

If I look with ptdump each user is listed with the correct number of
groups he is member of, but the group name is wrong.  Instead of the
group name (cn attribute) it shows some random attribute such as another
group member (a value of the memberUid attribute), or "top" ( a value of
the objectclass attribute ).  Sometimes, the group name is correct.

I am running cyrus 2.2.13, on debian lenny amd64, compiled from the
debian lenny source package to include ptloader support ( the default
debian binary package does not include ptloader support ).


auth_mech: pts
unix_group_enable: no
ptloader_sock: /var/run/cyrus/socket/ptsock
ldap_base: ou=people,dc=example,dc=org
ldap_filter: (uid=%U)
ldap_version: 3
ldap_sasl: 0
ldap_size_limit: 100
ldap_group_base: ou=groups,dc=example,dc=org
ldap_group_scope: sub
ldap_group_filter: cn=%u
ldap_member_scope: sub
ldap_member_base: ou=groups,dc=example,dc=org
# ldap_member_method: attribute
# ldap_member_attribute: memberUid
ldap_member_method: filter
ldap_member_filter: memberUid=%U
ldap_uri: ldap://netinfo.example.org/
pts_module: ldap

My group information is in ou=groups,dc=example,dc=org.  My groups are
"posixGroup" with the uid's of the members listed in the memberUid
attribute, the group name is listed in the cn attribute:

dn: cn=domainusers,ou=groups,dc=example,dc=org
gidNumber: 513
description: Netbios Domain Users
sambaSID: S-1-5-21-xxxx-xxxx-513
sambaGroupType: 2
displayName: Domain Users
cn: domainusers
memberUid: anja
memberUid: someuid1
memberUid: someuid20
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping

this is a typical user entry:

dn: cn=Anja Smith,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
givenName: Anja
sn: Smith
cn: Anja Smith
uid: anja
uidNumber: 2018
sambaSID: S-1-5-21-xxxx
sambaLMPassword: xxxx
sambaNTPassword: xxxx
loginShell: /bin/bash
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-xxxx
homeDirectory: /home/anja
sambaAcctFlags: [UX]
userPassword: xxxx
mail: anja at example.org
mail: Anja.Smith at example.org
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
shadowMax: 99999

The man pages are somewhat sparse on details on how the parameters are
interpreted and how they will get the ldap information interpreted.  I
tried serveral variations on the configuration file without any success.

Any tips on how to fix this ?

Kind regards,

More information about the Info-cyrus mailing list