ldap groups and ptloader
Duncan Gibb
Duncan.Gibb at SiriusIT.co.uk
Thu May 27 06:38:44 EDT 2010
Jos De Graeve wrote:
JDG> I use saslauthd to auth against ldap (bind auth) and I am trying
JDG> to use ptloader to fetch group information from LDAP so that group
JDG> based ACLs can be used for shared folders.
We have several similar systems in production.
JDG> If I look with ptdump each user is listed with the correct number
JDG> of groups he is member of, but the group name is wrong. Instead
JDG> of the group name (cn attribute) it shows some random attribute
JDG> such as another group member (a value of the memberUid attribute),
JDG> or "top" ( a value of the objectclass attribute ). Sometimes, the
JDG> group name is correct.
JDG> I am running cyrus 2.2.13, on debian lenny amd64
> auth_mech: pts
> unix_group_enable: no
> ptloader_sock: /var/run/cyrus/socket/ptsock
> ldap_base: ou=people,dc=example,dc=org
> ldap_filter: (uid=%U)
> ldap_version: 3
> ldap_sasl: 0
> ldap_size_limit: 100
> ldap_group_base: ou=groups,dc=example,dc=org
> ldap_group_scope: sub
> ldap_group_filter: cn=%u
> ldap_member_scope: sub
> ldap_member_base: ou=groups,dc=example,dc=org
> # ldap_member_method: attribute
> # ldap_member_attribute: memberUid
> ldap_member_method: filter
> ldap_member_filter: memberUid=%U
> ldap_uri: ldap://netinfo.example.org/
> pts_module: ldap
JDG> My groups are "posixGroup" with the uids of the members listed
JDG> in the memberUid attribute, the group name is listed in the cn
JDG> attribute:
If you add
ldap_member_attribute: cn
to your config, it should work. Certainly something very similar works
on our Lenny/amd64 2.3.14++ builds:
auth_mech: pts
pts_module: ldap
ptscache_timeout: 60
ptloader_sock: /srv/imap/var/run/cyrus/socket/ptsock
ldap_uri: ldapi:///var/run/ldapi \
ldaps://ldap3.this-site.client.com \
ldaps://ldap2.this-site.client.com \
ldaps://ldap4.this-site.client.com \
ldaps://ldap1.this-site.client.com
ldap_tls_cacert_file: /etc/ssl/certs/client-ca.pem
ldap_tls_check_peer: yes
ldap_base: dc=client,dc=com
ldap_group_base: dc=client,dc=com
ldap_member_base: dc=client,dc=com
ldap_sasl: no
ldap_bind_dn: cn=this-cyrus,ou=agents,dc=client,dc=com
ldap_password: verylongrandomstring
ldap_filter: (|(&(objectclass=gosaMailAccount)(gosaMailServer=imap.client.com)(uid=%u))(&(objectclass=simpleSecurityObject)(cn=%u)(|(cn=cyrus)(cn=spamteach))))
ldap_group_filter: (&(objectclass=posixGroup)(cn=%u))
ldap_member_method: filter
ldap_member_filter: (&(objectclass=posixGroup)(memberUid=%u))
ldap_member_attribute: cn
# size limit determines the max number of groups a user may be
# in before authentication fails
ldap_size_limit: 1024
ldap_external_ids: mupdate.client.com fe1.client.com \
fe2.client.com feN.client.com \
be1.client.com be2.client.com \
beN.client.com
JDG> The man pages are somewhat sparse on details on how the
JDG> parameters are interpreted and how they will get the ldap
JDG> information interpreted. I tried several variations on
JDG> the configuration file without any success.
Yes. It would be nice if someone had time to make the configuration
of pts_ldap more similar to other things likely to be using the same
data (e.g. pam/nss/samba as well as saslauthd).
Cheers
Duncan
--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/
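The following is an added example, not code from the thread or from Cyrus itself: a small Python simulation of what the `ldap_member_method: filter` settings above ask ptloader to do, so the effect of the missing `ldap_member_attribute` line can be checked without a directory server. It searches a constructed in-memory set of posixGroup entries with the configured member filter, reads the configured attribute from each hit, enforces `ldap_size_limit` as Duncan's comment describes it, and refuses to run when no group-name attribute is configured. Assumptions: `%u` and `%U` are both treated as the bare user name; only the `filter` method is modelled (not `attribute`); the RFC 4515 escaping of the user name is the example's own precaution, not a statement about what any ptloader version does; the sample entries, user names and the `acl_identifier_matches` helper are made up for illustration. The ACL helper shows why the symptom matters: an ACL entry for `group:<name>` is only as trustworthy as the names in the user's group list.

```python
"""Simulation of the ptloader 'filter' group lookup discussed in the thread.
Not Cyrus code. Constructed data; %u and %U are both the bare user name."""
from typing import Dict, List

# Constructed posixGroup entries in the poster's schema: group name in cn,
# members' uids in memberUid. Multi-valued attributes are lists.
SAMPLE_GROUPS: List[Dict] = [
    {"dn": "cn=staff,ou=groups,dc=example,dc=org", "cn": ["staff"],
     "objectClass": ["top", "posixGroup"], "memberUid": ["jos", "duncan"]},
    {"dn": "cn=sales,ou=groups,dc=example,dc=org", "cn": ["sales"],
     "objectClass": ["top", "posixGroup"], "memberUid": ["jos", "alice"]},
    {"dn": "cn=admins,ou=groups,dc=example,dc=org", "cn": ["admins"],
     "objectClass": ["top", "posixGroup"], "memberUid": ["duncan"]},
]

# The poster's member-lookup settings as quoted, and the same with the fix.
POSTER_CONFIG = {"ldap_member_base": "ou=groups,dc=example,dc=org",
                 "ldap_member_method": "filter",
                 "ldap_member_filter": "memberUid=%U",
                 "ldap_size_limit": "100"}
FIXED_CONFIG = dict(POSTER_CONFIG, ldap_member_attribute="cn")


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter (example's own
    precaution against filter injection; check your ptloader version)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value).
    Returns ("=", attr, value) or (op, [children])."""
    if not text.startswith("("):
        text = f"({text})"  # the poster's "cn=%u" has no outer parentheses
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data in filter: {text[pos:]!r}")
    return node


def _parse(text: str, pos: int):
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos} in {text!r}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            kid, pos = _parse(text, pos)
            kids.append(kid)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos} in {text!r}")
        return (op, kids), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad filter item {text[pos:end]!r}")
    return ("=", attr.strip(), _unescape(value)), end + 1


def attr_values(entry: Dict, name: str) -> List[str]:
    """Attribute names are case-insensitive in LDAP; dn is not an attribute."""
    for key, values in entry.items():
        if key != "dn" and key.lower() == name.lower():
            return list(values)
    return []


def matches(node, entry: Dict) -> bool:
    if node[0] == "=":
        values = attr_values(entry, node[1])
        return bool(values) if node[2] == "*" else node[2] in values
    kids = node[1]
    if node[0] == "&":
        return all(matches(k, entry) for k in kids)
    if node[0] == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # "!"


def lookup_groups(config: Dict, user: str, directory=SAMPLE_GROUPS) -> List[str]:
    """Group names the filter method yields: search ldap_member_base with
    ldap_member_filter, then read ldap_member_attribute from every hit."""
    if config.get("ldap_member_method") != "filter":
        raise NotImplementedError("only ldap_member_method: filter is modelled")
    attr = config.get("ldap_member_attribute")
    if not attr:  # the thread's bug: nothing says which attribute is the name
        raise ValueError("ldap_member_attribute must name the group attribute")
    safe = ldap_escape(user)
    filt = parse_filter(config["ldap_member_filter"].replace("%U", safe).replace("%u", safe))
    base = config["ldap_member_base"].lower()
    hits = [e for e in directory if e["dn"].lower().endswith(base) and matches(filt, e)]
    if len(hits) > int(config.get("ldap_size_limit", "100")):
        raise LookupError(f"{user} is in more than {config['ldap_size_limit']} groups")
    return sorted(v for e in hits for v in attr_values(e, attr))


def acl_identifier_matches(identifier: str, user: str, groups: List[str]) -> bool:
    """Does a Cyrus-style ACL identifier ("jos" or "group:staff") cover user?"""
    if identifier.startswith("group:"):
        return identifier[len("group:"):] in groups
    return identifier == user


if __name__ == "__main__":
    groups = lookup_groups(FIXED_CONFIG, "jos")
    print("jos ->", groups)
    print("group:staff applies:", acl_identifier_matches("group:staff", "jos", groups))
    print("group:top applies:", acl_identifier_matches("group:top", "jos", groups))
```

With `ldap_member_attribute: cn` the lookup for `jos` returns `staff` and `sales`, and an ACL identifier like `group:top` does not match; with the poster's configuration as quoted, the simulation refuses outright, because no attribute has been named to supply the group name. Running the same directory with Duncan's `(&(objectclass=posixGroup)(memberUid=%u))` filter gives identical results while excluding any non-posixGroup entry that happens to carry a `memberUid`.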