Input on patch for ptclient/ldap requested

Ben Poliakoff benp at reed.edu
Tue Aug 9 12:30:51 EDT 2011


* Clement Hermann (nodens) <nodens2099 at gmail.com> [20110809 04:04]:
> Le 09/08/2011 02:08, Jeroen van Meeuwen (Kolab Systems) a écrit :
> > Hi there,
> >
> Hi,
> 
> > I wanted to ask who is actively using ptclient/ldap, as I have some inhouse
> > patch pending on the canonification using some sort of result_attribute, if
> > you will.
> >
> > We currently have under consideration whether everything, life and the
> > universe should be configurable before the patch is accepted upstream, which
> > is to say (pardon my postfix lingo);
> >
> > - result_attribute_format,
> > - leaf_result_attribute,
> >
> > but also;
> >
> > - group_filter_scope,
> > - group_result_attribute
> >
> > Which is to say, we have a deployment extensively using 'nsroledn' -which
> > functionally behaves like a 'memberOf', and the question then becomes if you
> > want to use the 'cn' attribute for groups -which most often is not enforced to
> > be a unique attribute value for groups, but is automatically unique if the
> > search scope for groups is 'one' and the 'cn' attribute builds the 'rdn'.
> >
> > Long story short, I would like to know of other people who use ptclient/ldap,
> > or have attempted to do so but failed, and the various use-case / deployment
> > scenarios.
> 
> We use it for shared folders / mailboxes, on a Stock debian install (so 
> 2.2.x), we only repackaged cyrus to include pts support. Works great so far
> 

We use it extensively (in our current 2.3.x murder and soon in 2.4) for
controlling access to shared folders.

In addition we use ldap/pts as a general purpose authorization service
for our Cyrus Murder installation; we've got a lot of people in our LDAP
directory and Kerberos KDC, but only a subset of that population get
IMAP service.

We haven't had an issue with non-uniqueness of "cn" for group names as
we use a dedicated search base for groups and our groups have their cn
built into their dn...

We have noticed some weirdness when ptloader is configured to
authenticate to the LDAP server, it appears to want to do a SASL proxy
authz *as* the end user.  This seems unnecessarily complex and it fails
in a non-graceful way in our environment, consequently we've configured
ptloader to do anonymous ldap queries.

Ben

-- 
________________________________________________________________________
PGP (318B6A97):  3F23 EBC8 B73E 92B7 0A67  705A 8219 DCF0 318B 6A97
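The uniqueness argument in the quoted message (a group's 'cn' cannot collide when the group search scope is 'one' and 'cn' is the RDN, because sibling DNs under one parent are unique by construction) can be checked offline against a list of group DNs. The following is an added example, not code from the thread or from Cyrus; the DN parser is a deliberately simplified one (single-valued RDNs, no escaped commas), the group entries are constructed sample data, and the `ou=legacy` and `gid=` entries are assumptions introduced to show the two ways the guarantee breaks: a 'sub' scope that reaches nested containers, and a sibling whose RDN is not 'cn'.

```python
"""Added example: model LDAP search scope against group DNs and report
'cn' values that would resolve to more than one group.  Not from the
Cyrus source tree; parser is simplified (no escaped commas, single-valued RDNs)."""
from collections import defaultdict

# Constructed sample directory: three groups, two of them sharing cn=staff
# at different depths, plus one sibling whose RDN attribute is not 'cn'.
BASE = "ou=groups,dc=example,dc=org"
GROUPS = [
    ("cn=staff,ou=groups,dc=example,dc=org",           {"cn": ["staff"]}),
    ("cn=faculty,ou=groups,dc=example,dc=org",         {"cn": ["faculty"]}),
    ("cn=staff,ou=legacy,ou=groups,dc=example,dc=org", {"cn": ["staff"]}),
]
# Assumed extra entry: same parent as the others, but the RDN is 'gid', so
# DN uniqueness no longer says anything about 'cn' uniqueness.
GROUPS_WITH_ODD_RDN = GROUPS + [
    ("gid=2001,ou=groups,dc=example,dc=org", {"cn": ["faculty"]}),
]


def parse_dn(dn):
    """Split a DN into [(attr, value), ...], leftmost RDN first."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, e.g. 'cn' for 'cn=staff,...'."""
    return parse_dn(dn)[0][0]


def in_scope(dn, base, scope):
    """True if a search at `base` with `scope` ('base', 'one', 'sub') returns `dn`.
    Matches on DN suffix only; filters are out of scope for this model."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base)
    if len(dn_parts) < len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    depth = len(dn_parts) - len(base_parts)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def cn_collisions(entries, base, scope):
    """Map each (case-folded) cn that resolves to >1 group DN within scope."""
    seen = defaultdict(list)
    for dn, attrs in entries:
        if not in_scope(dn, base, scope):
            continue
        for cn in attrs.get("cn", []):
            seen[cn.lower()].append(dn)
    return {cn: dns for cn, dns in seen.items() if len(dns) > 1}


def unique_by_construction(entries, base):
    """The guarantee from the thread: with scope 'one', cn is unique iff every
    in-scope entry uses 'cn' as its RDN attribute."""
    return all(rdn_attribute(dn) == "cn"
               for dn, _ in entries if in_scope(dn, base, "one"))


if __name__ == "__main__":
    for scope in ("one", "sub"):
        print(scope, cn_collisions(GROUPS, BASE, scope))
    print("odd rdn, scope one:", cn_collisions(GROUPS_WITH_ODD_RDN, BASE, "one"))
```

Running it shows no collisions for scope 'one' on the well-formed tree, a `staff` collision once the scope becomes 'sub' and reaches `ou=legacy`, and a `faculty` collision even under 'one' as soon as a sibling entry uses an RDN attribute other than 'cn'. The same walk, pointed at a real group subtree exported with `ldapsearch`, is a cheap way to confirm the assumption before relying on 'cn' as the group name in ptloader.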