List: info-cyrus
Subject: R: groups, members, LDAP and ptloader
From: "Toschi Pietro" <Pietro.Toschi () actalis ! it>
Date: 2007-05-31 10:30:47
Message-ID: FF374A5075949C4D87367831AAAFD4215E879F () POSTA02 ! itmaster ! local
Thanks Milen,
your answer is VERY useful to me and hopefully to many others!
I have just added some comments to yours, describing my current view of those topics. I'm asking you to check whether it's correct or not.
Last question: what does "ptloader" stand for? What is pts?
> -----Original Message-----
> From: info-cyrus-bounces@lists.andrew.cmu.edu
> [mailto:info-cyrus-bounces@lists.andrew.cmu.edu] On behalf of
> Milen Dimov
> Sent: Wednesday, 30 May 2007 22:31
> To: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: groups, members, LDAP and ptloader
>
>
> Warren Turkal wrote:
> > On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
> > > Is there somebody on this list so kind as to please try to explain to me what
> > > I'm missing?
> >
> > You're not the only one lost with all of this. I hope someone can at least
> > post a working configuration that shows using LDAP without saslauthd so that
> > I would at least know what a working config looks like.
>
> Hi,
>
> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users
> authentication and authorization utilizing respectively saslauthd and
> ptloader with LDAP support.
First: you mean that cyrus uses saslauthd to manage user authentication (basically checking the password in order to verify who the user is) and then uses ptloader to manage user authorization (getting the list of groups the user is a member of, so that we can set per-group ACLs as well as per-user ACLs). Right? What other uses of groups can I make in cyrus?
Second: saslauthd comes with the SASL libs and utils and is not strictly part of cyrus, while ptloader is developed as part of cyrus, and that's why ptloader config options are written in imapd.conf while saslauthd config options are written in saslauthd.conf, even if both sets of options look very similar, maybe because both saslauthd and ptloader internally use SASL? Right?
>
> The documentation that comes with Cyrus IMAP contains very good
> explanation of the terms authentication and authorization and the
> different authorization mechanisms that Cyrus IMAP provides.
> Please take
> a look at cyrus-imapd-2.3.8/doc/text/overview
Unfortunately, I read those documents very carefully before bothering the list, but I didn't find them very useful, maybe because I'm still missing many basic concepts and the big picture of how Cyrus works and interacts with external components (SASL first of all).
>
> As an example I provide a part of configuration file of our production
> Cyrus IMAP server with only the settings regarding ptloader LDAP user
> authorization module:
>
> /etc/imapd.conf
>
> ...
>
> virtdomains: yes
>
> # default value of %d for ldap_filter and ldap_base
>
> # %% = %
> # %u = user
> # %U = user portion of %u (%U = test when %u = test@domain.tld)
> # %d = domain portion of %u if available (%d = domain.tld when
> # %u = test@domain.tld), otherwise same as %r
> # %r = realm
> # %D = user dn. (use when ldap_member_method: filter)
> # %1-9 = domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
>
> defaultdomain: systemdomain.tld
>
> ldap_uri: ldap://ldaphost
> ldap_version: 3
> ldap_sasl: 0
>
> ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
> ldap_password: somepass
>
> ldap_base: ou=People,ou=%d,o=ControlPanel
> ldap_filter: uid=%U
>
> ldap_group_base: ou=Group,ou=%d,o=ControlPanel
> ldap_group_filter: cn=%U
Third: I can't figure out the use of the two ldap_base(s) and filter(s) above: I guess you have an attribute bizBlueboardMemberOf in every user entry under <ldap_base>, listing every group the user is a member of, so that ptloader gets the list of groups from this attribute. If so, what are ldap_group_base and ldap_group_filter used for? Maybe you have duplicate user entries, one (uid=%U) under the People branch and another (cn=%U) under the Group branch? What is that second LDAP search used for?
>
> ldap_member_method: attribute
> ldap_member_attribute: bizBlueboardMemberOf
>
> unix_group_enable: no
> auth_mech: pts
> pts_module: ldap
>
> ...
>
> The attribute bizBlueboardMemberOf is defined in a BlueBoard proprietary
> LDAP objectClass. It is a multi-value attribute that contains the names of
> the groups the user is a member of.
>
> We have branches of "ou" entries under "o=ControlPanel" for every
> virtual domain we support.
>
> o=ControlPanel
> ou=systemdomain.tld,o=ControlPanel
> ...
> ou=domain1.tld,o=ControlPanel
> ...
> ou=domain2.tld,o=ControlPanel
> ...
>
Currently, our LDAP appears very similar to yours, but we actually don't manage a multi-value attribute for user groups. That will be a minor change that we can afford.
> Hope this example will help you and others to understand how LDAP
> ptloader works.
>
> Cheers,
> Milen
>
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
>
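The %-token expansion documented in the quoted imapd.conf comments, plus the "attribute" membership lookup, worked through as an added example (my code, not Cyrus's ptloader). It assumes %r is the configured defaultdomain and runs against a small constructed in-memory directory instead of a live LDAP server, so the base/filter a login produces and the groups it yields can be checked offline:

```python
import re
from typing import Dict, List, Optional

# Constructed to mirror the quoted /etc/imapd.conf ptloader settings.
CONFIG = {
    "defaultdomain": "systemdomain.tld",
    "ldap_base": "ou=People,ou=%d,o=ControlPanel",
    "ldap_filter": "uid=%U",
    "ldap_member_method": "attribute",
    "ldap_member_attribute": "bizBlueboardMemberOf",
}

# Constructed directory: DN -> attributes (multi-valued, as lists).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=People,ou=domain1.tld,o=ControlPanel":
        {"uid": ["alice"], "bizBlueboardMemberOf": ["staff", "admins"]},
    "uid=bob,ou=People,ou=systemdomain.tld,o=ControlPanel":
        {"uid": ["bob"], "bizBlueboardMemberOf": ["staff"]},
}

def expand(template: str, user: str, realm: str, user_dn: Optional[str] = None) -> str:
    """Substitute %% %u %U %d %r %D %1..%9 as the quoted comments describe."""
    local, _, domain = user.partition("@")   # %U = local part, %d = domain part
    domain = domain or realm                 # no domain in %u: %d falls back to %r
    tokens = domain.split(".")               # %1 = tld, %2 = next label, ...
    def repl(m: "re.Match[str]") -> str:
        c = m.group(1)
        if c == "%": return "%"
        if c == "u": return user
        if c == "U": return local
        if c == "d": return domain
        if c == "r": return realm            # assumption: realm == defaultdomain
        if c == "D": return user_dn or ""
        if c.isdigit() and 0 < int(c) <= len(tokens): return tokens[-int(c)]
        raise ValueError(f"unknown token %{c}")
    return re.sub(r"%(.)", repl, template)

def search(base: str, filt: str) -> List[str]:
    """Tiny subtree search: DNs under base whose attr=value matches the filter."""
    attr, _, value = filt.partition("=")
    return [dn for dn, a in DIRECTORY.items()
            if dn.endswith("," + base) and value in a.get(attr, [])]

def groups_for(user: str) -> Optional[List[str]]:
    """ldap_member_method: attribute -> read the member attribute off the user entry."""
    realm = CONFIG["defaultdomain"]
    hits = search(expand(CONFIG["ldap_base"], user, realm),
                  expand(CONFIG["ldap_filter"], user, realm))
    if len(hits) != 1:
        return None   # no entry, or ambiguous: grant no group membership
    return sorted(DIRECTORY[hits[0]].get(CONFIG["ldap_member_attribute"], []))
```

A login without a domain part resolves under the defaultdomain branch, which is why `bob` is found while an unknown user yields `None` rather than an empty list.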