
List:       info-cyrus
Subject:    R: groups, members, LDAP and ptloader
From:       "Toschi Pietro" <Pietro.Toschi () actalis ! it>
Date:       2007-05-31 10:30:47
Message-ID: FF374A5075949C4D87367831AAAFD4215E879F () POSTA02 ! itmaster ! local


Thanks Milen,
your answer is VERY useful to me and hopefully to many others!
I just added some comments to yours, describing my current view of those points. I'm asking you to check whether it's correct or not.

Last question: what does "ptloader" stand for? What is pts?

> -----Original Message-----
> From: info-cyrus-bounces@lists.andrew.cmu.edu
> [mailto:info-cyrus-bounces@lists.andrew.cmu.edu] On behalf of
> Milen Dimov
> Sent: Wednesday 30 May 2007 22.31
> To: info-cyrus@lists.andrew.cmu.edu
> Subject: Re: groups, members, LDAP and ptloader
> 
> 
> Warren Turkal wrote:
> > On Wednesday 30 May 2007 09:04, Toschi Pietro wrote:
> > > Is there somebody on this list so kind as to please try to explain to me what
> > > I'm missing?
> > 
> > You're not the only one lost with all of this. I hope someone can at least
> > post a working configuration that shows using LDAP without saslauthd so that
> > I would at least know what a working config looks like.
> 
> Hi,
> 
> We successfully run cyrus 2.2.12 and 2.3.8 both with LDAP users
> authentication and authorization utilizing respectively saslauthd and
> ptloader with LDAP support.

First: you mean that cyrus uses saslauthd to manage user authentication (basically checking the password in order to verify who the user is) and then uses ptloader to manage user authorization (getting the list of groups the user is a member of, so that we can set per-group ACLs besides per-user ACLs). Right? What other use of groups can I make in cyrus?

Second: saslauthd comes with the SASL libs and utils and is not strictly part of cyrus, while ptloader is developed as part of cyrus, and that's why ptloader config options are written in imapd.conf while saslauthd config options are written in saslauthd.conf, even if both sets of options appear very similar, maybe because both saslauthd and ptloader internally use SASL? Right?

> 
> The documentation that comes with Cyrus IMAP contains very good
> explanation of the terms authentication and authorization and the
> different authorization mechanisms that Cyrus IMAP provides. 
> Please take
> a look at cyrus-imapd-2.3.8/doc/text/overview

Unfortunately, I read those documents very carefully before bothering the list, but I didn't find them very useful, maybe because I'm still missing many basic concepts and the big picture of how Cyrus works and interacts with external components (SASL first of all).
> 
> As an example I provide a part of configuration file of our production
> Cyrus IMAP server with only the settings regarding ptloader LDAP user
> authorization module:
> 
> /etc/imapd.conf
> 
> ...
> 
> virtdomains: yes
> 
> # default value of %d for ldap_filter and ldap_base
> 
> #  %%   =  %
> #  %u   =  user
> #  %U   =  user portion of %u (%U = test when %u = test@domain.tld)
> #  %d   =  domain portion of %u if available (%d = domain.tld when
> #          %u = test@domain.tld),
> #          otherwise same as %r
> #  %r   =  realm
> #  %D   =  user dn.   (use when ldap_member_method: filter)
> #  %1-9 =  domain tokens (%1 = tld, %2 = domain when %d = domain.tld)
> 
> defaultdomain: systemdomain.tld
> 
> ldap_uri: ldap://ldaphost
> ldap_version: 3
> ldap_sasl: 0
> 
> ldap_bind_dn: uid=sys_user,ou=People,ou=systemdomain.tld,o=ControlPanel
> ldap_password: somepass
> 
> ldap_base: ou=People,ou=%d,o=ControlPanel
> ldap_filter: uid=%U
> 
> ldap_group_base: ou=Group,ou=%d,o=ControlPanel
> ldap_group_filter: cn=%U

Third: I can't figure out the use of the two ldap_base(s) and filter(s) above: I guess you have an attribute bizBlueboardMemberOf in every user entry under <ldap_base>, listing every group the user is a member of, so that ptloader gets the list of groups from this attribute. If so, what are ldap_group_base and ldap_group_filter used for? Maybe you have duplicate user entries, one (uid=%U) under the People branch and another (cn=%U) under the Group branch? What is that second LDAP search used for?
> 
> ldap_member_method: attribute
> ldap_member_attribute: bizBlueboardMemberOf
> 
> unix_group_enable: no
> auth_mech: pts
> pts_module: ldap
> 
> ...
> 
> The attribute bizBlueboardMemberOf is defined in a BlueBoard proprietary
> LDAP objectClass. It is a multi-value attribute that contains the names of
> the groups the user is a member of.
> 
> We have branches of "ou" entries under "o=ControlPanel" for every
> virtual domain we support.
> 
> o=ControlPanel
> ou=systemdomain.tld,o=ControlPanel
> ...
> ou=domain1.tld,o=ControlPanel
> ...
> ou=domain2.tld,o=ControlPanel
> ...
> 

Currently, our LDAP appears very similar to yours, but we actually don't manage a multi-value attribute for user groups. That will be a minor change that we can afford.

> Hope this example will help you and others to understand how LDAP
> ptloader works.
> 
> Cheers,
> Milen
> 
> ----
> Cyrus Home Page: http://cyrusimap.web.cmu.edu/
> Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
> List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
> 
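Worked example, added to this archived thread and not code from the posters or from Cyrus itself: a small Python model of the substitution tokens listed in the quoted imapd.conf comment (%%, %u, %U, %d, %r, %D, %1-9) and of the two ldap_member_method strategies, "attribute" (read a multi-value attribute such as bizBlueboardMemberOf from the user entry found via ldap_base/ldap_filter) and "filter" (search ldap_group_base with a filter that embeds the user DN as %D). The in-memory directory, the toy exact-match search, the uniqueMember-based ldap_group_filter (the quoted config shows cn=%U instead), and the treatment of an unqualified login as belonging to defaultdomain are all constructed assumptions for the demo, not ptloader's real implementation. The example also escapes user-derived token values per RFC 4515 before they are placed in a filter, which is the check any code that expands a login name into an LDAP search filter should perform.

```python
"""Model of ptloader-style LDAP token expansion and group resolution.
Added example: the directory, search model and group filter are constructed
assumptions for this demo, not the real ptloader code."""
import re

# Constructed in-memory directory following the ou=<domain>,o=ControlPanel layout
DIRECTORY = {
    "uid=pietro,ou=People,ou=domain1.tld,o=ControlPanel": {
        "uid": ["pietro"], "bizBlueboardMemberOf": ["admins", "staff"]},
    "uid=anna,ou=People,ou=domain1.tld,o=ControlPanel": {
        "uid": ["anna"], "bizBlueboardMemberOf": ["staff"]},
    "cn=admins,ou=Group,ou=domain1.tld,o=ControlPanel": {
        "cn": ["admins"],
        "uniqueMember": ["uid=pietro,ou=People,ou=domain1.tld,o=ControlPanel"]},
    "cn=staff,ou=Group,ou=domain1.tld,o=ControlPanel": {
        "cn": ["staff"],
        "uniqueMember": ["uid=pietro,ou=People,ou=domain1.tld,o=ControlPanel",
                         "uid=anna,ou=People,ou=domain1.tld,o=ControlPanel"]},
}

# Assumed config: ldap_group_filter uses the filter-method form (uniqueMember=%D)
# rather than the cn=%U shown in the quoted message.
CONFIG = {
    "defaultdomain": "systemdomain.tld",
    "ldap_base": "ou=People,ou=%d,o=ControlPanel",
    "ldap_filter": "uid=%U",
    "ldap_group_base": "ou=Group,ou=%d,o=ControlPanel",
    "ldap_group_filter": "(uniqueMember=%D)",
    "ldap_member_attribute": "bizBlueboardMemberOf",
}


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand_tokens(template, user, realm="", default_domain="", user_dn="", escape=False):
    """Expand %%, %u, %U, %d, %r, %D and %1-%9 as the quoted config comment defines them.
    An unqualified login is treated as belonging to default_domain (assumption)."""
    if "@" in user:
        local, domain = user.split("@", 1)
    else:
        local, domain = user, (default_domain or realm)
    parts = domain.split(".")  # %1 = tld, %2 = next label from the right, ...
    tokens = {"%": "%", "u": user, "U": local, "d": domain or realm, "r": realm, "D": user_dn}

    def repl(m):
        key = m.group(1)
        if key.isdigit():
            idx = int(key)
            val = parts[-idx] if 0 < idx <= len(parts) else ""
        else:
            val = tokens[key]
        return escape_filter_value(val) if escape and key != "%" else val

    return re.sub(r"%([%uUdrD1-9])", repl, template)


def search(base, filt):
    """Toy subtree search: a single exact-match '(attr=value)' term, parentheses optional."""
    m = re.fullmatch(r"\(?([A-Za-z]+)=(.*?)\)?", filt)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    attr = m.group(1)
    # Undo RFC 4515 escaping so the comparison is against the literal value
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or dn.endswith("," + base)) and value in entry.get(attr, [])]


def lookup_user_dn(user, cfg=CONFIG):
    """Find the user's DN via ldap_base/ldap_filter; refuse on zero or ambiguous hits."""
    base = expand_tokens(cfg["ldap_base"], user, default_domain=cfg["defaultdomain"])
    filt = expand_tokens(cfg["ldap_filter"], user, default_domain=cfg["defaultdomain"], escape=True)
    hits = search(base, filt)
    return hits[0] if len(hits) == 1 else None


def groups_for(user, method, cfg=CONFIG):
    """Resolve group names with ldap_member_method 'attribute' or 'filter'."""
    dn = lookup_user_dn(user, cfg)
    if dn is None:
        return []
    if method == "attribute":
        return sorted(DIRECTORY[dn].get(cfg["ldap_member_attribute"], []))
    if method == "filter":
        base = expand_tokens(cfg["ldap_group_base"], user, default_domain=cfg["defaultdomain"])
        filt = expand_tokens(cfg["ldap_group_filter"], user,
                             default_domain=cfg["defaultdomain"], user_dn=dn, escape=True)
        return sorted(DIRECTORY[g]["cn"][0] for g in search(base, filt))
    raise ValueError("unknown ldap_member_method: %s" % method)


if __name__ == "__main__":
    for u in ("pietro@domain1.tld", "anna@domain1.tld", "nobody@domain1.tld"):
        print(u, "attribute:", groups_for(u, "attribute"), "filter:", groups_for(u, "filter"))
    # A login containing filter metacharacters is neutralised before it reaches the search
    print(expand_tokens("uid=%U", "pietro)(uid=*@domain1.tld", escape=True))
```

Run stand-alone, it prints the same group list for pietro under both methods, an empty list for an unknown user, and the escaped filter for a login name containing parentheses and a wildcard. The two-step design mirrors the two base/filter pairs in the quoted config: the first pair locates the user entry, the second is only consulted under the filter method, where %D carries the DN found in step one.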

