I have a number of ptclient & ldap bug fixes and improvements to make:
1) In 2.3.12p2, if ldap_sasl is enabled, user DNs are obtained through SASL authN/Z proxying. This assumes that the LDAP server supports authN/Z proxying and that ptclient/ldap has authorization to proxy for all users. I've moved this option under a new configuration option, ldap_proxy_authz, since the authZ proxying is more or less orthogonal to using SASL for LDAP authN.
2) Groups have two LDAP configurations, one for populating the groups a user belongs to and a second for validating a (new) group name. In 2.3.12p2, those two configurations suffer from non-parallel construction. In particular, ldap_member_method allows both "attribute" and "filter", while the ldap_group_* configuration has no "_method" configuration, implicitly assuming "filter" instead. I've added a ldap_group_method configuration, with three options, "filter", "attribute" and "none". "none" allows any string that can be canonicalized to be used. "filter" works just like ldap_group_* was working -- exactly one DN may be returned. "attribute" looks for at least one DN to be returned. A correct "attribute" configuration searches for the attribute used in ldap_member_attribute. The assumption is that if anyone has the group attribute, it is a valid group name.
3) I changed the default ldap_size_limit to 2. I also inserted some additional checks in the code to specifically look for cases where size limit is exceeded. These may or may not be errors, depending on what you're looking for.
4) I fixed two small bugs in ptloader.c, one where unused memory is syslog'd and another where the error message returned from the ptloader module isn't null-terminated when being passed to auth_pts.c.
Please find the patch attached. Comments? :wes
cyrus-imapd-ldap.diff
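As an added illustration (not code from the patch or from Cyrus ptclient), the three ldap_group_method policies described in point 2, together with the ldap_size_limit check from point 3, run against a constructed in-memory directory; the directory contents, the canonicalize() rule and the search helper are assumptions made for the example, only the option semantics follow the post.

```python
# Added example, not Cyrus code: model the ldap_group_method semantics
# ("filter" = exactly one DN, "attribute" = at least one DN, "none" = any
# canonicalizable string) and how a small ldap_size_limit interacts with them.

class SizeLimitExceeded(Exception):
    """Raised when a search would return more entries than ldap_size_limit."""

# Constructed sample directory: group name -> DNs the search would return.
SEARCH_RESULTS = {
    "admins": ["cn=admins,ou=groups,dc=example,dc=org"],
    "staff": ["uid=alice,ou=people,dc=example,dc=org",
              "uid=bob,ou=people,dc=example,dc=org"],
    "everyone": ["uid=alice,ou=people,dc=example,dc=org",
                 "uid=bob,ou=people,dc=example,dc=org",
                 "uid=carol,ou=people,dc=example,dc=org"],
}

def ldap_search(name, size_limit):
    """Mimic a server-side size limit: raise instead of returning > size_limit."""
    hits = SEARCH_RESULTS.get(name, [])
    if len(hits) > size_limit:
        raise SizeLimitExceeded(name)
    return list(hits)

def canonicalize(name):
    """Assumed canonical form: trimmed, lower-cased, non-empty."""
    name = name.strip().lower()
    return name or None

def validate_group(name, method, size_limit=2):
    """Return the canonical group name if it is valid under `method`, else None."""
    canon = canonicalize(name)
    if canon is None:
        return None
    if method == "none":          # any canonicalizable string is accepted
        return canon
    if method == "filter":        # exactly one DN must come back
        try:
            hits = ldap_search(canon, size_limit)
        except SizeLimitExceeded:
            return None           # more than one match: ambiguous, reject
        return canon if len(hits) == 1 else None
    if method == "attribute":     # at least one DN carries the attribute
        try:
            hits = ldap_search(canon, size_limit)
        except SizeLimitExceeded:
            return canon          # hitting the limit still proves >= 1 hit
        return canon if hits else None
    raise ValueError("unknown ldap_group_method: %r" % method)
```

With ldap_size_limit left at 2, the "filter" method can still tell "one result" from "more than one" without pulling every matching entry, which is the reason the default was lowered.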