1) I suggest that you keep ldap_sasl for backward configuration
compatibility. ldap_sasl name is used for sasl vs non sasl binds.
Note that 'ldap_id' needs to have authorization to proxy.
2) I suppose you can have ldap_group_method: attribute, but this is not
how ldap data is typically used for groups. Also, I suggest that
ldap_group_attribute be used instead of ldap_member_attribute. As you
correctly described ldap_group and ldap_member do two different things
and your implementation would be a bit confusing. You can possibly
default ldap_group_attribute to the value of ldap_member_attribute.
I personally do not like ldap_group_method: none, maybe Kan can chime
in. This option basically allows for an arbitrary group identifier
(potentially a non-existing one) to be assigned to a mailbox.
3) This seems unnecessary, but can you explain a little more?
-Igor
Wesley Craig wrote:
I have a number of ptclient & ldap bug fixes and improvements to make:
1) In 2.3.12p2, if ldap_sasl is enabled, user DNs are obtained
through SASL authN/Z proxying. This assumes that the LDAP server
supports authN/Z proxying and that ptclient/ldap has authorization to
proxy for all users. I've moved this option under a new configuration
option, ldap_proxy_authz, since the authZ proxying is more or less
orthogonal to using SASL for LDAP authN.
2) Groups have two LDAP configurations, one for populating the
groups a user belongs to and a second for validating a (new) group
name. In 2.3.12p2, those two configurations suffer from non-parallel
construction. In particular, ldap_member_method allows both
"attribute" and "filter", while the ldap_group_* configuration has no
"_method" configuration, implicitly assuming "filter" instead. I've
added a ldap_group_method configuration, with three options, "filter",
"attribute" and "none". "none" allows any string that can be
canonicalized to be used. "filter" works just like ldap_group_* was
working -- exactly one DN may be returned. "attribute" looks for at
least one DN to be returned. A correct "attribute" configuration
searches for the attribute used in ldap_member_attribute. The
assumption is that if anyone has the group attribute, it is a valid
group name.
3) I changed the default ldap_size_limit to 2. I also inserted
some additional checks in the code to specifically look for cases
where size limit is exceeded. These may or may not be errors,
depending on what you're looking for.
4) I fixed two small bugs in ptloader.c, one where unused memory
is syslog'd and another where the error message returned from the
ptloader module isn't null terminated when being passed to auth_pts.c.
Please find the patch attached. Comments?
:wes
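As an added illustration (not Cyrus ptclient/ldap code and not from either poster), the following models the three ldap_group_method values Wesley describes and why an ldap_size_limit hit (default 2 in his patch) is an error for "filter" but not for "attribute"; the in-memory directory, the canonicalization rule and the function names are assumptions.

```python
# Added example, not Cyrus code: a model of ldap_group_method semantics.
# Constructed stand-in for an LDAP search: group name -> DNs the search returns.
SAMPLE_DIRECTORY = {
    "staff": ["cn=alice,ou=people,dc=example,dc=org",
              "cn=bob,ou=people,dc=example,dc=org",
              "cn=carol,ou=people,dc=example,dc=org"],
    "admins": ["cn=alice,ou=people,dc=example,dc=org"],
    "ambiguous": ["cn=g1,ou=groups,dc=example,dc=org",
                  "cn=g2,ou=groups,dc=example,dc=org"],
}

def canonicalize(name):
    """Assumed canonical form: trimmed and lower-cased; None if empty."""
    canon = name.strip().lower()
    return canon or None

def ldap_search(directory, group, size_limit):
    """Return at most size_limit DNs plus whether the result was cut short."""
    hits = directory.get(group, [])
    return hits[:size_limit], len(hits) > size_limit

def validate_group(method, name, directory=SAMPLE_DIRECTORY, size_limit=2):
    """Return (accepted, reason) for a proposed group name under `method`."""
    canon = canonicalize(name)
    if canon is None:
        return False, "name does not canonicalize"
    if method == "none":
        # No directory lookup at all: a group that does not exist in LDAP
        # is accepted, which is the behaviour Igor objects to above.
        return True, "accepted without lookup"
    dns, truncated = ldap_search(directory, canon, size_limit)
    if method == "filter":
        # Exactly one DN required; a truncated result already means >1.
        if truncated or len(dns) != 1:
            detail = " (size limit exceeded)" if truncated else ""
            return False, f"expected exactly one DN, got {len(dns)}{detail}"
        return True, dns[0]
    if method == "attribute":
        # At least one DN required; hitting the size limit is harmless here.
        if dns:
            return True, f"{len(dns)} DN(s) carry the group attribute"
        return False, "no entry carries the group attribute"
    raise ValueError(f"unknown ldap_group_method {method!r}")
```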