On Thu, 12 Jan 2006, Sven Mueller wrote:
> >>-{ "virtdomains", "off", ENUM("off", "userid", "on") }
> >>+{ "virtdomains", "off", ENUM("off", "userid", "ldap", "on") }
> >
> > THAT I didn't like at all. If it is an authz module, it should have been
> > plugged to the ptloader. Looks more like a hack to the vir. domain system.
>
> From what I saw in the patch, it uses the LDAP userid (uid field) to
> look up the primary email address of the user. It then returns that
> email address canonified for authentication (i.e. the user logs in with
> his uid, but mail is stored and passwords looked up in SASL according to
> his primary email address).
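Review bot: the quoted fragment only adds the new "ldap" value to the ENUM of the virtdomains option; nothing visible here shows where that value is consumed or how it is documented, so the code that acts on virtdomains == "ldap" and the option's description text belong in the same change (or at least in the patch description) so a reviewer can judge the new mode together with the option that enables it.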
That ain't how it works with Cyrus. The user logs in with his *mailbox*,
which is [EMAIL PROTECTED]. To change that, you add a canonization plugin
that gets whatever was sent to Cyrus as the mailbox, and changes it to the
real user and domain. But AFAIK, canonization is *global*. Which means you
DELIVER through LMTP to the pre-canonized account, do IMAP logins and POP3
logins to the pre-canonized account... Depending on how early SASL is
called, SASL may have to deal with the pre-canonized account as well, I
didn't check.

> Besides thinking that the patch is somewhat incomplete (it doesn't
> handle alternate addresses at all AFAICT), I don't see how it could harm
> normal cyrus operation.

I am afraid it might cause subtle bugs, but that's not the worst problem
IMHO. It is that we have no reason to believe it will be easily
forward-portable to 2.3, and 2.3 requires one to be very careful as the
entire murder code has been unified with the normal daemons, and there is
the whole replication system to take into account.

> Well, I don't really see how to map LDAP uids (which are normally also
> login names for servers/workstations) to email addresses (on which cyrus
> operates). The only alternative would be to not use vdomains in cyrus and
> use the MTA to deliver mails to any of the mail addresses of a user to
> <uid>.

IF you are logging in (imap, pop) using [EMAIL PROTECTED], or using
different listening interfaces to automatically detect vdomain, in which
case you _can_ just use userid instead:

Email, you deliver to [EMAIL PROTECTED] using LMTP. This is done by
teaching the MTA to ask LDAP about the accounts, and where to deliver mail
for an account; that's how everyone doing email delivery of any sort using
LDAP has been doing things for years.

Cyrus logins are [EMAIL PROTECTED], mapped to SASL as userid=userid,
REALM=vdomain, and used internally by Cyrus as user userid, in domain
vdomain.
*SASL* has to map that back to an LDAP dn to check the credentials,
usually doing some string substitution to get a dn. If you need to do it
using LDAP *searches*, you have to improve the SASL LDAP auxprop module --
actually, I think the latest one can do it already, it has been a LONG
time since I mucked with cyrus+ldap.

After the authentication (SASL), Cyrus needs to ask stuff on LDAP only to
expand group ACLs (during authorization). That is supposed to be done
through a ptloader LDAP plugin, and definitely not a new vdomain scheme.

Heck, tweaking cyrus so that it can canonize each type of service login
differently, and to use dynamically selected canonization schemes would
have been a nice and clean way to do what kolab seems to need done (if I
understood things correctly).

I hope this makes a bit more clear my misgivings about including the
patch.

-- 
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond where
the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh