
ptloader support for groups, not roles
Closed, Resolved · Public · 5 Story Points

Description

Canonification doesn't work through non-role groups (or, non-memberOf group membership).

The existing code path does not allow for both group membership as well as canonification to exist in parallel / sequentially.

ldap_group_base: dc=example,dc=org
ldap_group_filter: (&(cn=%U)(objectclass=groupofnames)(|(objectclass=groupofuniquenames)(objectclass=groupofurls)))
ldap_group_scope: sub
ldap_member_base: dc=example,dc=org
ldap_member_method: filter
ldap_member_filter: (uniqueMember=%D)
ldap_member_attribute: cn

Details

Ticket Type
Task

Event Timeline

petersen assigned this task to vanmeeuwen.
petersen raised the priority of this task from 20 to High.
petersen added a project: Sprint 201622.
vanmeeuwen renamed this task from "Change to how ptloader do user canonification" to "ptloader support for groups, not roles". · Jun 1 2016, 6:34 PM
vanmeeuwen lowered the priority of this task from High to 40.
vanmeeuwen updated the task description.
vanmeeuwen removed a project: Architecture & Design.
vanmeeuwen removed a subscriber: vincent.
vanmeeuwen updated the task description. · Jun 1 2016, 6:37 PM
vanmeeuwen set the point value for this task to 5. · Jun 2 2016, 10:44 AM
vanmeeuwen moved this task from Backlog to Doing on the Sprint 201622 board.

The current patch allows authentication with uid (realmed, unrealmed), mail or alias, and results in the following membership determinations.

Below are the results from /usr/lib/cyrus-imapd/ptdump, with the following syntax:

user: AUTHN_ID (originally supplied login username) -> AUTHZ_ID (result of user canonification)

user: cyrus-admin -> cyrus-admin
    time: 1464857045
    groups: 0
user: geek -> john.geek@example.org
    time: 1464856896
    groups: 1
    group:testers@example.org
user: geek@example.org -> john.geek@example.org
    time: 1464856927
    groups: 1
    group:testers@example.org
user: j.geek@example.org -> john.geek@example.org
    time: 1464857044
    groups: 1
    group:testers@example.org
user: john.geek@example.org -> john.geek@example.org
    time: 1464856943
    groups: 1
    group:testers@example.org

The changes to the Cyrus IMAP configuration look as follows (current defaults commented out):

auth_mech: pts
pts_module: ldap
ldap_servers: ldap://localhost:389
ldap_sasl: 0
ldap_base: dc=example,dc=org
ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=example,dc=org
ldap_password: 1PLXa1m66wETqVO
#ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(alias=%u)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_user_attribute: mail
ldap_group_base: dc=example,dc=org
#ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_filter: (&(mail=%u)(objectclass=kolabgroupofuniquenames))
#ldap_group_scope: one
ldap_group_scope: sub
#ldap_member_base: ou=People,dc=example,dc=org
ldap_member_base: dc=example,dc=org
#ldap_member_method: attribute
ldap_member_method: filter
#ldap_member_attribute: nsrole
ldap_member_filter: (uniqueMember=%D)
ldap_member_attribute: mail
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10
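To make the two-step lookup behind the ptdump records above concrete, here is a small model of it in Python. This is an added example, not Cyrus IMAP or Kolab code: it expands the ptloader placeholders (%u, %U, %d, %r, %D) into the ldap_filter and ldap_member_filter from the configuration above, evaluates them against a constructed in-memory directory, takes ldap_user_attribute as AUTHZ_ID and ldap_member_attribute as the group name. The directory entries, the realm value (example.org), the refusal of an ambiguous match, and the fallback to the login name when the entry has no mail attribute (the cyrus-admin case) are assumptions of this model, not documented ptloader behaviour.

```python
"""Model of ptloader's canonification + group lookup (added example, not Cyrus code).

Step 1: expand ldap_filter for the login name (AUTHN_ID); exactly one entry must
match; its ldap_user_attribute value becomes AUTHZ_ID.
Step 2: expand ldap_member_filter with %D bound to that entry's DN; each matching
entry's ldap_member_attribute value is a group the user belongs to.
"""

# Constructed directory standing in for the LDAP server (attribute names lowercase).
DIRECTORY = {
    "uid=cyrus-admin,ou=Special Users,dc=example,dc=org": {
        "objectclass": ["inetorgperson"],
        "uid": ["cyrus-admin"],
    },
    "uid=geek,ou=People,dc=example,dc=org": {
        "objectclass": ["inetorgperson", "kolabinetorgperson"],
        "uid": ["geek"],
        "mail": ["john.geek@example.org"],
        "alias": ["j.geek@example.org"],
    },
    "cn=testers,ou=Groups,dc=example,dc=org": {
        "objectclass": ["groupofuniquenames", "kolabgroupofuniquenames"],
        "cn": ["testers"],
        "mail": ["testers@example.org"],
        "uniquemember": ["uid=geek,ou=People,dc=example,dc=org"],
    },
}

# The filter settings from the ticket's imapd.conf; the realm is an assumption.
CONFIG = {
    "ldap_filter": "(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))"
                   "(&(|(uid=%U)(alias=%u)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))",
    "ldap_user_attribute": "mail",
    "ldap_member_filter": "(uniqueMember=%D)",
    "ldap_member_attribute": "mail",
    "realm": "example.org",
}


def substitute(template, login, realm, dn=""):
    """Expand ptloader placeholders: %u whole login, %U part before '@',
    %d part after '@' (empty for an unrealmed login), %r realm, %D user DN."""
    local, _, domain = login.partition("@")
    for key, value in (("%U", local), ("%u", login), ("%d", domain), ("%r", realm), ("%D", dn)):
        template = template.replace(key, value)
    return template


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")  # DN values keep their own '='
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnore equality)."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # "!"


def search(directory, filter_text):
    node = parse_filter(filter_text)
    return [(dn, e) for dn, e in directory.items() if matches(node, e)]


def canonify(login, directory=DIRECTORY, config=CONFIG):
    """Step 1: AUTHN_ID -> (dn, AUTHZ_ID); None if no single entry matches."""
    hits = search(directory, substitute(config["ldap_filter"], login, config["realm"]))
    if len(hits) != 1:
        return None  # no match, or a too-broad filter matched several entries: refuse
    dn, entry = hits[0]
    values = entry.get(config["ldap_user_attribute"])
    # Assumption: without the canonical attribute the login name is kept (cyrus-admin).
    return dn, (values[0] if values else login)


def groups_for(dn, directory=DIRECTORY, config=CONFIG):
    """Step 2: member lookup with %D bound to the user's DN."""
    hits = search(directory, substitute(config["ldap_member_filter"], "", config["realm"], dn=dn))
    return sorted(v for _, e in hits for v in e.get(config["ldap_member_attribute"], []))


def authstate(login):
    """One ptdump-style record: {'authz': AUTHZ_ID, 'groups': [...]}, or None if refused."""
    result = canonify(login)
    if result is None:
        return None
    dn, authz = result
    return {"authz": authz, "groups": groups_for(dn)}


if __name__ == "__main__":
    for name in ("cyrus-admin", "geek", "geek@example.org", "j.geek@example.org", "nobody"):
        state = authstate(name)
        if state is None:
            print("user: %s -> (refused)" % name)
            continue
        print("user: %s -> %s" % (name, state["authz"]))
        for group in state["groups"]:
            print("    group:%s" % group)
```

Running the block reproduces the mapping in the ptdump listing: the four spellings of the login resolve to the same AUTHZ_ID and the same group, while cyrus-admin stays itself with no groups. The `len(hits) != 1` check is the point worth keeping in mind when editing ldap_filter: every alternative added to the disjunction (alias=%u here) widens the set of entries a login can resolve to, and two entries matching the same login must be treated as a failure rather than picking the first result.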

vanmeeuwen moved this task from Doing to Review on the Sprint 201622 board. · Jun 2 2016, 11:33 AM
petersen moved this task from Backlog to Review on the Sprint 201623 board. · Jun 6 2016, 9:59 AM
petersen moved this task from Backlog to Review on the Sprint 201624 board. · Jun 13 2016, 9:55 AM
petersen moved this task from Backlog to Review on the Sprint 201625 board. · Jun 20 2016, 10:39 AM
petersen moved this task from Backlog to Review on the Sprint 201626 board. · Jun 27 2016, 10:43 AM
petersen moved this task from Backlog to Review on the Sprint 201627 board. · Jul 4 2016, 7:17 AM
petersen moved this task from Backlog to Review on the Sprint 201628 board. · Jul 11 2016, 9:12 AM
petersen moved this task from Backlog to Review on the Sprint 201630 board. · Jul 25 2016, 9:11 AM
petersen moved this task from Backlog to Review on the Sprint 201632 board. · Aug 8 2016, 8:07 AM
petersen moved this task from Backlog to Review on the Sprint 201633 board. · Aug 16 2016, 11:40 AM
petersen moved this task from Backlog to Review on the Sprint 201634 board. · Aug 22 2016, 8:55 AM
vanmeeuwen raised the priority of this task from 40 to Normal. · Mar 22 2019, 12:28 PM

Correcting the priority from 60/40 to Normal

vanmeeuwen closed this task as Resolved. · Mar 22 2019, 12:39 PM