Page MenuHomePhorge

ptloader support for groups, not roles
Closed, ResolvedPublic5 Story Points


Canonification doesn't work through non-role groups (or, non-memberOf group membership).

The existing code path does not allow for both group membership as well as canonification to exist in parallel / sequentially.

ldap_group_base: dc=example,dc=org
ldap_group_filter: (&(cn=%U)(objectclass=groupofnames)(|(objectclass=groupofuniquenames)(objectclass=groupofurls)))
ldap_group_scope: sub
ldap_member_base: dc=example,dc=org
ldap_member_method: filter
ldap_member_filter: (uniqueMember=%D)
ldap_member_attribute: cn


Ticket Type

Event Timeline

petersen raised the priority of this task from 20 to High.
petersen created this task.
petersen added a project: Sprint 201622.
vanmeeuwen renamed this task from Change to how ptloader do user canonification to ptloader support for groups, not roles.Jun 1 2016, 6:34 PM
vanmeeuwen lowered the priority of this task from High to 40.
vanmeeuwen updated the task description. (Show Details)
vanmeeuwen removed a project: Architecture & Design.
vanmeeuwen removed a subscriber: vincent.
vanmeeuwen set the point value for this task to 5.Jun 2 2016, 10:44 AM
vanmeeuwen moved this task from Backlog to Doing on the Sprint 201622 board.

The current patch allows authentication with uid (realmed, unrealmed), mail or alias, and results in the following membership determinations.

Below are the results from /usr/lib/cyrus-imapd/ptdump, with the following syntax:

user: AUTHN_ID (originally supplied login username) -> AUTHZ_ID (result of user canonification)
user: cyrus-admin -> cyrus-admin
    time: 1464857045
    groups: 0
user: geek ->
    time: 1464856896
    groups: 1
user: ->
    time: 1464856927
    groups: 1
user: ->
    time: 1464857044
    groups: 1
user: ->
    time: 1464856943
    groups: 1

The changes to the Cyrus IMAP configuration look as follows (current defaults commented out):

auth_mech: pts
pts_module: ldap
ldap_servers: ldap://localhost:389
ldap_sasl: 0
ldap_base: dc=example,dc=org
ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=example,dc=org
ldap_password: 1PLXa1m66wETqVO
#ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(alias=%u)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_user_attribute: mail
ldap_group_base: dc=example,dc=org
#ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_filter: (&(mail=%u)(objectclass=kolabgroupofuniquenames))
#ldap_group_scope: one
ldap_group_scope: sub
#ldap_member_base: ou=People,dc=example,dc=org
ldap_member_base: dc=example,dc=org
#ldap_member_method: attribute
ldap_member_method: filter
#ldap_member_attribute: nsrole
ldap_member_filter: (uniqueMember=%D)
ldap_member_attribute: mail
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10
vanmeeuwen raised the priority of this task from 40 to Normal.Mar 22 2019, 12:28 PM

Correcting the priority from 60/40 to Normal