[Kolab-devel] Cyrus IMAP groups patch
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Fri Aug 20 15:45:07 CEST 2010
Gunnar Wrobel wrote:
> Quoting Thomas Arendsen Hein <thomas at intevation.de>:
> > In short: We don't need the groups patch upstream,
>
> I don't think Jeroen wanted to get the groups patch upstream. He also
> wants to avoid it and I think he suggested to do so via PAM.
>
Indeed I do not want to upstream this patch, and in fact I want to drop it
from Kolab as well.
> > we probably want SASL to know about the group of names in LDAP.
>
> ... and in turn Cyrus IMAPD to use SASL for group lists. It is
> mentioned in the issue you linked so I think you know that but I just
> wanted to highlight that the resulting patch is a two-step approach
> and probably would not be too easy.
>
> @Jeroen: If I understood you correctly you were suggesting that we
> could feed Cyrus IMAPD with alternate group information via PAM. Did I
> indeed understand you correctly? What could such an approach look like?
> I'm no PAM expert and it would cost me some research to see if that
> should be possible or not.
>
SASL is an authentication layer, not a general user/group information or
authorization layer (although it can be used to limit whether a user
successfully authenticates by enforcing membership of a certain group). Long
story short, SASL cannot (or actually, should not) be used for general group
information, and creating a plugin that uses SASL's LDAP capabilities is just
too inefficient (both in development as well as in actual implementation).
There is a simple alternative, which in my opinion is also very acceptable:
obtaining group information from LDAP does not include the entire system
authenticating to LDAP. It merely requires that NSS is aware of where groups
reside:
[root at test90-1 ~]# getent group sales
[root at test90-1 ~]# vim /etc/nsswitch.conf
(...
make sure the groups: line includes ldap
...)
[root at test90-1 ~]# getent group sales
sales:*:507:vanmeeuwen
[root at test90-1 ~]#
I'm not sure how this, having been configured system-wide (admittedly) can be
mutually exclusive with anything else that may be going on on said system?
--
Jeroen van Meeuwen
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +316 42 801 403
w: http://www.kolabsys.com
pgp: 9342 BF08
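The nsswitch.conf step and the getent check from the message above, as an added example that is not part of the original mail or of Kolab's own code. It works on a constructed copy of nsswitch.conf in a temporary directory rather than the real /etc/nsswitch.conf, so it can be run anywhere; the sample file contents, the "sales" group line and the group name are made up for the example. It only shows that glibc is told to consult the LDAP NSS module for the group database; that module still needs its own client configuration (server URI, base DN) before a lookup such as getent group sales can return anything.

```shell
#!/bin/sh
# Added example (not from the original mail): make sure the "group:" line of an
# nsswitch.conf lists ldap, then interpret a getent(1)-style group record.

# Print the source list configured for one NSS database (e.g. "files ldap").
nss_sources() {          # $1 = nsswitch.conf path, $2 = database name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1
}

# Copy $1 to $2, appending source $4 to the "$3:" line unless already present.
# If the database has no line at all, one is added with "files" first, which is
# a reasonable default but an assumption of this example, not a glibc rule.
nss_ensure_source() {    # $1 = in, $2 = out, $3 = database, $4 = source
    if nss_sources "$1" "$3" | tr ' \t' '\n\n' | grep -qx "$4"; then
        cp "$1" "$2"
    elif [ -z "$(nss_sources "$1" "$3")" ]; then
        cp "$1" "$2"
        printf '%s: files %s\n' "$3" "$4" >> "$2"
    else
        sed "s/^\([[:space:]]*$3:.*\)\$/\1 $4/" "$1" > "$2"
    fi
}

# A getent group line has the form name:password:gid:member1,member2,...
# Print the comma-separated member list of one such line.
group_members() {        # $1 = a line such as "sales:*:507:vanmeeuwen"
    printf '%s\n' "$1" | cut -d: -f4
}

# Exit 0 if user $2 is listed as a member in group line $1 (what an application
# doing group-based authorization over NSS effectively checks).
group_has_member() {     # $1 = getent group line, $2 = user name
    group_members "$1" | tr ',' '\n' | grep -qx "$2"
}

# Run the whole procedure against a constructed nsswitch.conf and print the
# resulting "group:" sources (expected: "files ldap").
demo() {
    tmp=$(mktemp -d)
    # Constructed sample; the group database does not consult ldap yet.
    cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:     files ldap
shadow:     files
group:      files
hosts:      files dns
EOF
    nss_ensure_source "$tmp/nsswitch.conf" "$tmp/nsswitch.conf.new" group ldap
    nss_sources "$tmp/nsswitch.conf.new" group
    rm -rf "$tmp"
}

demo
```

Before the change, `getent group sales` returns nothing because the "group:" line only names "files"; after it, the same lookup reaches the LDAP NSS module, and a returned record such as `sales:*:507:vanmeeuwen` carries the group name, a password placeholder, the GID and the member list that an application can check with `group_has_member`.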