[Kolab-devel] Cyrus IMAP groups patch
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Fri Aug 27 16:56:43 CEST 2010
Mathieu Parent wrote:
> On Thu, Aug 26, 2010 at 5:22 PM, Gunnar Wrobel <wrobel at kolabsys.com> wrote:
> > Back to the native ports: My impression would be that it is okay to
> > follow Jeroen's suggestion. At least as long as the groups always have
> > an ID in mail format. Which they do at the moment. So chances to mix
> > this up with system accounts are low. Do people agree? Thomas,
> > Mathieu, do you think this is okay?
>
> This is okay for the most common cases but you will need to append
> "@example.org". How will cross-domain ACL work then? Also some
> implementations have uid!=mail, the GOsa one comes to mind.
And 99.999% of all organisations using LDAP for that matter. It's actually
"most, if not all, LDAP implementations have uid != mail".
> Another
> solution is to change libnss-ldap.conf with attributes mapping to have
> uid=mail. The UNIX tools would work but this is a little surprising to
> do:
>
> chown mathieu@example.org:mygroup@example.com /tmp/file
>
Actually the mathieu@example.org username user here is not impacted.
mygroup@example.com is a fully qualified group name, you could just use
mygroup if you set up the group cn properly. Of course one or the other has a
trade-off, especially if the same root object is used for all domains in a
single ldap environment, and environment (or "global") configuration is only
available within such root object... Anyways, moving too far away, OT for OP.
> While searching some info I got "ptloader". This is the authorization
> module for cyrus (SASL is the authentication one).
>
Yet another mechanism ;-) So, do we agree the patch in OP can go in the near
to foreseeable future?
--
Jeroen van Meeuwen
Senior Engineer, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
t: +316 42 801 403
w: http://www.kolabsys.com
pgp: 9342 BF08