On Fri, Jun 02, 2006 at 03:42:14PM +0200, Simon Matter wrote:
> > On Fri, Jun 02, 2006 at 10:31:46AM +0200, Brasseur Valéry wrote:
> >> I have seen in the code that when you want to use groups in ACL for cyrus,
> >> the group is a UNIX one ... (calling setgrent, getpwnam ... )
> >> Is there a way to use LDAP groups instead ...
> >
> > If you use nss_ldap, then cyrus will be using ldap groups without even knowing
> > about it.
> >
> > But you may have performance problems if cyrus uses group enumeration, that's
> > expensive in ldap.
>
> Usually you could use nscd to cache but nss_ldap group lookups don't work,
> and they really are slow with large groups. Therefore, I have implemented
> (I mean hacked) a groupcache feature for cyrus-imapd which is included in
> my rpms. Let me know if you are interested and don't want to extract them
> from the source rpm.

A better approach would be to get rid of group enumeration function calls
and use a better way to discover to which group a user belongs. There are
functions in glibc that do this nicely, and nss_ldap translates them into
quick ldap queries.

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
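The two lookup styles contrasted in the reply above, side by side for an ACL membership check. This is an added example, not part of the original message and not Cyrus code: the message does not name the glibc functions, so `getgrouplist(3)` is assumed here as one of them, and the function names, user name and gids are hypothetical.

```c
#define _DEFAULT_SOURCE 1 /* exposes getgrouplist() in glibc's <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Enumeration: walk the whole group database and scan member lists.
 * Through an LDAP-backed NSS module this fetches every group and its members. */
int in_group_by_enumeration(const char *user, gid_t primary, gid_t want)
{
    struct group *gr;
    int found = (primary == want);
    setgrent();
    while (!found && (gr = getgrent()) != NULL) {
        if (gr->gr_gid != want) continue;
        for (char **m = gr->gr_mem; *m != NULL && !found; m++)
            found = (strcmp(*m, user) == 0);
    }
    endgrent();
    return found;
}

/* Direct lookup: ask NSS only for this one user's groups.
 * Returns 1 (member), 0 (not a member) or -1 (error: treat as deny). */
int in_group_by_getgrouplist(const char *user, gid_t primary, gid_t want)
{
    int n = 16, found = 0;
    gid_t *gids = malloc((size_t)n * sizeof(*gids));
    if (gids == NULL) return -1;
    if (getgrouplist(user, primary, gids, &n) == -1) {
        /* Buffer too small: n now holds the number of groups needed. */
        gid_t *bigger = realloc(gids, (size_t)n * sizeof(*gids));
        if (bigger == NULL) { free(gids); return -1; }
        gids = bigger;
        if (getgrouplist(user, primary, gids, &n) == -1) { free(gids); return -1; }
    }
    for (int i = 0; i < n && !found; i++)
        found = (gids[i] == want);
    free(gids);
    return found;
}

int main(void)
{
    /* Constructed sample identity; it need not exist on the system. */
    const char *user = "example_user";
    printf("%d %d\n", in_group_by_enumeration(user, 54321, 54321),
           in_group_by_getgrouplist(user, 54321, 54321));
    return 0;
}
```

The direct version reports lookup failure as -1 so that a caller making an access decision can deny on error instead of treating "could not ask" as "not a member" or, worse, as a match.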