Jos De Graeve wrote:

JDG> I use saslauthd to auth against ldap (bind auth) and I am trying
JDG> to use ptloader to fetch group information from LDAP so that group
JDG> based ACL's can be used for shared folders.

We have several similar systems in production.

JDG> If I look with ptdump each user is listed with the correct number
JDG> of groups he is member of, but the group name is wrong. Instead
JDG> of the group name (cn attribute) it shows some random attribute
JDG> such as another group member (a value of the memberUid attribute),
JDG> or "top" ( a value of the objectclass attribute ). Sometimes, the
JDG> group name is correct.

JDG> I am running cyrus 2.2.13, on debian lenny amd64

> auth_mech: pts
> unix_group_enable: no
> ptloader_sock: /var/run/cyrus/socket/ptsock
> ldap_base: ou=people,dc=example,dc=org
> ldap_filter: (uid=%U)
> ldap_version: 3
> ldap_sasl: 0
> ldap_size_limit: 100
> ldap_group_base: ou=groups,dc=example,dc=org
> ldap_group_scope: sub
> ldap_group_filter: cn=%u
> ldap_member_scope: sub
> ldap_member_base: ou=groups,dc=example,dc=org
> # ldap_member_method: attribute
> # ldap_member_attribute: memberUid
> ldap_member_method: filter
> ldap_member_filter: memberUid=%U
> ldap_uri: ldap://netinfo.example.org/
> pts_module: ldap

JDG> My groups are "posixGroup" with the uid's of the members listed
JDG> in the memberUid attribute, the group name is listed in the cn
JDG> attribute:

If you add

  ldap_member_attribute: cn

to your config, it should work.
Certainly something very similar works on our Lenny/amd64 2.3.14++ builds:

  auth_mech: pts
  pts_module: ldap
  ptscache_timeout: 60
  ptloader_sock: /srv/imap/var/run/cyrus/socket/ptsock
  ldap_uri: ldapi:///var/run/ldapi \
            ldaps://ldap3.this-site.client.com \
            ldaps://ldap2.this-site.client.com \
            ldaps://ldap4.this-site.client.com \
            ldaps://ldap1.this-site.client.com
  ldap_tls_cacert_file: /etc/ssl/certs/client-ca.pem
  ldap_tls_check_peer: yes
  ldap_base: dc=client,dc=com
  ldap_group_base: dc=client,dc=com
  ldap_member_base: dc=client,dc=com
  ldap_sasl: no
  ldap_bind_dn: cn=this-cyrus,ou=agents,dc=client,dc=com
  ldap_password: verylongrandomstring
  ldap_filter: (|(&(objectclass=gosaMailAccount)(gosaMailServer=imap.client.com)(uid=%u))(&(objectclass=simpleSecurityObject)(cn=%u)(|(cn=cyrus)(cn=spamteach))))
  ldap_group_filter: (&(objectclass=posixGroup)(cn=%u))
  ldap_member_method: filter
  ldap_member_filter: (&(objectclass=posixGroup)(memberUid=%u))
  ldap_member_attribute: cn
  # size limit determines the max number of groups a user may be
  # in before authentication fails
  ldap_size_limit: 1024
  ldap_external_ids: mupdate.client.com fe1.client.com \
                     fe2.client.com feN.client.com \
                     be1.client.com be2.client.com \
                     beN.client.com

JDG> The man pages are somewhat sparse on details on how the
JDG> parameters are interpreted and how they will get the ldap
JDG> information interpreted. I tried several variations on
JDG> the configuration file without any success.

Yes. It would be nice when someone has time to make the configuration
of pts_ldap more similar to other things likely to be using the same
data (eg pam/nss/samba as well as saslauthd).

Cheers

Duncan

--
Duncan Gibb - Technical Director
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk/ || t: +44 870 608 0063
Debian Cyrus Team - https://alioth.debian.org/projects/pkg-cyrus-imapd/

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
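
An added example, not part of the original thread and not Cyrus code: a small check for the condition the reply addresses, `ldap_member_method: filter` with no active `ldap_member_attribute` line, so that group-based ACLs are not evaluated against wrong group names. The function names are hypothetical and the sample configs are constructed from the settings quoted above.

```python
# Added example: lint ptloader LDAP group settings in imapd.conf-style text.
# Sample configs are constructed from the two configs quoted in the thread.

def parse_conf(text):
    """Return {key: value}. '#' lines are comments; a trailing backslash
    continues a value on the next line (as in the ldap_uri example)."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        key, sep, value = (pending + line).partition(":")
        pending = ""
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def check_group_lookup(settings):
    """Findings for the filter-based membership lookup discussed above."""
    findings = []
    if settings.get("pts_module") != "ldap":
        return findings
    if settings.get("ldap_member_method") == "filter":
        if not settings.get("ldap_member_filter"):
            findings.append("ldap_member_method is 'filter' but "
                            "ldap_member_filter is unset")
        if not settings.get("ldap_member_attribute"):
            findings.append("ldap_member_attribute is unset; the reply suggests "
                            "'ldap_member_attribute: cn' so names come from cn")
    return findings

ORIGINAL = """\
pts_module: ldap
ldap_uri: ldap://netinfo.example.org/
# ldap_member_method: attribute
# ldap_member_attribute: memberUid
ldap_member_method: filter
ldap_member_filter: memberUid=%U
"""
FIXED = ORIGINAL + "ldap_member_attribute: cn\n"
MULTI_URI = "ldap_uri: ldapi:///var/run/ldapi \\\n  ldaps://ldap3.this-site.client.com\n"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, check_group_lookup(parse_conf(conf)) or "ok")
```

The commented-out `# ldap_member_attribute: memberUid` line in the original config is ignored by the parser, so that config is reported as having no member attribute set.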