Igor Brezac wrote:
>
> On Wed, 27 Jul 2005, Sava Chankov wrote:
>
>> Hi,
>> I'm using cyrus-imapd-2.2.12 with ptloader patch from Igor Brezac that
>> fixes the SASL authz bug. Groups are read from LDAP by ptloader properly,
>> but group authorization doesn't work with this configuration:
>>
>> virtdomains: yes
>> ldap_version: 3
>> ldap_sasl: 0
>> ldap_size_limit: 500
>> ldap_bind_dn: uid=proxy_user,o=ControlPanel
>> ldap_base: ou=People,ou=%d,o=ControlPanel
>> ldap_filter: uid=%U
>> ldap_group_base: ou=Group,ou=%d,o=ControlPanel
>> ldap_group_filter: cn=%U
>> ldap_member_method: filter
>> ldap_member_base: ou=Group,ou=%d,o=ControlPanel
>> ldap_member_attribute: cn
>
> This assumes ldap_member_filter: (member=%D). Correct?
Yes.

>> A little example - user [EMAIL PROTECTED] is member of groups punk and
>> ordinary_user. When the domain admin creates a shared folder named "test"
>> and assigns read right to group punk with the command
>>
>> sam test group:[EMAIL PROTECTED] read
>>
>> the result is that user [EMAIL PROTECTED] doesn't see the shared folder.
>> ptdump output is:
>>
>> user: group:[EMAIL PROTECTED] time: 1122481905 groups: 0
>> user: [EMAIL PROTECTED] time: 1122481327 groups: 2
>> ordinary_user
>> punk
>
> ptdump shows punk instead of [EMAIL PROTECTED]. Keep in mind that ptdump
> shows pts cache content. Can you show a sample ldap entry for each
> identifier?

This is the user:

dn: uid=mincho, ou=People, ou=dve.bg, o=ControlPanel
loginShell: /bin/false
uidNumber: 1001
gidNumber: 1001
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: mincho
cn: Mincho

and the group:

dn: cn=punk, ou=Group, ou=dve.bg, o=ControlPanel
gidNumber: 1004
objectClass: top
objectClass: posixGroup
member: uid=mincho,ou=People,ou=dve.bg,o=ControlPanel
memberUid: mincho
cn: punk

I also tried renaming the group to
[EMAIL PROTECTED],ou=Group,ou=dve.bg,o=ControlPanel
and it didn't work either. However, changing the group name to
cn=group:[EMAIL PROTECTED],ou=Group,ou=dve.bg,o=ControlPanel
and ldap_group_filter: cn=%u made it work.

A similar behaviour is observed when using
ldap_member_method: attribute
ldap_member_attribute: memberOf
It only works when the memberOf attribute of the user contains the value
"group:[EMAIL PROTECTED]".

--
Sava Chankov              Сава Чанков
software developer        софтуерен разработчик
http://www.blueboard.biz  блуборд

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
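As an added illustration (not code from the thread and not Cyrus's own ptloader code), the following Python models the %-token substitution that imapd.conf(5) documents for ldap_filter, ldap_group_filter and the *_base settings (%% gives '%', %u the whole identifier, %U the part before '@', %d the part after '@'), and shows which search filter each of the settings above produces for an ACL identifier like the one in the thread. It assumes the redacted identifier is group:punk@dve.bg (reconstructed from the posted entries) and that the "group:" prefix reaches the lookup unchanged, which is the reading under which the thread's result (only cn=group:punk@dve.bg with cn=%u matches) is reproduced; whether Cyrus actually strips the prefix is not asserted. The LDAP entries are constructed from the posted ones, and the RFC 4515 filter escaping and RFC 4514 DN escaping are added here as the check an operator should want when user-controlled identifiers are substituted into a filter, not something the thread discusses.

```python
"""Model of %-token substitution for ptloader's LDAP settings.

Added example, not code from the thread or from Cyrus. Assumptions:
  - token meanings as in imapd.conf(5): %% -> '%', %u -> whole identifier,
    %U -> part before '@', %d -> part after '@' ('' if absent);
  - the identifier reaches the lookup exactly as typed in the ACL, i.e.
    a "group:" prefix is NOT stripped (this reproduces the thread's result).
Entries and identifiers below are constructed from the thread.
"""
import re

TOKEN_RE = re.compile(r"%[%uUd]")


def ldap_filter_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def dn_escape(value):
    """RFC 4514 escaping for an attribute value used inside an RDN."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand(template, ident, escape=ldap_filter_escape):
    """Substitute %%, %u, %U and %d in template for the given identifier."""
    user, _, domain = ident.partition("@")
    tokens = {"%%": "%", "%u": escape(ident), "%U": escape(user),
              "%d": escape(domain)}
    return TOKEN_RE.sub(lambda m: tokens[m.group(0)], template)


def _value_regex(value):
    """Filter assertion value -> regex; an unescaped '*' is a wildcard."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches(eq_filter, entry):
    """Evaluate a plain 'attr=value' filter (the only form the thread uses)
    against an entry dict of attr -> list of values, like a directory would."""
    attr, _, value = eq_filter.partition("=")
    rx = _value_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr.lower(), []))


# Constructed from the thread: the ACL identifier (assumed; it is redacted
# on the list) and the two group entries, reduced to the attribute searched.
IDENT = "group:punk@dve.bg"
GROUP_AS_POSTED = {"cn": ["punk"]}             # cn=punk,ou=Group,ou=dve.bg,...
GROUP_RENAMED = {"cn": ["group:punk@dve.bg"]}  # the rename that made it work
GROUP_BASE = "ou=Group,ou=%d,o=ControlPanel"


def group_lookup(group_filter, ident, entry):
    """Return (base, filter, hit) for one ldap_group_filter setting."""
    base = expand(GROUP_BASE, ident, escape=dn_escape)
    flt = expand(group_filter, ident)
    return base, flt, matches(flt, entry)


if __name__ == "__main__":
    for tmpl, entry in (("cn=%U", GROUP_AS_POSTED), ("cn=%u", GROUP_RENAMED),
                        ("cn=%U", GROUP_RENAMED)):
        base, flt, hit = group_lookup(tmpl, IDENT, entry)
        print("%-6s base=%s filter=%r cn=%r -> %s"
              % (tmpl, base, flt, entry["cn"][0], "hit" if hit else "miss"))
    # Why escaping matters: an identifier containing '*' substituted raw into
    # ldap_filter: uid=%U turns the lookup into a wildcard over the base.
    raw = expand("uid=%U", "*@dve.bg", escape=lambda s: s)
    safe = expand("uid=%U", "*@dve.bg")
    print(raw, matches(raw, {"uid": ["mincho"]}))
    print(safe, matches(safe, {"uid": ["mincho"]}))
```

Run as a script it prints the three lookups (miss, hit, miss) followed by the unescaped and escaped wildcard cases; the escaping functions are what an implementation must apply before the identifier is interpolated, since %U and %u are taken straight from the login name or the ACL the admin typed.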