[tpop3d-discuss] ldap virtual auth plugin : near release

Paul Makepeace Paul.Makepeace at realprogrammers.com
Thu, 21 Feb 2002 05:43:13 -0800


On Thu, Feb 21, 2002 at 11:53:11AM +0100, Prune wrote:
> Paul Makepeace wrote:
> >On Thu, Feb 21, 2002 at 10:31:50AM +0000, Chris Lightfoot wrote:
> >
> >>... And a general question. Wouldn't it be better to allow
> >>the administrator to specify the whole LDAP filter
> >>strings, based on insertions like $(user) etc., in the
> >>config file? Then your scheme would be represented by
> >>
> >>   auth-ldap-filter:   (mail=$(local_part)@$(domain))
> >>
> >>and other users could invent whatever filters they wanted?
> >>
> >
> >Another technique in LDAP is to store the filters themselves in some
> >part of the directory. This removes the need for config file editing,
> >server restarts etc and provides the opportunity for dynamic directory
> >structures.
> >
> >[We used to also put stubs of Perl code in the directory but I wouldn't
> >offer that out-of-the-box :-)]
> >
> >Paul
> >
> what would be the use ?

It would allow a directory administrator to set policies and
transformations etc based on the schema they design and subsequently
update without providing them with access to the POP server's config
file and privileges on the server to restart it. So it's enabling a
person (dir. admin) to do their job potentially without interfering with
someone else's (sys. admin). This may or may not be a benefit,
depending on an organization's security and role structure (something an
LDAP directory is often used to help with).

> the filter is something static, isn't it ?
> putting it in ldap would
> -add one more search (it's ok if it's just one at start)
> -need one to add it to his directory before being able to use tpop3d

Yup, those are both true. I just put the idea out there since it
doesn't necessarily generally occur to people (it certainly didn't to
me for a while :-)

> would you please give us an example ?

As a general LDAP example, you could define an arbitrary group
by a filter, e.g. all senior developers who have a particular boss, or
all the color printers on the second floor, assuming you have that data
in the directory.

YMMV :-)

Paul

-- 
Paul Makepeace ....................................... http://paulm.com/
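As an added example, not part of this thread or of tpop3d's code, here is how the $(local_part)/$(domain) template expansion Chris proposes could be implemented so that each substituted value is escaped per RFC 4515 and the administrator's filter structure cannot be altered by whatever string a client presents as its user name. The config key, placeholder names and function names are assumptions borrowed from the thread, not tpop3d's actual syntax.

```c
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, escaping the characters RFC 4515 forbids unescaped in
 * an assertion value (* ( ) \) plus non-ASCII bytes as \xx hex escapes.
 * Returns the number of bytes written, or -1 if `out` is too small. */
static int escape_filter_value(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' || c >= 0x80);
        size_t need = special ? 3 : 1;
        if (n + need >= outlen) return -1;           /* keep room for the NUL */
        if (special)
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", (unsigned)c);
        else
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Expand a template such as "(mail=$(local_part)@$(domain))". Only these two
 * placeholders are recognised (hypothetical names from the thread, not
 * tpop3d's real syntax). Each value is escaped before insertion, so the
 * template alone decides the filter's structure. Returns 0, or -1 on overflow. */
int expand_filter(const char *tmpl, const char *local_part, const char *domain,
                  char *out, size_t outlen) {
    size_t n = 0;
    while (*tmpl) {
        const char *val = NULL;
        if (strncmp(tmpl, "$(local_part)", 13) == 0) { val = local_part; tmpl += 13; }
        else if (strncmp(tmpl, "$(domain)", 9) == 0)  { val = domain;     tmpl += 9;  }
        if (val) {
            int w = escape_filter_value(val, out + n, outlen - n);
            if (w < 0) return -1;
            n += (size_t)w;
        } else {
            if (n + 1 >= outlen) return -1;          /* literal template byte */
            out[n++] = *tmpl++;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Does `tmpl` expand to exactly `expected`? (convenience for the checks) */
int expands_to(const char *tmpl, const char *lp, const char *dom, const char *expected) {
    char buf[256];
    return expand_filter(tmpl, lp, dom, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

With the constructed local part `a*b(c)` the expansion yields `(mail=a\2ab\28c\29@example.org)`, so the wildcard and parentheses reach the directory as literal value bytes rather than as filter syntax.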