
Re: Cyrus-IMAPD and LDAP




"Kevin J. Menard, Jr." wrote:
> 
> Ok, we're getting way off-topic here, so perhaps this should be taken to the
> info-cyrus list.

It is possibly off-topic, but I was talking about a problem that affects other
programs as well.  IIRC, ProFTPd was discussed recently, but some Apache
modules are affected too (mod_authz_ldap comes to mind, mod_auth_nis possibly
as well).

>  But, what do you mean by this preceding paragraph?

In general, every program that does POSIX-group-based authorization and
does not do a real login (because, among other things, it does not run as
root) is negatively impacted when the name service is slow, as LDAP is,
at least when compared with the other alternatives.

In particular, notice this code fragment from auth_newstate in lib/auth_unix.c
in cyrus-imapd:

    /* walk every group entry the name service knows about... */
    setgrent();
    while ((grp = getgrent()) != NULL) {
        /* is identifier listed as a supplementary member? */
        for (mem = grp->gr_mem; *mem; mem++) {
            if (!strcmp(*mem, identifier)) break;
        }

        /* ...or is this the user's primary group? */
        if (*mem || (pwd && pwd->pw_gid == grp->gr_gid)) {
            newstate->ngroups++;
            newstate->group = (char **)xrealloc((char *)newstate->group,
                                                newstate->ngroups * sizeof(char *));
            newstate->group[newstate->ngroups-1] = xstrdup(grp->gr_name);
        }
    }
    endgrent();

That was to find what groups a user is a member of, i.e. a light version
of initgroups.  The NSS service is optimized to solve the real initgroups
case, but this fake one requires a search for (objectClass=posixGroup).  Hope
there aren't many...

As I said earlier, this is not a criticism of cyrus-imapd, of which I am
a very happy user.  It is a deficiency in the NSS interface that affects
especially LDAP users.  And Cyrus is not the only victim.

All the best,

Julio
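The "real initgroups case" Julio contrasts with the getgrent() sweep can be
reached from an unprivileged program through getgrouplist(3).  The program
below is an added example written for this page; it is not cyrus-imapd code
and not something from the thread.  It assumes a glibc/Linux system, where
getgrouplist() drives the NSS module's initgroups hook and, when the buffer
is too small, returns -1 and stores the required count in the caller's
count variable.  The function names (user_groups_grow, user_groups,
groups_for_identifier, gid_in_list) are mine.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Added example, not cyrus-imapd code.  Instead of sweeping every group
 * entry with getgrent(), ask the name service for one user's groups via
 * getgrouplist(3).  On glibc this goes through the NSS module's
 * initgroups hook, the path the NSS interface actually optimises.
 *
 * The retry loop handles the documented edge case: when the caller's
 * buffer is too small getgrouplist() returns -1 and (on glibc) stores
 * the required count in *count; other libcs only report -1, so the
 * buffer is doubled in that case.
 */

/* Fetch the groups of `user`, whose primary gid is `primary`, starting
 * with room for `initial` entries.  Returns a malloc'd array with the
 * count in *ngroups, or NULL on allocation failure.  Caller frees. */
gid_t *user_groups_grow(const char *user, gid_t primary, int initial, int *ngroups)
{
    int cap = initial > 0 ? initial : 1;
    gid_t *groups = NULL;

    for (;;) {
        gid_t *tmp = realloc(groups, (size_t)cap * sizeof *tmp);
        if (tmp == NULL) {
            free(groups);
            return NULL;
        }
        groups = tmp;

        int count = cap;
        if (getgrouplist(user, primary, groups, &count) != -1) {
            *ngroups = count;   /* the primary gid is always included */
            return groups;
        }
        /* too small: grow to the size glibc reported, or double */
        cap = count > cap ? count : cap * 2;
    }
}

/* Same, with a sensible initial guess. */
gid_t *user_groups(const char *user, gid_t primary, int *ngroups)
{
    return user_groups_grow(user, primary, 16, ngroups);
}

/* Mirror the cyrus lookup: identifier -> passwd entry -> group list.
 * Returns NULL (and *ngroups = 0) if the user is unknown. */
gid_t *groups_for_identifier(const char *identifier, int *ngroups)
{
    *ngroups = 0;
    struct passwd *pwd = getpwnam(identifier);
    if (pwd == NULL)
        return NULL;
    return user_groups(identifier, pwd->pw_gid, ngroups);
}

/* 1 if gid occurs in the list, else 0. */
int gid_in_list(const gid_t *groups, int ngroups, gid_t gid)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *who = argc > 1 ? argv[1] : "root";
    int n = 0;
    gid_t *groups = groups_for_identifier(who, &n);
    if (groups == NULL) {
        fprintf(stderr, "%s: unknown user or out of memory\n", who);
        return 1;
    }
    for (int i = 0; i < n; i++) {
        /* one keyed lookup per gid, not a sweep of every group */
        struct group *grp = getgrgid(groups[i]);
        printf("%u %s\n", (unsigned)groups[i], grp ? grp->gr_name : "?");
    }
    free(groups);
    return 0;
}
```

Usage: compile with `cc -o groups groups.c` and run `./groups someuser`.  The
point of the example is the query shape: getgrouplist() lets the NSS backend
answer "which groups contain this user" as one membership-filtered query
(for nss_ldap and nslcd, a single search rather than one entry per
posixGroup), whereas the getgrent() loop forces the backend to return every
group and leaves the filtering to the client.  The -1 retry is the part
people usually get wrong; a fixed-size buffer silently truncates the group
list on users with many groups.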