Dear clapf-users,
as clapf grows it requires some new features. It's easy to
implement in sql, however it's a bit trickier using LDAP.
To decide how to deal with LDAP backend, a little background
first.
I modified the qmail.schema to include some clapf related
attributes, such policy group id, blacklist, ... Every time
I added a new feature, then I had to modify the ldap scheme
too.
The latest addition (token groups) required an addtional attribute
('gid'). However 'gid' might be a used attribute for other
purposes, so I created a new one: 'clapfgid'. So far, so good.
However though the webui has a user administration menu, you
may not use it eg. to create a new user, since it handles
clapf specific attributes mostly. Then why would I bother with
it?
So we need to come to an agreement (ie. make a best practice-like
thing) howto throw clapf into an ldap environment, and I count
on your ideas help on this matter.
I have two proposals (but you are free to add your own).
A) Let all clapf specific user data (policy group, domain,
... gid) be stored in the SQL database of clapf, and
let clapf read the username, password (for webui auth)
and perhaps the uid from the ldap database.
This way I have to implement only the clapf specific
attributes in the webui.
The drawback is that whenever a message arrives, then
clapf needs an LDAP query, then an SQL query to get
all the required user data. OK, I can put the combined
data to memcached later.
B) the second idea is to import all the required ldap
data to clapf's local SQL database. If we can somehow
synchronize, then clapf can be simpler, since it needs
SQL support only.
Currently the webui supports method B) in junction with
Active Directory, but I believe we can extend its concept
to support an openldap (or other) LDAP directory as well.
So to sum up, you can help me by the followings:
- show me a user ldif entry (can be a fictional user)
- describe how you manage your ldap users, and how you
manage clapf related user data
- which method would you accept? A) or B) or your
own solution: C)
Best regards,
Janos
