On Wed, 2009-01-28 at 18:43 +0100, Thomas Hummel wrote:
> Hello Timo,
> In my trials to set up a shared namespace with dovecot-1.1.8/LDAP passdb/userdb (prefetch)/Maildir, I found out that:
> ACLs are mandatory (at least if the acl plugin is triggered in dovecot.conf)
> Am I correct? I'm still not sure if we can do without ACLs at all (only with unix permissions and the system_user userdb extra field).

I don't really understand. ACLs are not required if UNIX permissions are enough for you. ACLs only add extra restrictions.

> the system_user userdb extra field is supposed to be ...the logname of the user the secondary groups of whom we want to check! .. Seems obvious now and said this way, but looking at the wiki:
> "system_user: If this is given, the user's groups are read from /etc/group (or wherever NSS is configured to taken them from)."
> I thought 'system_user' was a flag (a boolean) which, when triggered, made dovecot look for the secondary groups of the user (user whose name is already known).

Updated wiki.

> b) why isn't system_user such a boolean? Is there a case where we'd want system_user to be different than the user dovecot runs as at the moment the check takes place?

Maybe. But there's no way to change that now without breaking backwards compatibility.

> - same idea with acl_groups: since this extra_field holds a list of groups for the ACL plugin, why not rely on the native unix groups of the system the user belongs to?

Do you mean the ACL plugin would use the user's current UNIX groups? That might be useful as an extra option, but virtual users won't have any UNIX groups, so it can't work for everyone.
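As an added illustration of the two extra fields discussed above (this is example code written for this page, not Dovecot's own implementation and not anything posted in the thread): the value of `system_user` is a login name whose primary and secondary groups are resolved through NSS (the `grp`/`pwd` tables), and `acl_groups` is an explicit group list. The example assumes `acl_groups` is comma-separated and, purely for illustration, unions the two sources; the `SAMPLE_GROUPS` and `SAMPLE_PASSWD` tables are constructed so it runs offline. It also covers the caveat from the reply: a virtual user with no UNIX account simply resolves to no UNIX groups instead of failing.

```python
import grp
import os
import pwd

# Constructed sample of an NSS group table, shaped like grp.getgrall() entries:
# (gr_name, gr_passwd, gr_gid, gr_mem). Real lookups below use the live tables.
SAMPLE_GROUPS = [
    ("users", "x", 100, []),                # primary group, no explicit members
    ("mail", "x", 8, ["thomas", "alice"]),
    ("staff", "x", 50, ["thomas"]),
    ("wheel", "x", 10, ["root"]),
]
# Constructed passwd table: login name -> primary gid.
SAMPLE_PASSWD = {"thomas": 100, "alice": 100}


def lookup_unix_groups(system_user, group_table=None, passwd_table=None):
    """Resolve the UNIX groups of the account named by `system_user`.

    Mirrors what the wiki text describes: the groups come from /etc/group
    (or whatever NSS is configured to use), so the account must exist on
    the system. Membership is the primary group from passwd plus every
    group listing the account as a member. A name with no UNIX account
    (a virtual user) yields an empty set rather than an error.
    """
    if group_table is None:
        group_table = grp.getgrall()
    try:
        if passwd_table is None:
            primary_gid = pwd.getpwnam(system_user).pw_gid
        else:
            primary_gid = passwd_table[system_user]
    except KeyError:
        return set()  # virtual user: no UNIX account, hence no UNIX groups
    # struct_group entries are tuple-like: [0] is the name, [2] the gid, [3] the members.
    return {g[0] for g in group_table if g[2] == primary_gid or system_user in g[3]}


def acl_group_set(extra_fields, group_table=None, passwd_table=None):
    """Build the group set an ACL check could consult from userdb extra fields.

    Assumption for this example: `acl_groups` is a comma-separated list, and
    the explicit list and the NSS-derived groups are simply unioned. Both
    fields are optional.
    """
    groups = set()
    explicit = extra_fields.get("acl_groups", "")
    groups.update(name.strip() for name in explicit.split(",") if name.strip())
    system_user = extra_fields.get("system_user")
    if system_user:
        groups.update(lookup_unix_groups(system_user, group_table, passwd_table))
    return groups


if __name__ == "__main__":
    # Offline demonstration on the constructed tables.
    print("thomas:", sorted(lookup_unix_groups("thomas", SAMPLE_GROUPS, SAMPLE_PASSWD)))
    print("virtual user:", lookup_unix_groups("vmail-only", SAMPLE_GROUPS, SAMPLE_PASSWD))
    fields = {"acl_groups": "sales, support", "system_user": "alice"}
    print("merged:", sorted(acl_group_set(fields, SAMPLE_GROUPS, SAMPLE_PASSWD)))
    # Live lookup against this host's NSS tables for the current account.
    me = pwd.getpwuid(os.getuid()).pw_name
    print(me, "on this host:", sorted(lookup_unix_groups(me)))
```

The injectable `group_table`/`passwd_table` parameters exist only so the behaviour can be checked against fixed data; with both left at `None` the function consults the host's real NSS configuration, which is the case the wiki sentence refers to.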