[Dovecot] LDAP auth improvements
v2.1 now supports multiple LDAP fields in a template, e.g.:
user_attrs =
homeDirectory=home,
uidNumber=uid,
gidNumber=gid,
=mail=%{ldap:mailboxFormat}:%{ldap:homeDirectory}
which is the same as:
user_attrs =
=home=%{ldap:homeDirectory},
=uid=%{ldap:uidNumber},
=gid=%{ldap:gidNumber},
=mail=%{ldap:mailboxFormat}:%{ldap:homeDirectory}
I was also thinking about adding an alternative simplified syntax for this:
user_attrs {
  home = %{ldap:homeDirectory}
  uid = %{ldap:uidNumber}
  gid = %{ldap:gidNumber}
  mail = %{ldap:mailboxFormat}:%{ldap:homeDirectory}
}
Any ideas for further improvements before I do this change?
One thing I'm still wondering about is what I should do when LDAP returns multiple values. Like perhaps:
acl_groups = %{ldap:aclGroups:,}
Which would mean that all the aclGroups values would be joined together separated by "," characters. And a bit more complex with multiple gidNumbers:
gid = %{ldap:gidNumber[0]}
mail_access_groups = %{ldap:gidNumber[1:]:,}
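
The multi-value forms proposed above, sketched as an added example that is not part of the original post and not Dovecot code. The names `expand` and `ENTRY` and the two fail-closed choices (error on several values without a separator, error on a value that contains the separator) are assumptions made here.

```python
import re

# Forms from the thread: %{ldap:attr}, %{ldap:attr:SEP},
# %{ldap:attr[N]}, %{ldap:attr[N:]:SEP}
_VAR = re.compile(r"%\{ldap:(\w+)(?:\[(\d+)(:?)\])?(?::([^}]*))?\}")

# Constructed sample entry: attribute name -> list of values.
ENTRY = {
    "homeDirectory": ["/home/fred"],
    "mailboxFormat": ["maildir"],
    "gidNumber": ["1000", "2000", "2001"],
    "aclGroups": ["staff", "ops"],
}

def expand(template, entry):
    """Expand the proposed %{ldap:...} forms against one LDAP entry."""
    def repl(m):
        attr, idx, is_slice, sep = m.groups()
        values = entry.get(attr, [])
        if idx is not None:
            start = int(idx)
            # [N:] keeps the tail, [N] keeps at most one value.
            values = values[start:] if is_slice else values[start:start + 1]
        if sep is None:
            # Assumption: without a separator, several values are an error
            # instead of silently picking one. A missing value expands to "".
            if len(values) > 1:
                raise ValueError(f"{attr}: {len(values)} values, no separator")
            return values[0] if values else ""
        # Assumption: a value containing the separator would alter the
        # joined list (e.g. add a group name), so it is rejected.
        for v in values:
            if sep and sep in v:
                raise ValueError(f"{attr}: value {v!r} contains separator")
        return sep.join(values)
    return _VAR.sub(repl, template)

if __name__ == "__main__":
    for key, tmpl in [
        ("gid", "%{ldap:gidNumber[0]}"),
        ("mail_access_groups", "%{ldap:gidNumber[1:]:,}"),
        ("acl_groups", "%{ldap:aclGroups:,}"),
        ("mail", "%{ldap:mailboxFormat}:%{ldap:homeDirectory}"),
    ]:
        print(key, "=", expand(tmpl, ENTRY))
```

LDAP does not guarantee an order for the values of a multi-valued attribute, so which value `[0]` selects depends on the directory server.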
On 02.02.2012 14:54, Timo Sirainen wrote:
> user_attrs {
>   home = %{ldap:homeDirectory}
>   uid = %{ldap:uidNumber}
>   gid = %{ldap:gidNumber}
>   mail = %{ldap:mailboxFormat}:%{ldap:homeDirectory}
> }
> Any ideas for further improvements before I do this change?
One thing I was recently missing was something like this:
If the user is in LDAP group "group1", then use host = imap1 otherwise use host = imap2
However this would require a separate LDAP query since most LDAP servers do not list any group information in the user table.
Another nice feature: Use some sort of script to compute the lookup result, e.g. an external shell script:
#!/bin/bash
if [[ $ldap_uid == fred ]]; then
  echo "quota_rule = storage=3G"
else
  echo "quota_rule = storage=100M"
fi
Stuff like this is possible for SQL user databases, however LDAP does not have such flexible queries.
Cheers, Christoph
-- Christoph Bußenius Rechnerbetriebsgruppe der Fakultäten Informatik und Mathematik TU München +49 89-289-18519 <> Raum 00.05.055 <> Boltzmannstr. 3 <> Garching
participants (2)
- Christoph Bußenius
- Timo Sirainen