No AD doesn't have such a field, but I could use some unused field to get what I want. Let's say set "Attribute1" to "group1". The problem is how to get that info. I guess I have to edit dovecot-ldap.conf and put in user_attrs something like that ",=acl_groups=Attribute1". Any suggestions?

From: Jan Phillip Greimann <jg@softjury.de> To: b m <stocton12@yahoo.com>; Dovecot Mailing List <dovecot@dovecot.org> Sent: Thursday, October 25, 2012 1:35 PM Subject: Re: [Dovecot] Public folders and groups

Am 25.10.2012 00:13, schrieb b m:

Currently I have dovecot working with Active Directory authentication and public folders with acl. In acl I have the users I want to access the public folders. It'll be easier for me to use one group instead of 50 users but I can't get it to work. From where does dovecot get the "group" attribute for a user? Can it read the groups that a user belongs from AD?

Here a sentence to this, found in the dovecot wiki. (http://wiki2.dovecot.org/ACL)

ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to.

It seems to be possible, I had an acl_groups field in my MySQL Database for this, I'am sure it is something like that in an AD too.

At 1PM -0700 on 25/10/12 b m wrote:

From: Jan Phillip Greimann <jg@softjury.de>

...

Am 25.10.2012 00:13, schrieb b m:

...

Currently I have dovecot working with Active Directory authentication and public folders with acl. In acl I have the users I want to access the public folders. It'll be easier for me to use one group instead of 50 users but I can't get it to work. From where does dovecot get the "group" attribute for a user? Can it read the groups that a user belongs from AD?

ACL groups support works by returning a comma-separated acl_groups extra field from userdb, which contains all the groups the user belongs to.

It seems to be possible, I had an acl_groups field in my MySQL Database for this, I'am sure it is something like that in an AD too.

No AD doesn't have such a field, but I could use some unused field to get what I want. Let's say set "Attribute1" to "group1". The problem is how to get that info. I guess I have to edit dovecot-ldap.conf and put in user_attrs something like that ",=acl_groups=Attribute1". Any suggestions?

That's the wrong way around. Assuming you created an 'imapGroups' attribute containing a comma-separated list of IMAP groups, you would want to add 'imapGroups=acl_groups' to user_attrs.

Alternatively, if you don't want to duplicate the information in the LDAP directory, you can use post-login scripting to set up the groups list (see http://wiki2.dovecot.org/PostLoginScripting). If you have your system set up with nss_ldap or winbind so that AD users show up as system users with their proper groups, the example on the wiki using the 'groups' command will work. Otherwise, you can pull the information directly from LDAP, something like

#!/bin/sh

do_ldap () {
    /usr/local/bin/ldapsearch -h <PDC> \
        "(&(objectClass=$1)($2))" $3 \
        | sed -ne"s/^$3: //p"
}

user_dn="$(do_ldap User "sAMAccountName=$USER" dn)"
ACL_GROUPS="$(do_ldap Group "member=$user_dn" cn | paste -sd, -)"

export ACL_GROUPS
export USERDB_KEYS="$USERDB_KEYS acl_groups"
exec "$@"

Obviously you will need to adjust the path and connection parameters for ldapsearch to suit your environment; also, I don't use AD, so you may need to adjust the LDAP search. (If you prefer it might be easier to do this in Perl or Python or something rather than shell.)

Ben