[Dovecot] Quota based on LDAP group
Hi
I have a setup where my dovecot (2.0, if that makes a difference) authenticates against an LDAP directory. In my scenario, I have two types of users, let's call them "normal" and "privileged". What I need is for the normal user to have a fixed quota, but for the privileged to have none. (The users do not exist on the underlying system, so I can't do quota based on FS)
The issue is that my LDAP is actually an AD, and there is a fair amount of new accounts over the time (in other words, I cannot use LDAP attribute for storing quota, because the AD tools don't understand it, and I would have to add it manually for each new account).
The approach I had in mind is using quota based on user group (I do have groups representing both normal and priviledged users), but I cannot find a way to set it up in dovecot. Am I missing something or does dovecot not support LDAP groups as attribute source?
thanks,
Pavel Herrmann
On 24.6.2013, at 16.35, Pavel Herrmann <morpheus.ibis@gmail.com> wrote:
> I have a setup where my dovecot (2.0, if that makes a difference) authenticates against an LDAP directory. In my scenario, I have two types of users, let's call them "normal" and "privileged". What I need is for the normal user to have a fixed quota, but for the privileged to have none. (The users do not exist on the underlying system, so I can't do quota based on FS)
> The issue is that my LDAP is actually an AD, and there is a fair amount of new accounts over the time (in other words, I cannot use LDAP attribute for storing quota, because the AD tools don't understand it, and I would have to add it manually for each new account).
> The approach I had in mind is using quota based on user group (I do have groups representing both normal and privileged users), but I cannot find a way to set it up in dovecot. Am I missing something or does dovecot not support LDAP groups as attribute source?
Sounds like you need to do two LDAP lookups and merge them. That requires Dovecot v2.2.
On Monday 24 of June 2013 23:01:54 Timo Sirainen wrote:
> On 24.6.2013, at 16.35, Pavel Herrmann <morpheus.ibis@gmail.com> wrote:
>> I have a setup where my dovecot (2.0, if that makes a difference) authenticates against an LDAP directory. In my scenario, I have two types of users, let's call them "normal" and "privileged". What I need is for the normal user to have a fixed quota, but for the privileged to have none. (The users do not exist on the underlying system, so I can't do quota based on FS)
>> The issue is that my LDAP is actually an AD, and there is a fair amount of new accounts over the time (in other words, I cannot use LDAP attribute for storing quota, because the AD tools don't understand it, and I would have to add it manually for each new account).
>> The approach I had in mind is using quota based on user group (I do have groups representing both normal and privileged users), but I cannot find a way to set it up in dovecot. Am I missing something or does dovecot not support LDAP groups as attribute source?
> Sounds like you need to do two LDAP lookups and merge them. That requires Dovecot v2.2.
Sure, I am open to upgrading, if it solves the issue.
I would actually need more than 2 requests, as AD supports recursive groups (a group being member of another group), which I do use.
One possible issue is that, from what I can see on the wiki, it does not really work with how groups in LDAP usually work. What I would need is the opposite direction - locate a group that has "member=myUserDn" attribute, look whether it has quota attribute set, if not use the group DN as myUserDn and repeat the search. Granted, AD has a backlink "memberOf" attribute, but I am still left with recursively looking up whether the group has a quota attribute, and whether it is a member of another group (cyclic membership is not possible AFAIK). Is this possible with Dovecot 2.2?
thanks,
Pavel Herrmann
On 25.6.2013, at 0.05, Pavel Herrmann <morpheus.ibis@gmail.com> wrote:
>> Sounds like you need to do two LDAP lookups and merge them. That requires Dovecot v2.2.
> Sure, I am open to upgrading, if it solves the issue.
> I would actually need more than 2 requests, as AD supports recursive groups (a group being member of another group), which I do use.
> One possible issue is that, from what I can see on the wiki, it does not really work with how groups in LDAP usually work. What I would need is the opposite direction - locate a group that has "member=myUserDn" attribute, look whether it has quota attribute set, if not use the group DN as myUserDn and repeat the search. Granted, AD has a backlink "memberOf" attribute, but I am still left with recursively looking up whether the group has a quota attribute, and whether it is a member of another group (cyclic membership is not possible AFAIK). Is this possible with Dovecot 2.2?
http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb -> "Subqueries and pointers" does what you need I think. My head can't really follow LDAP stuff well enough to say for sure.
Hi
On Tuesday 25 of June 2013 00:13:05 Timo Sirainen wrote:
> On 25.6.2013, at 0.05, Pavel Herrmann <morpheus.ibis@gmail.com> wrote:
>>> Sounds like you need to do two LDAP lookups and merge them. That requires Dovecot v2.2.
>> Sure, I am open to upgrading, if it solves the issue.
>> I would actually need more than 2 requests, as AD supports recursive groups (a group being member of another group), which I do use.
>> One possible issue is that, from what I can see on the wiki, it does not really work with how groups in LDAP usually work. What I would need is the opposite direction - locate a group that has "member=myUserDn" attribute, look whether it has quota attribute set, if not use the group DN as myUserDn and repeat the search. Granted, AD has a backlink "memberOf" attribute, but I am still left with recursively looking up whether the group has a quota attribute, and whether it is a member of another group (cyclic membership is not possible AFAIK). Is this possible with Dovecot 2.2?
> http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb -> "Subqueries and pointers" does what you need I think. My head can't really follow LDAP stuff well enough to say for sure.
Yeah, I figured that one out. The thing I don't see is how I set this up to work recursively (until the quota attribute is found). What I need is something similar to Postfix "special_result_attribute" and "leaf_result_attribute" options (with the exception that I need to select one/closest of the attributes found, whereas Postfix gets them all)
thanks,
Pavel Herrmann
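The "closest group that carries a quota attribute" lookup Pavel describes in his last two messages, written out as an added Python example that is neither part of this thread nor Dovecot's own code: it walks AD's memberOf backlink breadth-first over a constructed in-memory directory, returns the value from the nearest group that sets a hypothetical mailQuota attribute, and terminates on cyclic nesting (AD does allow group cycles, so the visited set matters). The attribute name, the "none" value for privileged groups, and all DNs are assumptions.

```python
# Constructed directory, DN -> attributes. "memberOf" is the AD backlink from the
# thread; "mailQuota" is a hypothetical group attribute ("none" = unlimited).
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    "cn=carol,ou=users,dc=example,dc=com": {
        "memberOf": ["cn=guests,ou=groups,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=all-users,ou=groups,dc=example,dc=com"]},
    # admins is nested in all-users too, but sets its own value one hop closer
    "cn=admins,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=all-users,ou=groups,dc=example,dc=com"],
        "mailQuota": "none"},
    "cn=all-users,ou=groups,dc=example,dc=com": {
        "memberOf": [], "mailQuota": "1G"},
    # guests and visitors contain each other: a nesting cycle with no quota
    "cn=guests,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=visitors,ou=groups,dc=example,dc=com"]},
    "cn=visitors,ou=groups,dc=example,dc=com": {
        "memberOf": ["cn=guests,ou=groups,dc=example,dc=com"]},
}

def resolve_quota(user_dn, directory=DIRECTORY, attr="mailQuota"):
    """Walk memberOf breadth-first from user_dn and return (value, group_dn)
    for the closest group that sets attr, or (None, None) if none does.
    Equal-depth ties are broken by DN order; the seen set stops on cycles."""
    seen = {user_dn}
    frontier = sorted(set(directory.get(user_dn, {}).get("memberOf", [])))
    while frontier:
        # every DN in frontier sits at the same nesting depth
        for group_dn in frontier:
            seen.add(group_dn)
            entry = directory.get(group_dn, {})
            if attr in entry:
                return entry[attr], group_dn
        next_level = set()
        for group_dn in frontier:
            next_level.update(directory.get(group_dn, {}).get("memberOf", []))
        frontier = sorted(next_level - seen)
    return None, None

def userdb_extra_fields(user_dn, directory=DIRECTORY):
    """Extra field a userdb would hand to Dovecot: a quota_rule or nothing."""
    value, _ = resolve_quota(user_dn, directory)
    if value is None or value == "none":
        return {}
    return {"quota_rule": "*:storage=" + value}
```

Since the thread leaves open whether Dovecot 2.2's subqueries can recurse, the walk is shown outside Dovecot, where a helper could feed its result into the userdb; the quota_rule string it emits uses Dovecot's own quota rule syntax.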