[Dovecot] Ldap and secondary PosixGroups
Hello all,
I'm using "Pam Ldap" for my users (Debian Lenny).
getent passwd : *m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash*
getent group : *l_admin:*:2000:m.ambrosy l_personnel:*:2001:m.ambrosy l_mail:*:2003:m.ambrosy*
As you can see, in LDAP, user "m.ambrosy" (PosixAccount) is defined with gidNumber = 100 (local group "users") and uidNumber = 2000. Furthermore this user belongs to 3 secondary Ldap PosixGroup (l_admin 2000, l_personnel 2001, l_mail 2003).
If /var/mail belongs to the primary group (100), no problem. If /var/mail belongs to l_mail (2003) : *mkdir(/var/mail/m.ambrosy) failed: Permission denied (euid=2000(m.ambrosy) egid=100(users) missing +w perm: /var/mail, euid is not dir owner*
In fact, Dovecot seems to not see secondary groups for my user. It just checks the primary group (gidNumber).
If I modify my Ldap user like this, getent passwd : *m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash *It works fine but my "l_mail" group must be secondary (like an option for some users), not the primary gidNumber. Can I do it in the conf file?* * Am I making myself clear?
Regards, Matthieu.
El Thursday 03 February 2011, Matthieu Ambrosy <matthieu.ambrosy@gmail.com> dijo:
I'm using "Pam Ldap" for my users (Debian Lenny).
getent passwd : *m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash*
getent group : *l_admin:*:2000:m.ambrosy l_personnel:*:2001:m.ambrosy l_mail:*:2003:m.ambrosy*
As you can see, in LDAP, user "m.ambrosy" (PosixAccount) is defined with gidNumber = 100 (local group "users") and uidNumber = 2000. Furthermore this user belongs to 3 secondary Ldap PosixGroup (l_admin 2000, l_personnel 2001, l_mail 2003).
If /var/mail belongs to the primary group (100), no problem. If /var/mail belongs to l_mail (2003) : *mkdir(/var/mail/m.ambrosy) failed: Permission denied (euid=2000(m.ambrosy) egid=100(users) missing +w perm: /var/mail, euid is not dir owner*
In fact, Dovecot seems to not see secondary groups for my user. It just checks the primary group (gidNumber).
If I modify my Ldap user like this, getent passwd : *m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash *It works fine but my "l_mail" group must be secondary (like an option for some users), not the primary gidNumber. Can I do it in the conf file?*
One more flexible solution can be using direct ldap for dovecot instead of pam. It may be easier if you posted your actual setup, but I guess that if you check if the user is member of the l_mail group in the pass_filter, and then force 2003 as the gid in the userdb everything should work,
Bye,
Joseba Torre. Vicegerencia de TICs, área de Explotación
On Thu, 2011-02-03 at 10:34 +0100, Matthieu Ambrosy wrote:
I'm using "Pam Ldap" for my users (Debian Lenny).
getent passwd : *m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash*
getent group : *l_admin:*:2000:m.ambrosy l_personnel:*:2001:m.ambrosy l_mail:*:2003:m.ambrosy*
These are NSS lookups, not PAM.
In fact, Dovecot seems to not see secondary groups for my user. It just checks the primary group (gidNumber).
Assuming you're using userdb passwd, it should have set the secondary groups. dovecot -n output could have been helpful though.
If I modify my Ldap user like this, getent passwd : *m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash *It works fine but my "l_mail" group must be secondary (like an option for some users), not the primary gidNumber. Can I do it in the conf file?*
You could also set mail_access_groups = l_mail.
participants (3)
-
Joseba Torre
-
Matthieu Ambrosy
-
Timo Sirainen