[Dovecot] Secondary groups from ldap
Hello,
I'm trying to configure my user_attrs using LDAP as the userdb so that
dovecot knows what secondary groups a user is a member of. The LDAP
backend is an Open Directory implementation, which stores secondary
group affiliations as memberUid attributes in
cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
With ldapsearch, my query would be:
ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
Is this possible to configure in Dovecot?
Thanks, Ian
On 09/15/2009 11:18 PM, Ian Levesque wrote:
Hello,
I'm trying to configure my user_attrs using LDAP as the userdb so that dovecot knows what secondary groups a user is a member of. The LDAP backend is an Open Directory implementation, which stores secondary group affiliations as memberUid attributes in cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
With ldapsearch, my query would be:
ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
Is this possible to configure in Dovecot?
I needed the ability to authorize users against secondary groups like yours that store membership in memberUid. The easiest way I found to do so was to flip dovecot over to use checkpassword authentication, and therefore my perl implementation of checkpassword (which auths against ldap). The wiki has some config notes, but for example I use this:
passdb checkpassword {
  # Path for checkpassword binary
  args = /opt/bin/checkpassword-ldap.pl
}
userdb prefetch {
}
# for deliver
userdb passwd {
  args = blocking=yes
}
With the login process in perl, you can do whatever you want, including checking secondary groups, setting variables prefetch-style (userdb_uid), overriding settings per-user, etc. I would be happy to share the perl I have hacked up to do this off list (not quite ready for release).
-Jeff
-- Jeff Hardy Systems Analyst hardyjm@potsdam.edu
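The checkpassword approach Jeff describes, as an added example that is not his perl script and not part of the original thread. It is written in Python rather than perl, and the LDAP server is replaced by a constructed in-memory copy of the cn=groups subtree so it runs offline; in a real deployment `DIRECTORY` and `USERS` would be replaced by an LDAP search for `(memberUid=<user>)` under the groups base. The field name `userdb_secondary_gids`, the gidNumbers and the user records are assumptions. The fd-3 handshake, the `AUTHORIZED=1`/`2` userdb convention, the `EXTRA` variable and the exec of the reply binary follow my reading of Dovecot's checkpassword wiki page; check them against the version you run.

```python
#!/usr/bin/env python3
"""Checkpassword-style userdb lookup that resolves secondary groups from
group entries keyed by memberUid (constructed example, not the thread's code)."""
import os
import sys

# Constructed stand-in for cn=groups,dc=dns,dc=name,dc=server: dn -> attributes.
DIRECTORY = {
    "cn=staff,cn=groups,dc=dns,dc=name,dc=server": {
        "gidNumber": "20", "memberUid": ["ian", "jeff"],
    },
    "cn=tech,cn=groups,dc=dns,dc=name,dc=server": {
        "gidNumber": "1001", "memberUid": ["ian", "alice"],
    },
    "cn=admins,cn=groups,dc=dns,dc=name,dc=server": {
        "gidNumber": "80", "memberUid": ["alice"],
    },
}

# Constructed user records, as the user's own LDAP entry would supply them.
USERS = {
    "ian": {"uidNumber": 2637, "gidNumber": 20, "home": "/home/ian"},
    "jeff": {"uidNumber": 2638, "gidNumber": 20, "home": "/home/jeff"},
}


def secondary_groups(directory, uid):
    """Offline equivalent of
    ldapsearch -b cn=groups,... "(memberUid=<uid>)" cn gidNumber
    Returns [(cn, gidNumber), ...] sorted by gid."""
    hits = []
    for dn, attrs in directory.items():
        if uid in attrs.get("memberUid", []):
            cn = dn.split(",", 1)[0].split("=", 1)[1]
            hits.append((cn, int(attrs["gidNumber"])))
    return sorted(hits, key=lambda h: h[1])


def userdb_reply(user):
    """Build the environment a checkpassword program exports for a userdb
    lookup: USER, HOME, userdb_uid, userdb_gid plus EXTRA naming the
    userdb_* keys. Returns None when the user is unknown."""
    rec = USERS.get(user)
    if rec is None:
        return None
    groups = secondary_groups(DIRECTORY, user)
    env = {
        "USER": user,
        "HOME": rec["home"],
        "userdb_uid": str(rec["uidNumber"]),
        "userdb_gid": str(rec["gidNumber"]),
        # Hypothetical extra field: comma-separated list of secondary gids,
        # in the same shape as Timo's "gid=123,345,456" field.
        "userdb_secondary_gids": ",".join(str(g) for _, g in groups),
    }
    env["EXTRA"] = " ".join(k for k in env if k.startswith("userdb_"))
    return env


def main():
    # Dovecot passes "username\0password\0timestamp\0" on fd 3 (assumed layout).
    fields = os.read(3, 512).split(b"\0")
    user = fields[0].decode()
    # AUTHORIZED=1 marks a userdb lookup; this example implements only that side.
    if os.environ.get("AUTHORIZED") != "1":
        sys.exit(2)
    env = userdb_reply(user)
    if env is None:
        sys.exit(1)                       # unknown user
    os.environ.update(env)
    os.environ["AUTHORIZED"] = "2"        # tell Dovecot the lookup succeeded
    os.execvp(sys.argv[1], sys.argv[1:])  # hand off to checkpassword-reply


if __name__ == "__main__":
    main()
```

Note that `userdb_secondary_gids` only reaches Dovecot as an extra userdb field; as Timo points out further down in the thread, the userdb code path only consumes the first gid, so exporting the list does not by itself add supplementary groups to the mail process.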
On Sep 16, 2009, at 5:18 AM, Ian Levesque wrote:
I'm trying to configure my user_attrs using LDAP as the userdb so
that dovecot knows what secondary groups a user is a member of. The
LDAP backend is an Open Directory implementation, which stores
secondary group affiliations as memberUid attributes in
cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
Do you mean memberGid? Also is it only secondary groups, the primary
group is somewhere else?
With ldapsearch, my query would be:
ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
Is this possible to configure in Dovecot?
Hmm. Looking at the code if you do:
user_attrs = memberGid=gid
then it should set "gid=123,345,456" field. You could verify that this
gets returned by setting auth_debug=yes. But .. I can't really see
where that code would actually be used, since it looks like only the
first GID is actually used. Try anyway how far you can get. :)
On Sep 16, 2009, at 9:16 PM, Timo Sirainen wrote:
On Sep 16, 2009, at 5:18 AM, Ian Levesque wrote:
I'm trying to configure my user_attrs using LDAP as the userdb so
that dovecot knows what secondary groups a user is a member of. The
LDAP backend is an Open Directory implementation, which stores
secondary group affiliations as memberUid attributes in
cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
Do you mean memberGid? Also is it only secondary groups, the primary
group is somewhere else?
No, the way that OD handles secondary group affiliations is through a
"groups" cn that lists "memberUid"s that are in the group. I've seen
LDAP implementations that provide secondary group IDs in the "user"
cn, which is indeed a lot easier to query.
With ldapsearch, my query would be:
ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
Is this possible to configure in Dovecot?
Hmm. Looking at the code if you do:
user_attrs = memberGid=gid
then it should set "gid=123,345,456" field. You could verify that
this gets returned by setting auth_debug=yes. But .. I can't really
see where that code would actually be used, since it looks like only
the first GID is actually used. Try anyway how far you can get. :)
Well, if dovecot doesn't use secondary groups, maybe I'm
misunderstanding a problem we're having. Basically, I'm trying to
configure a shared mailbox. The two users sharing the mailbox are in
the same secondary group. The mailbox itself is 770 but the users
can't access the mailbox, and dovecot complains:
stat(/path/to/.mailbox/tmp) failed: Permission denied (euid=2637
(username) egid=20(staff) missing +x perm: /path/to/.mailbox)
$ ls -al /path/to/.mailbox
.archive -> /path/to/shared/.mailbox
$ ls -ald /path/to/shared/.mailbox
drwxrwx--- 5 root tech 172 Sep 16 11:10 /path/to/shared/.mailbox
I assumed this is because dovecot's not recognizing the secondary
group "tech" properly, did I misinterpret the error?
Best, Ian
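The permission failure Ian quotes can be reproduced without a mail server. The following added example (not code from the thread or from Dovecot) applies the POSIX owner/group/other class selection to the directory from his `ls -ald` output and formats the result the way Dovecot's error does. The mode, owner and `egid=20(staff)` come from the thread; the gid 1001 for "tech" and the supplementary group lists are assumptions. It shows that with only gid 20 in the process's group set the `+x` check on a `root:tech 0770` directory fails, and that adding the "tech" gid as a supplementary group is what makes it pass.

```python
"""Emulate the access check behind Dovecot's
"missing +x perm" message (constructed example)."""

STAFF_GID = 20       # from the error: egid=20(staff)
TECH_GID = 1001      # assumed gid for the "tech" group
# From Ian's listing: drwxrwx--- 5 root tech ... /path/to/shared/.mailbox
SHARED = {"path": "/path/to/shared/.mailbox", "mode": 0o770,
          "uid": 0, "gid": TECH_GID}


def missing_perms(f, euid, egid, groups, want):
    """Return the letters in `want` (subset of "rwx") that a process with
    the given euid, egid and supplementary gids lacks on file `f`.
    Class selection follows POSIX: owner bits if euid matches, else group
    bits if egid or any supplementary gid matches, else other bits.
    The euid 0 override is not modelled; it does not apply here."""
    if euid == f["uid"]:
        shift = 6
    elif egid == f["gid"] or f["gid"] in groups:
        shift = 3
    else:
        shift = 0
    bits = (f["mode"] >> shift) & 0o7
    have = {"r": bool(bits & 4), "w": bool(bits & 2), "x": bool(bits & 1)}
    return "".join(p for p in want if not have[p])


def access_error(f, euid, egid, groups, want="x"):
    """Dovecot-style EACCES text, or None when the access is granted."""
    miss = missing_perms(f, euid, egid, groups, want)
    if not miss:
        return None
    return "Permission denied (euid=%d egid=%d missing +%s perm: %s)" % (
        euid, egid, miss, f["path"])


if __name__ == "__main__":
    # Process as Dovecot reported it: uid 2637, primary group staff only.
    print(access_error(SHARED, 2637, STAFF_GID, [STAFF_GID]))
    # Same process with "tech" as a supplementary group.
    print(access_error(SHARED, 2637, STAFF_GID, [STAFF_GID, TECH_GID]))
```

The diagnostic Ian quotes lists only the effective gid, which is consistent with the mail process running with no supplementary groups at all; traversal of `/path/to/.mailbox` additionally requires `+x` on every component of the symlink target's path, so the same check should be applied to each parent directory.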