Re: User authentication for shared mailbox
I managed to make it work. In case other people want to do the same, the trick was to use the master user concept, as suggested by Aki Tuomi, together with a Lua script that checks whether the authenticated master user is allowed to open the requested (shared) mailbox. Be aware that the script hands the master user name to a shell (`/bin/groups`), so it must only run after the master user has been authenticated, and the name should be validated before it reaches the shell. My configuration looks like this:
# Master passdb: authenticates the master user (the account whose password is
# actually supplied) against PAM. result_success = continue hands the request
# on to the following passdbs instead of stopping here.
passdb pam_master {
  driver = pam
  master = yes
  result_success = continue
}
# Ordinary logins (no master user) are verified against PAM as usual.
passdb pam {
}
# Lua passdb: decides whether the master user may open the requested mailbox
# (the script treats the requested user name as a Unix group of the master
# user). A failure or internal error stops the lookup (return-fail), so a
# denied request never reaches the LDAP passdb below; a success continues.
passdb lua {
  lua_file = /etc/dovecot/master-auth.lua
  result_failure = return-fail
  result_internalfail = return-fail
  result_success = continue-ok
}
# LDAP passdb: shared-mailbox "users" are the group entries under ou=Group.
# The fixed password {SHA1}IQ== is base64 for the single byte "!", not a
# 20-byte SHA-1 digest, so it can never verify any password: a group mailbox
# can only be opened through a master login, never with a password of its own.
passdb ldap {
  ldap_base = ou=Group,dc=example,dc=com
  fields {
    password = {SHA1}IQ==
    user = %{ldap:cn}
  }
  filter = (cn=%{user | username})
}
and the lua script:
function script_init() return 0 end
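-- Dovecot Lua passdb script (master-auth.lua).
--
-- script_init is called once when Dovecot loads the script; there is nothing
-- to set up, and returning 0 reports success.
function script_init()
  return 0
end

-- Passdb lookup hook: decide whether a master user may open a shared mailbox.
--
-- Called for the target user (req.user) of a master-user login. The master
-- user (req.master_user) is expected to have been verified by the master
-- passdb already; here the target user name is treated as a Unix group name
-- and access is granted only if /bin/groups lists the master user in that
-- group. A request with no master user is reported as "user unknown".
--
-- Returns a dovecot.auth.PASSDB_RESULT_* code and either a field table or an
-- error message. The "!" password is a placeholder: the master login already
-- carried the real credentials.
function auth_passdb_lookup(req)
  if not req.master_user then
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
  end

  local master = tostring(req.master_user)
  local target = tostring(req.user)

  -- The master name is interpolated into a shell command line below, so it
  -- must not carry shell metacharacters (or a leading '-', which /bin/groups
  -- would read as an option). Letters, digits, '.', '_' and '-' are allowed;
  -- anything else is refused before it can reach the shell.
  if not master:match("^[%w%._][%w%._%-]*$") then
    req:log_info("Rejecting master user name with unexpected characters: " .. master)
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid master user name"
  end

  req:log_info("Looking for groups for " .. master)
  -- Single quotes are a second layer of defence on top of the charset check.
  local handle = io.popen("/bin/groups '" .. master .. "'")
  if not handle then
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Cannot run /bin/groups"
  end
  local output = handle:read("*a") or ""
  handle:close()

  req:log_debug("Searching " .. target .. " in found groups " .. output)

  -- Compare whole whitespace-separated tokens, so a group such as
  -- "mail-admins" grants "mail-admins" only and is never mistaken for a group
  -- named "mail". If groups prints a "<master> :" prefix, those tokens can
  -- only match when the target is the master itself or ":", which is harmless.
  for group in output:gmatch("%S+") do
    if group == target then
      return dovecot.auth.PASSDB_RESULT_OK, { password = "!" }
    end
  end

  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
end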
-- Bien cordialement, / Plej kore,
Stéphane Veyret
I managed to make it work. In case other people want to do the same, the trick was to use the master user concept, as suggested by Aki Tuomi, together with a Lua script that checks whether the authenticated master user is allowed to open the requested (shared) mailbox. Be aware that the script hands the master user name to a shell (`/bin/groups`), so it must only run after the master user has been authenticated, and the name should be validated before it reaches the shell. My configuration looks like this:
# Master passdb: authenticates the master user (the account whose password is
# actually supplied) against PAM. result_success = continue hands the request
# on to the following passdbs instead of stopping here.
passdb pam_master {
driver = pam
master = yes
result_success = continue
}
# Ordinary logins (no master user) are verified against PAM as usual.
passdb pam {
}
# Lua passdb: decides whether the master user may open the requested mailbox
# (the script treats the requested user name as a Unix group of the master
# user). A failure or internal error stops the lookup (return-fail), so a
# denied request never reaches the LDAP passdb below; a success continues.
passdb lua {
lua_file = /etc/dovecot/master-auth.lua
result_failure = return-fail
result_internalfail = return-fail
result_success = continue-ok
}
# LDAP passdb: shared-mailbox "users" are the group entries under ou=Group.
# The fixed password {SHA1}IQ== is base64 for the single byte "!", not a
# 20-byte SHA-1 digest, so it can never verify any password: a group mailbox
# can only be opened through a master login, never with a password of its own.
passdb ldap {
ldap_base = ou=Group,dc=example,dc=com
fields {
password = {SHA1}IQ==
user = %{ldap:cn}
}
filter = (cn=%{user | username})
}
and the lua script:
-- Called once when Dovecot loads this script. Nothing needs initialising;
-- a zero return value reports that loading succeeded.
function script_init()
  local status = 0
  return status
end
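-- Passdb lookup hook: decide whether a master user may open a shared mailbox.
--
-- Called for the target user (req.user) of a master-user login. The master
-- user (req.master_user) is expected to have been verified by the master
-- passdb already; here the target user name is treated as a Unix group name
-- and access is granted only if /bin/groups lists the master user in that
-- group. A request with no master user is reported as "user unknown".
--
-- Returns a dovecot.auth.PASSDB_RESULT_* code and either a field table or an
-- error message. The "!" password is a placeholder: the master login already
-- carried the real credentials.
function auth_passdb_lookup(req)
  if not req.master_user then
    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
  end

  local master = tostring(req.master_user)
  local target = tostring(req.user)

  -- The master name is interpolated into a shell command line below, so it
  -- must not carry shell metacharacters (or a leading '-', which /bin/groups
  -- would read as an option). Letters, digits, '.', '_' and '-' are allowed;
  -- anything else is refused before it can reach the shell.
  if not master:match("^[%w%._][%w%._%-]*$") then
    req:log_info("Rejecting master user name with unexpected characters: " .. master)
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Invalid master user name"
  end

  req:log_info("Looking for groups for " .. master)
  -- Single quotes are a second layer of defence on top of the charset check.
  local handle = io.popen("/bin/groups '" .. master .. "'")
  if not handle then
    return dovecot.auth.PASSDB_RESULT_INTERNAL_FAILURE, "Cannot run /bin/groups"
  end
  local output = handle:read("*a") or ""
  handle:close()

  req:log_debug("Searching " .. target .. " in found groups " .. output)

  -- Compare whole whitespace-separated tokens, so a group such as
  -- "mail-admins" grants "mail-admins" only and is never mistaken for a group
  -- named "mail". If groups prints a "<master> :" prefix, those tokens can
  -- only match when the target is the master itself or ":", which is harmless.
  for group in output:gmatch("%S+") do
    if group == target then
      return dovecot.auth.PASSDB_RESULT_OK, { password = "!" }
    end
  end

  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "No such user"
end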
-- Bien cordialement, / Plej kore,
Stephane Veyret