[Dovecot] [IDEA] Shared Folders via LDAP Lookups
Hi All,
We've been thinking a lot about the 2 different ways dovecot implements shares: namespaces and symlinks.
We currently use the symlink version for our clients and they use the create_dovecot_shares.pl tool we did at:
Our idea is either in the namespace declaration or if a folder has a dovecot-shared file/symlink, have a ldap lookup defined in say, dovecot-ldap-shares.conf or dovecot-ldap.conf, that queries a dn and looks for memberUID or a group dn, then those uids/groups can get into the IMAP maildir.
Obviously the original folder would need to be owned by some predefined user, e.g. dovecot, etc.
Then it's just a simple matter of adding a new memberUID/group to the share listing.
We can do a custom dovecot.schema if needed (for say a dovecotShare attribute etc.), as long as we get dovecot a Private Enterprise Number from:
http://www.iana.org/cgi-bin/enterprise.pl
If Timo hasn't already got one, but I can't see one in:
http://www.iana.org/assignments/enterprise-numbers
Thoughts?
-- Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretecsystems.com
Open Source. Open Solutions(tm).
On Thu, 2006-11-30 at 14:55 +0000, Gavin Henry wrote:
Our idea is either in the namespace declaration or if a folder has a dovecot-shared file/symlink, have a ldap lookup defined in say, dovecot-ldap-shares.conf or dovecot-ldap.conf, that queries a dn and looks for memberUID or a group dn, then those uids/groups can get into the IMAP maildir.
I guess this could work as a simpler ACL plugin backend, if you only needed "all access" vs. "none access". Or the ACLs could be defined in LDAP as well. I'd rather not touch LDAP more than I have to, though. :)
I was also going to add support for defining multiple groups in dovecot-auth (either as plain names or name=GID lists to give access to multiple GIDs). Once that works, it's also possible to support group ACLs in the vfile ACL backend too.
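The mechanism Gavin proposes (look up a group entry, take its memberUid values, let exactly those users into the shared maildir), reduced to the "all access vs. none access" form Timo describes, as an added example that is not part of this thread, of Dovecot, or of the create_dovecot_shares.pl tool. It reads a group entry in LDIF form and writes a dovecot-acl file for the share. The LDIF entry, the group DN and the share directory are constructed placeholders; the `user=<name> <rights>` line format and the rights letters are those of Dovecot's vfile ACL backend.

```python
"""
Resolve LDAP share-group membership into a Dovecot vfile ACL file.

Added example, not Dovecot's own code: it takes a group entry (constructed
LDIF below), collects its memberUid values and writes <share>/dovecot-acl
granting every member the full right set, i.e. "all access vs. none".
"""
import os
import re
import tempfile

# Constructed sample entry: a posixGroup whose memberUid values name the users
# allowed into the share.  The DN and OU are placeholders, not a real schema.
SAMPLE_LDIF = """\
dn: cn=sales-share,ou=dovecotShares,dc=example,dc=com
objectClass: posixGroup
cn: sales-share
gidNumber: 5001
memberUid: alice
memberUid: bob
memberUid: alice
memberUid: carol
"""

# Dovecot ACL right letters: lookup, read, write, write-seen, write-deleted,
# insert, post, expunge, create, delete, admin.
FULL_RIGHTS = "lrwstipekxa"
VALID_RIGHT_LETTERS = set(FULL_RIGHTS)


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.

    Attribute names are compared case-insensitively (LDAP rules), repeated
    attributes become lists, and folded continuation lines (leading space)
    are joined back onto the previous line.  Base64 ('::') values are not
    handled; a directory export of plain uids does not need them.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def share_members(entry):
    """Sorted, de-duplicated memberUid values of a parsed group entry."""
    return sorted(set(entry.get("memberuid", [])))


def acl_lines(members, rights=FULL_RIGHTS):
    """Build dovecot-acl lines giving `rights` to each member.

    Only [A-Za-z0-9._-] user names are accepted, so a stray directory value
    cannot inject whitespace or a second identifier into the ACL file.
    """
    if not set(rights) <= VALID_RIGHT_LETTERS:
        raise ValueError("unknown ACL right letter in %r" % rights)
    lines = []
    for uid in members:
        if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
            raise ValueError("refusing suspicious memberUid %r" % uid)
        lines.append("user=%s %s" % (uid, rights))
    return lines


def acl_from_ldif(ldif_text, rights=FULL_RIGHTS):
    """Convenience: LDIF group entry text -> list of dovecot-acl lines."""
    return acl_lines(share_members(parse_ldif_entry(ldif_text)), rights)


def write_dovecot_acl(share_dir, lines):
    """Write lines to <share_dir>/dovecot-acl atomically (tmp file + rename),
    so IMAP sessions never read a half-written ACL.  Returns the path."""
    target = os.path.join(share_dir, "dovecot-acl")
    tmp = target + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, target)
    return target


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        path = write_dovecot_acl(share, acl_from_ldif(SAMPLE_LDIF))
        print(open(path).read())
```

Swapping a user into or out of the share is then exactly what Gavin asks for: add or remove a memberUid on the group entry and re-run the sync. Dropping the right set to e.g. `lr` for read-only members is the step from "all or nothing" towards the finer ACLs Timo mentions.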
I was also going to add support for defining multiple groups in dovecot-auth (either as plain names or name=GID lists to give access to multiple GIDs). Once that works, it's also possible to support group ACLs in the vfile ACL backend too.
Great! Definitely will make it easier to manage shared folders...
Any idea when this will show up? Is this a 2.x change, or maybe 1.x?
--
Best regards,
Charles
On Sun, 2006-12-03 at 09:51 -0500, Charles Marcus wrote:
I was also going to add support for defining multiple groups in dovecot-auth (either as plain names or name=GID lists to give access to multiple GIDs). Once that works, it's also possible to support group ACLs in the vfile ACL backend too.
Great! Definitely will make it easier to manage shared folders...
Any idea when this will show up? Is this a 2.x change, or maybe 1.x?
I'm not sure if the next version of Dovecot is called 1.2 or 2.0. :) In either case.. Well, it's not really a priority for me right now. The priority currently is to get the stuff working well that I've already mostly implemented to CVS HEAD.. Not sure what happens after that. :)
Timo Sirainen wrote:
> On Thu, 2006-11-30 at 14:55 +0000, Gavin Henry wrote:
>> Our idea is either in the namespace declaration or if a folder has a dovecot-shared file/symlink, have a ldap lookup defined in say, dovecot-ldap-shares.conf or dovecot-ldap.conf, that queries a dn and looks for memberUID or a group dn, then those uids/groups can get into the IMAP maildir.
>
> I guess this could work as a simpler ACL plugin backend, if you only needed "all access" vs. "none access". Or the ACLs could be defined in LDAP as well. I'd rather not touch LDAP more than I have to, though. :)
It would be excellent if the ACLs could be in LDAP too.
I'm thinking along the lines of how samba stores account flags in a directory, e.g. sambaAcctFlags: [U ]
We could add this to a dovecot.schema e.g.
dovecotACLflags:
etc.
> I was also going to add support for defining multiple groups in dovecot-auth (either as plain names or name=GID lists to give access to multiple GIDs). Once that works, it's also possible to support group ACLs in the vfile ACL backend too.
Excellent.