[Dovecot] Secondary groups from ldap
Jeff Hardy
hardyjm at potsdam.edu
Wed Sep 16 20:41:12 EEST 2009
On 09/15/2009 11:18 PM, Ian Levesque wrote:
> Hello,
>
> I'm trying to configure my user_attrs using LDAP as the userdb so that
> dovecot knows what secondary groups a user is a member of. The LDAP
> backend is an Open Directory implementation, which stores secondary
> group affiliations as memberUid attributes in
> cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
>
> With ldapsearch, my query would be:
>
> ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
>
> Is this possible to configure in Dovecot?
>
I needed the ability to authorize users against secondary groups like
yours that store membership in memberUid. The easiest way I found to do
so was to flip dovecot over to use checkpassword authentication, and
therefore my perl implementation of checkpassword (which auths against
ldap). The wiki has some config notes, but for example I use this:

passdb checkpassword {
  # Path for checkpassword binary
  args = /opt/bin/checkpassword-ldap.pl
}
userdb prefetch {
}
# for deliver
userdb passwd {
  args = blocking=yes
}

With the login process in perl, you can do whatever you want, including
checking secondary groups, setting variables prefetch-style
(userdb_uid), overriding settings per-user, etc. I would be happy to
share the perl I have hacked up to do this off list (not quite ready for
release).
-Jeff
--
Jeff Hardy
Systems Analyst
hardyjm at potsdam.edu
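
Added example, not part of the original post and not Jeff Hardy's Perl script: the secondary-group check of a checkpassword program, written here in Python, using Dovecot's checkpassword interface (credentials on fd 3, checkpassword-reply in argv[1]) and the ldapsearch query from the question. Assumptions: the group name in REQUIRED_GROUP, the caller-supplied verify_password callback that does the site's LDAP bind, and taking uid/gid/home from passwd.

```python
import os, pwd, subprocess, sys

BASE = "cn=groups,dc=dns,dc=name,dc=server"  # search base from the question
REQUIRED_GROUP = "mailusers"                 # hypothetical group name (assumption)
ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def parse_input(data):
    """Split the fd 3 payload: username NUL password NUL timestamp NUL."""
    fields = data.split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode(), fields[1].decode()

def member_filter(user):
    """Build (memberUid=<user>) with RFC 4515 escaping, so a login name
    such as '*' cannot widen the search to every group."""
    return "(memberUid=%s)" % "".join(ESC.get(c, c) for c in user)

def group_names(ldif):
    """Collect plain 'cn: value' lines from ldapsearch -LLL output
    (base64 'cn:: ' values are ignored here)."""
    return {l[4:].strip() for l in ldif.splitlines() if l.lower().startswith("cn: ")}

def reply_env(user, groups, uid, gid, home):
    """Environment handed to checkpassword-reply, or None to deny login."""
    if REQUIRED_GROUP not in groups:
        return None
    return {"USER": user, "HOME": home, "userdb_uid": str(uid),
            "userdb_gid": str(gid), "EXTRA": "userdb_uid userdb_gid"}

def main(verify_password):
    # verify_password(user, password) -> bool: the site's own LDAP bind (assumption)
    try:
        user, password = parse_input(os.fdopen(3, "rb").read())
    except ValueError:
        sys.exit(2)                              # malformed request
    if not verify_password(user, password):
        sys.exit(1)                              # authentication failed
    res = subprocess.run(["ldapsearch", "-x", "-LLL", "-b", BASE,
                          member_filter(user), "cn"], capture_output=True, text=True)
    if res.returncode != 0:
        sys.exit(111)                            # temporary failure
    pw = pwd.getpwnam(user)                      # uid/gid/home from passwd (assumption)
    env = reply_env(user, group_names(res.stdout), pw.pw_uid, pw.pw_gid, pw.pw_dir)
    if env is None:
        sys.exit(1)                              # not in the required group
    os.environ.update(env)
    os.execv(sys.argv[1], sys.argv[1:])          # argv[1] is checkpassword-reply
```

The variables named in EXTRA are what the prefetch userdb picks up, so no second LDAP lookup is needed at login.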