[Dovecot] Secondary groups from ldap

Jeff Hardy hardyjm at potsdam.edu
Wed Sep 16 20:41:12 EEST 2009


On 09/15/2009 11:18 PM, Ian Levesque wrote:
> Hello,
>
> I'm trying to configure my user_attrs using LDAP as the userdb so that
> dovecot knows what secondary groups a user is a member of. The LDAP
> backend is an Open Directory implementation, which stores secondary
> group affiliations as memberUid attributes in
> cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
>
> With ldapsearch, my query would be:
>
> ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
>
> Is this possible to configure in Dovecot?
>

I needed the ability to authorize users against secondary groups like 
yours that store membership in memberUid.  The easiest way I found to do 
so was to flip dovecot over to use checkpassword authentication, and 
therefore my perl implementation of checkpassword (which auths against 
ldap).  The wiki has some config notes, but for example I use this:

passdb checkpassword {
     # Path for checkpassword binary
     args = /opt/bin/checkpassword-ldap.pl
}

userdb prefetch {
}

# for deliver
userdb passwd {
     args = blocking=yes
}

With the login process in perl, you can do whatever you want, including 
checking secondary groups, setting variables prefetch-style 
(userdb_uid), overriding settings per-user, etc.  I would be happy to 
share the perl I have hacked up to do this off list (not quite ready for 
release).

-Jeff

--
Jeff Hardy
Systems Analyst
hardyjm at potsdam.edu
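
An added example of the checkpassword approach from the reply above, written in Python rather than Perl; it is not Jeff Hardy's script and not Dovecot's own code. The bind_ok and search callables, the "mailusers" group and the "vmail" uid are hypothetical stand-ins for the real LDAP calls and site values; the NUL-separated record on fd 3, exit codes 1 and 111, and the EXTRA variable follow the checkpassword interface.

```python
# RFC 4515 filter metacharacters and their escaped forms.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter(value):
    """Escape a value so a login name cannot change the filter's structure."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def member_filter(user, group):
    """Filter matching the group entry only if it lists user in memberUid."""
    return "(&(cn=%s)(memberUid=%s))" % (escape_filter(group), escape_filter(user))

def parse_checkpassword(blob):
    """Split the 'user NUL password NUL timestamp NUL' record read from fd 3."""
    fields = blob.split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")

def authorize(blob, bind_ok, search, group):
    """Return (exit_code, env): 0 allow, 1 deny, 111 temporary failure.

    bind_ok(user, password) and search(filter) are hypothetical callables
    wrapping the real LDAP bind and group search.
    """
    try:
        user, password = parse_checkpassword(blob)
    except (ValueError, UnicodeDecodeError):
        return 1, {}
    # An empty password would become an LDAP unauthenticated bind; deny it.
    if not user or not password:
        return 1, {}
    try:
        if not bind_ok(user, password) or not search(member_filter(user, group)):
            return 1, {}
    except OSError:  # directory unreachable: no login, reported as temporary
        return 111, {}
    # Prefetch-style variables; EXTRA names the ones Dovecot should read.
    # "vmail" is a constructed value, not taken from the thread.
    return 0, {"USER": user, "userdb_uid": "vmail", "EXTRA": "userdb_uid"}

if __name__ == "__main__":
    # Constructed demo: in-memory stand-ins for the LDAP bind and search.
    members = {"(&(cn=mailusers)(memberUid=ian))": ["cn=mailusers"]}
    code, env = authorize(b"ian\0s3cret\0" + b"0\0",
                          lambda u, p: (u, p) == ("ian", "s3cret"),
                          lambda f: members.get(f, []), "mailusers")
    print(code, env)
```

In a deployed script, a result of 0 means exporting the returned variables and exec'ing the reply program Dovecot passes as the first argument; any other code is the script's exit status.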
