[Dovecot] Secondary groups from ldap

Ian Levesque ian at crystal.harvard.edu
Thu Sep 17 16:31:08 EEST 2009


On Sep 16, 2009, at 9:16 PM, Timo Sirainen wrote:

> On Sep 16, 2009, at 5:18 AM, Ian Levesque wrote:
>
>> I'm trying to configure my user_attrs using LDAP as the userdb so  
>> that dovecot knows what secondary groups a user is a member of. The  
>> LDAP backend is an Open Directory implementation, which stores  
>> secondary group affiliations as memberUid attributes in  
>> cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
>
> Do you mean memberGid? Also is it only secondary groups, the primary  
> group is somewhere else?

No, the way that OD handles secondary group affiliations is through a  
"groups" cn that lists "memberUid"s that are in the group. I've seen  
LDAP implementations that provide secondary group IDs in the "user"  
cn, which is indeed a lot easier to query.


>> With ldapsearch, my query would be:
>>
>> ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server  
>> "(memberUid=ian)" cn
>>
>> Is this possible to configure in Dovecot?
>
>
> Hmm. Looking at the code if you do:
>
> user_attrs = memberGid=gid
>
> then it should set "gid=123,345,456" field. You could verify that  
> this gets returned by setting auth_debug=yes. But .. I can't really  
> see where that code would actually be used, since it looks like only  
> the first GID is actually used. Try anyway how far you can get. :)

Well, if dovecot doesn't use secondary groups, maybe I'm  
misunderstanding a problem we're having. Basically, I'm trying to  
configure a shared mailbox. The two users sharing the mailbox are in  
the same secondary group. The mailbox itself is 770 but the users  
can't access the mailbox, and dovecot complains:

	stat(/path/to/.mailbox/tmp) failed: Permission denied (euid=2637 
(username) egid=20(staff) missing +x perm: /path/to/.mailbox)

	$ ls -al /path/to/.mailbox
	.archive -> /path/to/shared/.mailbox

	$ ls -ald /path/to/shared/.mailbox
	drwxrwx--- 5 root tech 172 Sep 16 11:10 /path/to/shared/.mailbox

I assumed this is because dovecot's not recognizing the secondary  
group "tech" properly; did I misinterpret the error?

Best,
Ian
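An added example, not part of this thread or of Dovecot's code, that models the permission failure Ian quotes: it parses the euid/egid out of the Dovecot log line, splits the "gid=123,345,456" userdb field Timo describes, and applies the Unix directory-traversal check to show why egid=20(staff) alone is denied on a root:tech 770 directory and passes only when "tech" is among the supplementary groups. The gid of "tech" (1001) and the exact log text are constructed assumptions, since the post does not give them.

```python
import re

# Constructed sample values: the post does not show the gid of "tech",
# so 1001 is assumed; "staff" is gid 20 as the quoted error states.
TECH_GID = 1001
STAFF_GID = 20
ROOT_UID = 0

# Dovecot's "Permission denied" message names the effective uid/gid it ran with.
ERR_RE = re.compile(r"euid=(\d+)\s*\(([^)]*)\)\s*egid=(\d+)\s*\(([^)]*)\)")

def parse_dovecot_error(line):
    """Return (euid, egid) from a Dovecot 'Permission denied' log line."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("no euid/egid in line")
    return int(m.group(1)), int(m.group(3))

def parse_gid_field(field):
    """Split a 'gid=123,345,456' userdb field into a list of ints."""
    name, _, value = field.partition("=")
    if name != "gid" or not value:
        raise ValueError("expected gid=<comma-separated list>")
    return [int(g) for g in value.split(",")]

def can_traverse(dir_uid, dir_gid, mode, euid, egid, supplementary=()):
    """Unix search (+x) check on a directory for the given identity.
    root bypasses it; otherwise owner class if euid matches, group class if
    the directory's gid is the egid or any supplementary gid, else other."""
    if euid == 0:
        return True
    if euid == dir_uid:
        bit = 0o100
    elif dir_gid == egid or dir_gid in set(supplementary):
        bit = 0o010
    else:
        bit = 0o001
    return bool(mode & bit)

# Constructed log line echoing the post's error (path and names illustrative).
SAMPLE = ("stat(/path/to/.mailbox/tmp) failed: Permission denied (euid=2637"
          "(username) egid=20(staff) missing +x perm: /path/to/.mailbox)")

def diagnose(log_line, dir_uid, dir_gid, mode, supplementary=()):
    """True if the identity in the log line could traverse the directory."""
    euid, egid = parse_dovecot_error(log_line)
    return can_traverse(dir_uid, dir_gid, mode, euid, egid, supplementary)

if __name__ == "__main__":
    print(diagnose(SAMPLE, ROOT_UID, TECH_GID, 0o770))             # False
    print(diagnose(SAMPLE, ROOT_UID, TECH_GID, 0o770, [TECH_GID]))  # True
```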

