[Dovecot] Ldap and secondary PosixGroups

Joseba Torre joseba.torre at ehu.es
Thu Feb 3 12:40:32 EET 2011


On Thursday 03 February 2011, Matthieu Ambrosy <matthieu.ambrosy at gmail.com> 
wrote:
> I'm using "Pam Ldap" for my users (Debian Lenny).
> 
> getent passwd :
> m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash
> 
> getent group :
> l_admin:*:2000:m.ambrosy
> l_personnel:*:2001:m.ambrosy
> l_mail:*:2003:m.ambrosy
> 
> As you can see, in LDAP, user "m.ambrosy" (PosixAccount) is defined with
> gidNumber = 100 (local group "users") and uidNumber = 2000.
> Furthermore, this user belongs to 3 secondary LDAP PosixGroups (l_admin 2000,
> l_personnel 2001, l_mail 2003).
> 
> If /var/mail belongs to the primary group (100), no problem.
> If /var/mail belongs to l_mail (2003) :
> mkdir(/var/mail/m.ambrosy) failed: Permission denied (euid=2000(m.ambrosy)
> egid=100(users) missing +w perm: /var/mail, euid is not dir owner
> 
> In fact, Dovecot does not seem to see the secondary groups of my user. It just
> checks the primary group (gidNumber).
> 
> If I modify my LDAP user like this, getent passwd :
> m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash
> 
> It works fine, but my "l_mail" group must be secondary (like an option for
> some users), not the primary gidNumber. Can I do it in the conf file?

A more flexible solution could be using direct LDAP for Dovecot instead of 
PAM. It would be easier if you posted your actual setup, but I guess that if you 
check whether the user is a member of the l_mail group in the pass_filter, and then 
force 2003 as the gid in the userdb, everything should work.

Bye,
-- 
Joseba Torre. Vicegerencia de TICs, área de Explotación
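A sketch of the direct-LDAP setup suggested in the reply above, added here as an example and not taken from the thread or from the Dovecot project: the pass_filter only admits members of l_mail, and the userdb hands Dovecot gid 2003 instead of the account's gidNumber. The hostname, DNs and bind account are placeholders; membership is assumed to be published on the user entry by the memberOf overlay (a plain posixGroup keeps memberUid on the group entry, which a user-based filter cannot see), and the `=gid=2003` static-value syntax assumes Dovecot 2.1 or newer.

```conf
# /etc/dovecot/dovecot-ldap.conf.ext (illustrative; hostname, DNs and bind
# account are placeholders, not values from the original thread)
hosts = ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = PLACEHOLDER_BIND_PASSWORD
auth_bind = yes
base = ou=people,dc=example,dc=org
scope = subtree

# passdb: only accounts that are members of l_mail may log in.
# Assumes the memberOf overlay exposes group membership on the user entry.
pass_attrs = uid=user
pass_filter = (&(objectClass=posixAccount)(uid=%u)(memberOf=cn=l_mail,ou=groups,dc=example,dc=org))

# userdb: uid and home come from LDAP, but gid is forced to 2003 (l_mail)
# instead of the account's gidNumber (100), so a /var/mail owned by l_mail
# is writable. "=gid=2003" is the static-value form (Dovecot 2.1+); on older
# versions leave gid out here and set mail_gid = 2003 in dovecot.conf instead.
user_attrs = homeDirectory=home,uidNumber=uid,=gid=2003
user_filter = (&(objectClass=posixAccount)(uid=%u))
```

After loading it, `doveadm user m.ambrosy` shows the uid/gid/home the userdb returns, which is the quickest check that gid 2003 is actually being applied.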
