[Dovecot] Public folders and groups

Ben Morrow ben at morrow.me.uk
Fri Oct 26 11:54:56 EEST 2012


At 1PM -0700 on 25/10/12 b m wrote:
>  From: Jan Phillip Greimann <jg at softjury.de>
>> Am 25.10.2012 00:13, schrieb b m:
>>
>> > Currently I have dovecot working with Active Directory
>> > authentication and public folders with acl. In acl I have the users
>> > I want to access the public folders. It'll be easier for me to use
>> > one group instead of 50 users but I can't get it to work. From where
>> > does dovecot get the "group" attribute for a user? Can it read the
>> > groups that a user belongs to from AD?
>>
>> ACL groups support works by returning a comma-separated acl_groups
>> extra field from userdb, which contains all the groups the user
>> belongs to.
>> 
>> It seems to be possible, I had an acl_groups field in my MySQL
>> Database for this, I'm sure it is something like that in an AD too.
>
> No, AD doesn't have such a field, but I could use some unused field to
> get what I want. Let's say set "Attribute1" to "group1". The problem
> is how to get that info. I guess I have to edit dovecot-ldap.conf and
> put in user_attrs something like that ",=acl_groups=Attribute1". Any
> suggestions?

That's the wrong way around. Assuming you created an 'imapGroups'
attribute containing a comma-separated list of IMAP groups, you would
want to add 'imapGroups=acl_groups' to user_attrs.

Alternatively, if you don't want to duplicate the information in the
LDAP directory, you can use post-login scripting to set up the groups
list (see http://wiki2.dovecot.org/PostLoginScripting). If you have your
system set up with nss_ldap or winbind so that AD users show up as
system users with their proper groups, the example on the wiki using the
'groups' command will work. Otherwise, you can pull the information
directly from LDAP, something like

    #!/bin/sh
    # Dovecot post-login script: look up the user's AD group memberships
    # and hand them to Dovecot as the acl_groups userdb field.

    # do_ldap OBJECTCLASS FILTER ATTR: print ATTR of every entry matching
    # (&(objectClass=OBJECTCLASS)(FILTER)). ldapsearch prints LDIF, so a
    # long value folded onto a continuation line, or a non-ASCII value
    # written as "attr:: <base64>", will not match this sed pattern.
    do_ldap () {
        /usr/local/bin/ldapsearch -h <PDC> \
            "(&(objectClass=$1)($2))" $3 \
            | sed -ne "s/^$3: //p"
    }

    # $USER is the login name Dovecot passes to post-login scripts. The DN
    # goes into the second filter unescaped; escape it if your DNs can
    # contain ( ) * or \.
    user_dn="$(do_ldap User "sAMAccountName=$USER" dn)"
    ACL_GROUPS="$(do_ldap Group "member=$user_dn" cn | paste -sd, -)"

    # Export the list, tell Dovecot to read it back as a userdb field,
    # then hand over to the real IMAP process.
    export ACL_GROUPS
    export USERDB_KEYS="$USERDB_KEYS acl_groups"
    exec "$@"

Obviously you will need to adjust the path and connection parameters for
ldapsearch to suit your environment; also, I don't use AD, so you may
need to adjust the LDAP search. (If you prefer it might be easier to do
this in Perl or Python or something rather than shell.)

Ben
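As an added example (not Ben's script, nor anything from the Dovecot project), here are helper functions for such a post-login script: RFC 4515 escaping for the DN or username before it is placed in a search filter, and an LDIF reader that copes with folded and base64-encoded values, which the one-line sed above does not. The ldapsearch connection parameters are assumed and left out; a constructed LDIF sample stands in for its output.

```shell
#!/bin/sh
# Added example, not Ben's script: helpers for a Dovecot post-login script that
# derives ACL_GROUPS from AD group membership. Handles what a plain sed misses:
# LDIF folds long values and base64-encodes non-ASCII ones, and a DN or
# username inserted into a search filter must be escaped (RFC 4515).
# Escape one value for use inside an LDAP filter so '(', ')', '*' and '\'
# in a username or DN cannot change what the filter matches.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print every value of attribute $1 from LDIF on stdin, after unfolding
# continuation lines (leading space) and decoding base64 ("attr::") values.
ldif_values() {
    awk -v attr="$1" '
        function emit(line,   v, cmd) {
            if (substr(line, 1, length(attr) + 2) == (attr "::")) {
                v = substr(line, length(attr) + 3); sub(/^ +/, "", v)
                cmd = "printf %s " v " | base64 -d"  # base64 text is shell-safe
                cmd | getline v; close(cmd); print v
            } else if (substr(line, 1, length(attr) + 1) == (attr ":")) {
                v = substr(line, length(attr) + 2); sub(/^ +/, "", v); print v
            }
        }
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") emit(buf); buf = $0 }
        END  { if (buf != "") emit(buf) }'
}

# cn values of the groups matching "member=<user dn>", joined into the
# comma-separated list Dovecot expects in the acl_groups userdb field.
acl_groups_from_ldif() {
    ldif_values cn | paste -sd, -
}

# Constructed LDIF standing in for ldapsearch output so this runs offline:
# a plain entry, one with a folded cn, and one base64-encoded ("Täst").
SAMPLE_LDIF='dn: CN=Mail Admins,OU=Groups,DC=example,DC=test
cn: Mail Admins

dn: CN=Sales,OU=Groups,DC=example,DC=test
cn: Sal
 es

dn:: Q049VMOkc3QsT1U9R3JvdXBzLERDPWV4YW1wbGUsREM9dGVzdA==
cn:: VMOkc3Q='
# For real use, replace SAMPLE_LDIF with ldapsearch output for the filter
# "(&(objectClass=group)(member=$(ldap_filter_escape "$user_dn")))" and cn.
printf '%s\n' "$SAMPLE_LDIF" | acl_groups_from_ldif
```

The last line prints `Mail Admins,Sales,Täst`, the value a real script would export as ACL_GROUPS before exec'ing the IMAP process.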
