[Dovecot] Quota based on LDAP group

Pavel Herrmann morpheus.ibis at gmail.com
Tue Jun 25 00:05:38 EEST 2013


On Monday 24 of June 2013 23:01:54 Timo Sirainen wrote:
> On 24.6.2013, at 16.35, Pavel Herrmann <morpheus.ibis at gmail.com> wrote:
> > I have a setup where my dovecot (2.0, if that makes a difference)
> > authenticates against an LDAP directory. In my scenario, I have two types
> > of users, let's call them "normal" and "privileged". What I need is for
> > the normal user to have a fixed quota, but for the privileged to have
> > none. (The users do not exist on the underlying system, so I can't do
> > quota based on FS)
> > 
> > The issue is that my LDAP is actually an AD, and there is a fair amount of
> > new accounts over time (in other words, I cannot use LDAP attribute
> > for storing quota, because the AD tools don't understand it, and I would
> > have to add it manually for each new account).
> > 
> > The approach I had in mind is using quota based on user group (I do have
> > groups representing both normal and privileged users), but I cannot find
> > a way to set it up in dovecot.
> > Am I missing something or does dovecot not support LDAP groups as
> > attribute source?
> 
> Sounds like you need to do two LDAP lookups and merge them. That requires
> Dovecot v2.2.

Sure, I am open to upgrading, if it solves the issue.

I would actually need more than 2 requests, as AD supports recursive groups (a 
group being a member of another group), which I do use.

One possible issue is that what I can see on the wiki does not really 
work with how groups in LDAP usually work. What I would need is the opposite 
direction - locate a group that has a "member=myUserDn" attribute, look whether 
it has a quota attribute set, and if not, use the group DN as myUserDn and repeat 
the search.
Granted, AD has a backlink "memberOf" attribute, but I am still left with 
recursively looking up whether the group has a quota attribute, and whether it 
is a member of another group (cyclic membership is not possible AFAIK). Is 
this possible with Dovecot 2.2?

thanks
Pavel Herrmann
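
The reverse-direction lookup described in the message above, as an added example that is not part of the original post and is not Dovecot functionality: it walks upward from the user through groups found by a `member=<dn>` search and stops at the nearest group that carries a quota. The in-memory directory, the DNs, the `quota` attribute name and the value `0` for "no limit" are all assumptions made up for the illustration; a cycle guard is included even though the post expects no cyclic membership.

```python
# Constructed sample directory: group DN -> attributes. The "quota" attribute
# name, its values ("0" standing for no limit) and all DNs are assumptions.
DIRECTORY = {
    "cn=mail-normal": {"member": ["cn=alice"], "quota": "1G"},
    "cn=mail-privileged": {"member": ["cn=it-admins"], "quota": "0"},
    "cn=it-admins": {"member": ["cn=bob"]},           # nested, no quota of its own
    "cn=loop-a": {"member": ["cn=dave", "cn=loop-b"]},  # deliberately cyclic pair
    "cn=loop-b": {"member": ["cn=loop-a"]},
}


def groups_containing(dn, directory):
    """Stand-in for an LDAP search with the filter (member=<dn>)."""
    return sorted(g for g, a in directory.items() if dn in a.get("member", []))


def resolve_quota(user_dn, directory, max_depth=10):
    """Return (group_dn, quota) from the nearest group that sets a quota, or None."""
    seen = {user_dn}          # DNs already expanded; stops cycles and repeats
    frontier = [user_dn]      # DNs whose parent groups are looked up this round
    for _ in range(max_depth):
        found, parents = [], []
        for dn in frontier:
            for group in groups_containing(dn, directory):
                if group in seen:
                    continue
                seen.add(group)
                if "quota" in directory[group]:
                    found.append((group, directory[group]["quota"]))
                else:
                    parents.append(group)  # no quota here: repeat with the group DN
        if found:
            return found[0]   # ties at the same depth resolve by DN sort order
        if not parents:
            return None       # reached the top without finding a quota
        frontier = parents
    return None               # depth limit hit; treat as "no quota found"


if __name__ == "__main__":
    for user in ("cn=alice", "cn=bob", "cn=carol", "cn=dave"):
        print(user, resolve_quota(user, DIRECTORY))
```

Each round costs one directory search per DN in the frontier, so deep nesting multiplies the lookups done per login.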
