[SOLVED] Re: LMTP Post login script for acl_groups

Aki Tuomi aki.tuomi at open-xchange.com
Thu Aug 29 12:23:18 EEST 2019


On 29.8.2019 12.18, R.N.S. via dovecot wrote:
>
>> On 28.08.2019 at 20:02, Aki Tuomi via dovecot <dovecot at dovecot.org> wrote:
>>
>>
>>> On 28/08/2019 21:01 R.N.S. via dovecot <dovecot at dovecot.org> wrote:
>>>
>>>
>>>> On 28.08.2019 at 19:46, Jakobus Schürz via dovecot <dovecot at dovecot.org> wrote:
>>>>
>>>> I think I had the same problem as you.
>>>>
>>>> When dovecot runs lmtp, no user is logged in, so there is no user from
>>>> which you can get groups. So I think my solution is (not really sure
>>>> if this is right, it's a long time ago, I played around) this transport
>>>> in exim for local delivery
>>>>
>>>> dovecot_delivery:
>>>>  debug_print = "T: dovecot_delivery_pipe for $local_part@$domain translates to GET_LOCAL_MAIL"
>>>>  driver = pipe
>>>>  command = /usr/lib/dovecot/deliver -d "GET_LOCAL_MAIL"
>>>>  message_prefix =
>>>>  message_suffix =
>>>>  delivery_date_add
>>>>  envelope_to_add
>>>>  return_path_add
>>>>  log_output
>>>>  user = MAILUSER
>>>>  group = MAILUSER
>>>>
>>>> I have a really sophisticated setup with ldap... so GET_LOCAL_MAIL and
>>>> MAILUSER are macros which get the email address and the mailuser for the
>>>> receiving email address.
>>>>
>>>> GET_LOCAL_MAIL could be $local_part@$domain
>>>> MAILUSER is vmail in my setup, the user who owns all mailboxes
>>>>
>>>> /usr/lib/dovecot/deliver is an alternative for the lmtp-delivery.
>>> Unfortunately this way Postfix and Dovecot need to run on the same host.
>>>
>>> I wonder if this is an LMTP or Sieve issue. Maybe something can be done in the sieve configuration to solve this?
>>>
>>> Is there nobody from @Dovecot who could give some feedback :-) please :-)
>>>
>>> Thanks
>>>
>>> Christian
>> It could be possible to solve this with an auth Lua script that would allow returning the acl groups as a string, instead of using a post-login script.
> I finally got it working with Lua.
>
> Changes to the auth-ldap.conf.ext file:
> --------------------------------------------------
> userdb {
>   driver = ldap
>   args = /etc/dovecot/dovecot-ldap.conf.ext
>
>   # Fetch acl_groups from LDAP with the Lua userdb script
>   skip = never
>   result_success = continue
>   result_failure = return-fail
>
>   # Default fields can be used to specify defaults that LDAP may override
>   #default_fields = home=/home/virtual/%u
> }
> --------------------------------------------------
>
> I created this auth-lua.conf.ext:
> --------------------------------------------------
> # https://wiki.dovecot.org/AuthDatabase/Lua
>
> userdb {
>    driver = lua
>    args = file=/etc/dovecot/dovecot-auth-userdb.lua  blocking=yes
> }
> --------------------------------------------------
>
> I added it in 10-auth.conf behind the LDAP auth include statement.
>
> The Lua script looks like this:
> --------------------------------------------------
> require('io')
>
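> function auth_userdb_lookup(req)
>   local bindpwfile = "/etc/dovecot/ldap-auth-userdb.secret"
>   local base = "ou=people,ou=it,dc=roessner-net,dc=de"
>   local binddn = "cn=dovecot," .. base
>
>   -- req.user is pasted into a shell command below, so accept only characters
>   -- that are inert both in the shell and in an LDAP search filter
>   if not req.user:match("^[%w%.%-_@+]+$") then
>     return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid user name"
>   end
>
>   -- Fetch the user's rnsMSACLGroup values and join them with commas
>   local cmd = [=[
>     /bin/sh -c "ldapsearch -LLL -ZZ -y $bindpwfile -xD $binddn -b $base '(rnsMSDovecotUser=$user)' rnsMSACLGroup | \
>       grep rnsMSACLGroup | \
>       awk -vORS=, '{ print \$2 }' | \
>       sed 's/,$/\n/'"
>   ]=]
>
>   -- Fill in the $name placeholders; names missing from the table (such as $2) stay as they are
>   cmd = cmd:gsub('$(%w+)', { bindpwfile = bindpwfile })
>   cmd = cmd:gsub('$(%w+)', { binddn = binddn })
>   cmd = cmd:gsub('$(%w+)', { base = base })
>   cmd = cmd:gsub('$(%w+)', { user = req.user })
>
>   local handle = io.popen(cmd)
>   if not handle then
>     return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "cannot run ldapsearch"
>   end
>   local acl_groups = handle:read("*a")
>   handle:close()
>
>   return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. acl_groups
> end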
>
> function script_init()
>   return 0
> end
>
> function script_deinit()
> end
>
> -- vim: expandtab ts=2 sw=2
> --------------------------------------------------
>
> And this works for me :-)
>
> Many thanks
>
> Christian

There really is no LDAP module for your LUA?

Aki
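
The lookup from the quoted script, restructured as an added example (not code from the thread or from Dovecot): every ldapsearch argument is shell-quoted, the user name is escaped for the LDAP filter, and the LDIF output is parsed in Lua instead of through grep/awk/sed. The helper names and the sample inputs at the end are assumptions made for illustration; the DNs, attribute names and secret path are the ones from the post.

```lua
-- Added example, not the poster's code. DNs, attribute names and the secret
-- path are taken from the post; the sample inputs at the end are constructed.
local BINDPWFILE = "/etc/dovecot/ldap-auth-userdb.secret"
local BASE = "ou=people,ou=it,dc=roessner-net,dc=de"
local BINDDN = "cn=dovecot," .. BASE

-- RFC 4515: escape filter metacharacters and control bytes as \XX.
local function ldap_filter_escape(s)
  return (s:gsub("[%c\\%*%(%)]", function(c) return ("\\%02x"):format(c:byte()) end))
end

-- POSIX sh: wrap in single quotes; an embedded ' becomes '\''.
local function sh_quote(s)
  return "'" .. s:gsub("'", "'\\''") .. "'"
end

local function build_cmd(user)
  local args = { "ldapsearch", "-LLL", "-ZZ", "-x", "-y", BINDPWFILE,
    "-D", BINDDN, "-b", BASE,
    "(rnsMSDovecotUser=" .. ldap_filter_escape(user) .. ")", "rnsMSACLGroup" }
  for i = 1, #args do args[i] = sh_quote(args[i]) end
  return table.concat(args, " ")
end

-- Keep "rnsMSACLGroup: value" lines. Base64 ("::") values and values with commas,
-- whitespace or control bytes are dropped so one value cannot become several.
local function parse_groups(ldif)
  local groups = {}
  for line in ldif:gmatch("[^\r\n]+") do
    local v = line:match("^rnsMSACLGroup: (.+)$")
    if v and not v:find("[,%s%c]") then groups[#groups + 1] = v end
  end
  return table.concat(groups, ",")
end

function auth_userdb_lookup(req)
  if type(req.user) ~= "string" or req.user == "" or req.user:find("%c") then
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "invalid user name"
  end
  local handle = io.popen(build_cmd(req.user))
  if not handle then return dovecot.auth.USERDB_RESULT_INTERNAL_FAILURE, "popen failed" end
  local ldif = handle:read("*a")
  handle:close()
  return dovecot.auth.USERDB_RESULT_OK, "acl_groups=" .. parse_groups(ldif)
end

if not rawget(_G, "dovecot") then -- stand-alone run on constructed input
  print(build_cmd("o'brien (ext)*"))
  print(parse_groups("rnsMSACLGroup: staff\nrnsMSACLGroup: a b\nrnsMSACLGroup: ops\n"))
end
```

Run outside Dovecot with a plain `lua` interpreter, the last block prints the quoted command line and the joined group list without contacting an LDAP server.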


