Hello all,

I'm using "Pam Ldap" for my users (Debian Lenny).

getent passwd :
m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash

getent group :
l_admin:*:2000:m.ambrosy
l_personnel:*:2001:m.ambrosy
l_mail:*:2003:m.ambrosy

As you can see, in LDAP, user "m.ambrosy" (PosixAccount) is defined with gidNumber = 100 (local group "users") and uidNumber = 2000. Furthermore this user belongs to 3 secondary LDAP PosixGroups (l_admin 2000, l_personnel 2001, l_mail 2003).

If /var/mail belongs to the primary group (100), no problem.
If /var/mail belongs to l_mail (2003) :
mkdir(/var/mail/m.ambrosy) failed: Permission denied (euid=2000(m.ambrosy) egid=100(users) missing +w perm: /var/mail, euid is not dir owner

In fact, Dovecot seems to not see secondary groups for my user. It just checks the primary group (gidNumber).

If I modify my LDAP user like this, getent passwd :
m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash
It works fine, but my "l_mail" group must be secondary (like an option for some users), not the primary gidNumber. Can I do it in the conf file?

Am I making myself clear?

Regards,
Matthieu.
On Thursday 03 February 2011, Matthieu Ambrosy <matthieu.ambrosy at gmail.com> wrote:
> I'm using "Pam Ldap" for my users (Debian Lenny).
>
> getent passwd :
> m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash
>
> getent group :
> l_admin:*:2000:m.ambrosy
> l_personnel:*:2001:m.ambrosy
> l_mail:*:2003:m.ambrosy
>
> As you can see, in LDAP, user "m.ambrosy" (PosixAccount) is defined with
> gidNumber = 100 (local group "users") and uidNumber = 2000.
> Furthermore this user belongs to 3 secondary LDAP PosixGroups (l_admin 2000,
> l_personnel 2001, l_mail 2003).
>
> If /var/mail belongs to the primary group (100), no problem.
> If /var/mail belongs to l_mail (2003) :
> mkdir(/var/mail/m.ambrosy) failed: Permission denied (euid=2000(m.ambrosy)
> egid=100(users) missing +w perm: /var/mail, euid is not dir owner
>
> In fact, Dovecot seems to not see secondary groups for my user. It just
> checks the primary group (gidNumber).
>
> If I modify my LDAP user like this, getent passwd :
> m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash
> It works fine, but my "l_mail" group must be secondary (like an option for
> some users), not the primary gidNumber. Can I do it in the conf file?

One more flexible solution could be to use direct LDAP for Dovecot instead of PAM. It may be easier if you posted your actual setup, but I guess that if you check whether the user is a member of the l_mail group in the pass_filter, and then force 2003 as the gid in the userdb, everything should work.

Bye,
--
Joseba Torre. Vicegerencia de TICs, Área de Explotación
On Thu, 2011-02-03 at 10:34 +0100, Matthieu Ambrosy wrote:
> I'm using "Pam Ldap" for my users (Debian Lenny).
>
> getent passwd :
> m.ambrosy:x:2000:100:m.ambrosy:/home/m.ambrosy:/bin/bash
>
> getent group :
> l_admin:*:2000:m.ambrosy
> l_personnel:*:2001:m.ambrosy
> l_mail:*:2003:m.ambrosy

These are NSS lookups, not PAM.

> In fact, Dovecot seems to not see secondary groups for my user. It just
> checks the primary group (gidNumber).

Assuming you're using userdb passwd, it should have set the secondary groups. dovecot -n output could have been helpful though.

> If I modify my LDAP user like this, getent passwd :
> m.ambrosy:x:2000:2003:m.ambrosy:/home/m.ambrosy:/bin/bash
> It works fine, but my "l_mail" group must be secondary (like an option for
> some users), not the primary gidNumber. Can I do it in the conf file?

You could also set mail_access_groups = l_mail.
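The two suggestions in the reply above (userdb passwd so the NSS secondary groups are applied, and mail_access_groups as a fallback) written out as a dovecot.conf fragment. This is an added illustration, not configuration posted in the thread; it assumes Dovecot 1.x configuration syntax (the version Lenny ships) and that /var/mail is owned by root:l_mail with mode 0770.

```conf
# dovecot.conf fragment (added example; assumes Dovecot 1.x syntax)

auth default {
  # Authentication stays with PAM. User lookup goes through NSS (the
  # libnss-ldap setup behind "getent passwd" above), so userdb passwd
  # returns uid 2000 / gid 100 and Dovecot applies the account's secondary
  # groups l_admin, l_personnel and l_mail to the mail process.
  passdb pam {
  }
  userdb passwd {
  }
}

# Assumed layout: /var/mail is root:l_mail 0770, one Maildir per user.
mail_location = maildir:/var/mail/%u

# Fallback for accounts whose NSS lookup does not return l_mail: every mail
# process gets l_mail as a supplementary group, without changing the
# user's primary gidNumber in LDAP.
#
# Defensive note: because all mail processes then carry l_mail, keep each
# user's own directory owner-only (0700) so the shared group grants access
# to /var/mail itself, not to other users' mailboxes.
mail_access_groups = l_mail
```

Check the result with `dovecot -n` and then a login for m.ambrosy: the earlier "missing +w perm: /var/mail" error should no longer appear, and the new directory should be created under /var/mail with uid 2000.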