Hello,

I'm trying to configure my user_attrs using LDAP as the userdb so that dovecot knows what secondary groups a user is a member of. The LDAP backend is an Open Directory implementation, which stores secondary group affiliations as memberUid attributes in cn=groupname,cn=groups,dc=dns,dc=name,dc=server.

With ldapsearch, my query would be:

  ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn

Is this possible to configure in Dovecot?

Thanks,
Ian
On 09/15/2009 11:18 PM, Ian Levesque wrote:
> Hello,
>
> I'm trying to configure my user_attrs using LDAP as the userdb so that
> dovecot knows what secondary groups a user is a member of. The LDAP
> backend is an Open Directory implementation, which stores secondary
> group affiliations as memberUid attributes in
> cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
>
> With ldapsearch, my query would be:
>
> ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn
>
> Is this possible to configure in Dovecot?
>

I needed the ability to authorize users against secondary groups like yours that store membership in memberUid. The easiest way I found to do so was to flip dovecot over to use checkpassword authentication, and therefore my perl implementation of checkpassword (which auths against ldap). The wiki has some config notes, but for example I use this:

  passdb checkpassword {
    # Path for checkpassword binary
    args = /opt/bin/checkpassword-ldap.pl
  }

  userdb prefetch {
  }

  # for deliver
  userdb passwd {
    args = blocking=yes
  }

With the login process in perl, you can do whatever you want, including checking secondary groups, setting variables prefetch-style (userdb_uid), overriding settings per-user, etc. I would be happy to share the perl I have hacked up to do this off list (not quite ready for release).

-Jeff

-- 
Jeff Hardy
Systems Analyst
hardyjm at potsdam.edu
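Jeff's checkpassword approach and Ian's memberUid query, as an added example that is not Jeff's Perl script, Ian's configuration or Dovecot's own code: a Python checkpassword-style passdb that follows the Dovecot checkpassword conventions (credentials on fd 3 as NUL-separated fields, exit code 1 for a failed login, 2 for misconfiguration, 111 for a temporary failure, and on success exec of the reply binary passed as argv[1] with USER/HOME/userdb_* in the environment), parses group entries in the form the ldapsearch query above returns, and refuses logins for users outside a required secondary group. SAMPLE_LDIF is constructed stand-in output for that ldapsearch run, STAND_IN_USERS stands in for an LDAP bind, and REQUIRED_GROUP and the /home/<user> path are assumptions.

```python
"""Checkpassword-style passdb that authorizes on secondary groups stored as
memberUid values in LDAP group entries. Added example, not Jeff's Perl script
and not Dovecot code: SAMPLE_LDIF is a constructed stand-in for the output of
ldapsearch -LLL -b cn=groups,dc=dns,dc=name,dc=server "(memberUid=ian)" cn gidNumber,
STAND_IN_USERS stands in for an LDAP bind, REQUIRED_GROUP and HOME are assumptions."""
import base64
import hmac
import os
import sys

# Constructed ldapsearch -LLL output. cn=mail folds "ian" over two lines (LDIF
# allows that); "iana" in cn=ops must not count as membership for "ian".
SAMPLE_LDIF = """\
dn: cn=mail,cn=groups,dc=dns,dc=name,dc=server
cn: mail
gidNumber: 1002
memberUid: ia
 n

dn: cn=admins,cn=groups,dc=dns,dc=name,dc=server
cn: admins
gidNumber: 1003
memberUid: jeff

dn: cn=ops,cn=groups,dc=dns,dc=name,dc=server
cn: ops
gidNumber: 1004
memberUid: iana
"""
STAND_IN_USERS = {"ian": ("correct horse", 1001), "jeff": ("battery staple", 1002)}
REQUIRED_GROUP = "mail"  # assumption: only members of this group may log in
EXIT_OK, EXIT_AUTH_FAIL, EXIT_MISCONFIG, EXIT_TEMP_FAIL = 0, 1, 2, 111  # checkpassword codes

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; continuation lines (leading space)
    are joined, attribute names lowercased, 'attr:: base64' values decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def secondary_groups(entries, username):
    """[(cn, gidNumber)] for each group listing username in memberUid. Whole-value
    comparison, so 'ian' does not match 'iana' as a grep over raw output would."""
    return [(e["cn"][0], int(e["gidnumber"][0]))
            for e in entries if username in e.get("memberuid", [])]

def read_credentials(data):
    """Dovecot writes username NUL password NUL (plus further NUL-separated
    fields, ignored here) to fd 3."""
    fields = data.split(b"\0")
    if len(fields) < 2:
        raise ValueError("malformed checkpassword input")
    return fields[0].decode(), fields[1].decode()

def authorize(user, password, ldif_text):
    """Return (checkpassword exit code, env for checkpassword-reply)."""
    record = STAND_IN_USERS.get(user)   # real script: LDAP bind as the user's DN
    # Unknown user and wrong password both yield 1, so the result leaks neither.
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return EXIT_AUTH_FAIL, {}
    gids = dict(secondary_groups(parse_ldif(ldif_text), user))
    if REQUIRED_GROUP not in gids:
        return EXIT_AUTH_FAIL, {}
    return EXIT_OK, {"USER": user, "HOME": f"/home/{user}",
                     "userdb_uid": str(record[1]), "userdb_gid": str(gids[REQUIRED_GROUP]),
                     "EXTRA": "userdb_uid userdb_gid"}  # fields Dovecot reads back

def main(argv):
    if len(argv) < 2:                   # Dovecot passes checkpassword-reply as argv[1]
        return EXIT_MISCONFIG
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = read_credentials(fd3.read())
    except (OSError, ValueError):
        return EXIT_TEMP_FAIL
    code, env = authorize(user, password, SAMPLE_LDIF)
    if code != EXIT_OK:
        return code
    os.environ.update(env)
    os.execv(argv[1], argv[1:])         # success: hand the reply binary the env

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To try it in place of the Perl script, point `args` in the `passdb checkpassword` block above at this file and replace the stand-ins with a real bind and a real ldapsearch (or an LDAP library) call. The LDIF parser matters more than it looks: a grep for the username over raw ldapsearch output would both miss a folded memberUid value and accept "iana" as a match for "ian".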
On Sep 16, 2009, at 5:18 AM, Ian Levesque wrote:
> I'm trying to configure my user_attrs using LDAP as the userdb so
> that dovecot knows what secondary groups a user is a member of. The
> LDAP backend is an Open Directory implementation, which stores
> secondary group affiliations as memberUid attributes in
> cn=groupname,cn=groups,dc=dns,dc=name,dc=server.

Do you mean memberGid? Also is it only secondary groups, the primary group is somewhere else?

> With ldapsearch, my query would be:
>
> ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server
> "(memberUid=ian)" cn
>
> Is this possible to configure in Dovecot?

Hmm. Looking at the code if you do:

  user_attrs = memberGid=gid

then it should set a "gid=123,345,456" field. You could verify that this gets returned by setting auth_debug=yes. But .. I can't really see where that code would actually be used, since it looks like only the first GID is actually used. Try anyway how far you can get. :)