Hi, I'm looking for a solution to use nested AD groups for authorization in shared-imap folders(namespace public). As a simple hack to determine the (primary) groups of a user we use the following setup with a post-login script: in dovecot.conf ... protocol imap { mail_executable = /etc/dovecot/ldap_groups.sh ... ldap_groups.sh ACL_GROUPS=`ldapsearch -h ldapserver -p 3268 -s sub -D "cn=ldap mail, ou=user, ou=global, ou=xxx, dc=xxx, dc=local" -b "ou=xxx, dc=xxx, dc=local" "(&(sAMAccountName=$USER))" -LLL memberOf -w password | grep "memberOf: CN=" | sed 's/memberOf: CN=//' | sed 's/,OU=.*//' | tr "\n" "," | sed 's/, $//'` export ACL_GROUPS exec /usr/libexec/dovecot/imap $* Does anyone know, how to simply get the groups of groups with such a post-login script? Thanks, Martin