On Sep 16, 2009, at 9:16 PM, Timo Sirainen wrote:
On Sep 16, 2009, at 5:18 AM, Ian Levesque wrote:
I'm trying to configure my user_attrs using LDAP as the userdb so
that dovecot knows what secondary groups a user is a member of. The
LDAP backend is an Open Directory implementation, which stores
secondary group affiliations as memberUid attributes in
cn=groupname,cn=groups,dc=dns,dc=name,dc=server.
Do you mean memberGid? Also is it only secondary groups, the primary
group is somewhere else?
No, the way that OD handles secondary group affiliations is through a
"groups" cn that lists "memberUid"s that are in the group. I've seen
LDAP implementations that provide secondary group IDs in the "user"
cn, which is indeed a lot easier to query.
With ldapsearch, my query would be:
ldapsearch -x -b cn=groups,dc=dns,dc=name,dc=server
"(memberUid=ian)" cn
Is this possible to configure in Dovecot?
Hmm. Looking at the code if you do:
user_attrs = memberGid=gid
then it should set "gid=123,345,456" field. You could verify that
this gets returned by setting auth_debug=yes. But .. I can't really
see where that code would actually be used, since it looks like only
the first GID is actually used. Try anyway how far you can get. :)
Well, if dovecot doesn't use secondary groups, maybe I'm
misunderstanding a problem we're having. Basically, I'm trying to
configure a shared mailbox. The two users sharing the mailbox are in
the same secondary group. The mailbox itself is 770 but the users
can't access the mailbox, and dovecot complains:
stat(/path/to/.mailbox/tmp) failed: Permission denied (euid=2637
(username) egid=20(staff) missing +x perm: /path/to/.mailbox)
$ ls -al /path/to/.mailbox
.archive -> /path/to/shared/.mailbox
$ ls -ald /path/to/shared/.mailbox
drwxrwx--- 5 root tech 172 Sep 16 11:10 /path/to/shared/.mailbox
I assumed this is because dovecot's not recognizing the secondary
group "tech" properly, did I misinterpret the error?
Best,
Ian
