Yes, it was that simple, the group files had the wrong owner. Problem solved, thanks for your help.
BTW: Great piece of software, keep up the good work!

Cheers,
Robert

Claudio Jeker wrote:
> On Tue, Oct 24, 2006 at 06:43:17PM +0200, Robert Müller wrote:
>
>> Hi all,
>>
>> I'm using qmail-ldap on different servers since about more than one
>> year. Now I've set up a new one with virtual users environment. My
>> qmail-installation uses a dedicated account for retrieving
>> LDAP-attributes and I have set the LDAP ACL very restrictive to prevent
>> users from seeing other accounts. Mail delivery for normal qmailusers
>> works very well, but I observe a strange problem with qmailgroups. The
>> following is derived from slapd's logfile:
>> qmail binds correctly as the dedicated user to search the mail address.
>> After the entry with the corresponding address is found, it retrieves
>> all LDAP Attributes for a normal qmailuser within the existing bind and
>> therefore succeeds with delivery.
>> But for a qmailgroup entry it unbinds and rebinds anonymously and is
>> then not able to read the attribute "entry" and all other attributes
>> since this is prohibited by my LDAP-ACLs for anonymous binds.
>>
>> Can anyone of you experts tell me if this is desired behaviour and why?
>> Or did I miss a simple configuration option?
>> Any help greatly appreciated,
>>
>
> Most of the time this happens because ~control/ldappassword is not readable
> by the user which runs the qmail-group command.
> This is why ~control/ldapgrouplogin and ~control/ldapgrouppassword exist.
> Especially it makes it possible to use a different user for the normal mail
> lookup than for the group lookups. Group lookups only need read access to
> some fields (e.g. userPassword is not needed) allowing stricter ACL rules.
> Additionally it makes it possible to tune the limits in slapd.
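
Added example, not part of the original thread or of qmail-ldap: a shell check for the failure discussed above, reporting whether each of the three control files named in the reply is readable by a given user according to its owner, group and mode bits, and flagging world-readable ones. The control directory and the user name are arguments the operator supplies (neither is given in the thread), and `stat -c` as in GNU coreutils or BusyBox is assumed.

```shell
#!/bin/sh
# Added example, not qmail-ldap code. Assumes stat -c (GNU coreutils/BusyBox).
# Checks the files' own mode bits only, not the directories above them.
# Usage: sh <this-script> <control-dir> [user]   (both supplied by the operator)

# readable_by FILE [USER]: exit 0 if the mode bits let USER (default: the
# current user) read FILE. Leaves the numeric file mode in $bits.
readable_by() {
    mode=$(stat -c %a "$1") || return 2
    f_uid=$(stat -c %u "$1") || return 2
    f_gid=$(stat -c %g "$1") || return 2
    u_uid=$(id -u ${2:+"$2"}) || return 2
    bits=$((0$mode))                          # leading 0: parse as octal
    if [ "$u_uid" -eq 0 ]; then return 0; fi  # root bypasses mode bits
    mask=4                                    # "other" read bit (0004)
    for g in $(id -G ${2:+"$2"}); do
        if [ "$g" -eq "$f_gid" ]; then mask=32; fi    # group read (0040)
    done
    if [ "$u_uid" -eq "$f_uid" ]; then mask=256; fi   # owner read (0400)
    [ $((bits & mask)) -ne 0 ]
}

# audit_control DIR [USER]: report on the control files named in the thread.
# Returns the number of files that exist but are unreadable by USER or are
# world-readable; files that do not exist are only listed as absent.
audit_control() {
    findings=0
    for name in ldappassword ldapgrouplogin ldapgrouppassword; do
        f="$1/$name"
        if [ ! -e "$f" ]; then
            echo "absent          $f"
        elif ! readable_by "$f" "$2"; then
            echo "unreadable      $f"; findings=$((findings + 1))
        elif [ $((bits & 4)) -ne 0 ]; then
            echo "world-readable  $f"; findings=$((findings + 1))
        else
            echo "ok              $f"
        fi
    done
    return "$findings"
}

if [ $# -ge 1 ]; then audit_control "$1" "${2:-}"; fi
```

Run it with the account that executes qmail-group as the second argument; an "unreadable" line for a password file matches the condition the reply describes.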
