Page ''sogodovecotldapandgroups'', revision 2016/02/02 22:08 by jim ("Add blank line."), shown here as a single copy; the earlier revision it was compared against is 2011/07/07 11:26 by jim ("Correct link markup").

We don't want every group to be a POSIX group. A POSIX group needs a ''gidNumber'', and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''.

So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt|RFC2307bis]] schema instead. It covers the same attributes and classes as ''nis.schema'', but defines ''posixGroup'' as an **auxiliary class** rather than a structural one. So you can add ''posixGroup'' as an extra object class on a ''groupOfNames'' entry and everyone is happy. (Under ''nis.schema'' that combination is rejected as an object class violation, because ''posixGroup'' and ''groupOfNames'' are both structural there; load ''rfc2307bis.schema'' in place of ''nis.schema'', not alongside it.)

===== Group membership in OpenLDAP =====
So in the Dovecot configuration I set up a post-login script:

<code>
service imap {
  executable = imap imap-postlogin
}

service imap-postlogin {
  # all post-login scripts are executed via script-login binary
  executable = script-login -d /etc/dovecot/acl_groups.py

  # the script process runs as the user specified here (v2.0.14+):
  user = $default_internal_user

  # this UNIX socket listener must use the same name as given to imap executable
  unix_listener imap-postlogin {
  }
}
</code>

We currently have ''Maildir''s in the users' home directories. ''script-login -d'' drops privileges, so the post-login script and the ''imap'' process it chains to run as the logged-in user. The script ''acl_groups.py'' fishes the user's group memberships out of LDAP, exports them in the ''ACL_GROUPS'' environment variable (a comma-separated list of group names that Dovecot's ACL plugin reads), and then chains to the rest of the IMAP session. Dovecot passes the program to run for the rest of the session, the real ''imap'' binary and its arguments, on the script's command line, and the script has to ''exec'' it; if the script exits without doing so, the login fails. Because the script runs as the user, it must not carry a privileged LDAP bind credential, since the user can read it: an anonymous or read-only lookup of group membership is all it needs.
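A post-login script of the kind described above, written here as an added example in Python; it is not the page's own ''acl_groups.py''. Its constructed sample entries also illustrate the schema section: a ''groupOfNames'' entry that additionally carries the auxiliary ''posixGroup'' class. Everything about the directory is assumed rather than taken from the page: users are ''uid=<login>'' entries under ''ou=people,dc=example,dc=com'', groups are ''groupOfNames'' entries under ''ou=groups,dc=example,dc=com'', the server is reachable on ''ldapi:///'' and allows an anonymous read of ''member'' and ''cn'', and python-ldap is installed for the live lookup. Dovecot's ''script-login'' sets ''USER'' and appends the real ''imap'' command to the script's arguments.

```python
#!/usr/bin/env python3
"""Dovecot post-login script that turns LDAP group membership into ACL_GROUPS.

Added example; not the wiki page's own acl_groups.py.  Assumptions not taken
from the page: users are uid=<login> entries under PEOPLE_BASE, groups are
groupOfNames entries (optionally also posixGroup, as rfc2307bis allows) under
GROUPS_BASE, the directory permits an anonymous read of 'member' and 'cn',
and python-ldap is installed for the live lookup.  script-login sets USER and
passes the real imap command in argv[1:].
"""
import os
import sys

LDAP_URI = "ldapi:///"                       # assumption: local socket, no credential in this file
PEOPLE_BASE = "ou=people,dc=example,dc=com"  # assumption
GROUPS_BASE = "ou=groups,dc=example,dc=com"  # assumption


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    login such as 'jim)(uid=*' cannot widen the search (filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def user_filter(login):
    return "(uid=%s)" % escape_filter_value(login)


def membership_filter(member_dn):
    # groupOfNames is the structural class that holds 'member'; posixGroup may be
    # present as an auxiliary class but plays no part in membership here.
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(member_dn)


def acl_group_names(search_results):
    """Map python-ldap style (dn, attrs) results to the names placed in ACL_GROUPS.
    ACL_GROUPS is comma-separated, so a cn containing a comma would be read as two
    groups; such entries are skipped instead of passed through."""
    names = set()
    for _dn, attrs in search_results:
        for raw in attrs.get("cn", []):
            name = raw.decode("utf-8") if isinstance(raw, bytes) else raw
            if name and "," not in name and "\n" not in name:
                names.add(name)
    return sorted(names)


def build_child_env(base_env, groups):
    """Environment for the chained imap process.  The LDAP result replaces any
    ACL_GROUPS that arrived in the environment, so a stale value never lingers."""
    env = dict(base_env)
    if groups:
        env["ACL_GROUPS"] = ",".join(groups)
    else:
        env.pop("ACL_GROUPS", None)
    return env


def lookup_groups(login):
    """Live lookup; python-ldap is imported here so the helpers above work without it."""
    import ldap
    conn = ldap.initialize(LDAP_URI)
    conn.simple_bind_s()  # anonymous bind: this process runs as the mail user, who can read the script
    try:
        people = conn.search_s(PEOPLE_BASE, ldap.SCOPE_SUBTREE, user_filter(login), ["1.1"])
        if len(people) != 1:
            return []
        groups = conn.search_s(GROUPS_BASE, ldap.SCOPE_SUBTREE,
                               membership_filter(people[0][0]), ["cn"])
    finally:
        conn.unbind_s()
    return acl_group_names(groups)


# Constructed sample of what search_s returns for a user in two groups.  The first
# entry carries both object classes, which is exactly what the rfc2307bis schema
# permits; the third shows a cn that would corrupt the comma-separated list.
SAMPLE_RESULTS = [
    ("cn=All Staff,ou=groups,dc=example,dc=com",
     {"objectClass": [b"groupOfNames", b"posixGroup"], "cn": [b"All Staff"], "gidNumber": [b"5000"]}),
    ("cn=it,ou=groups,dc=example,dc=com",
     {"objectClass": [b"groupOfNames"], "cn": [b"it"]}),
    ("cn=odd\\, name,ou=groups,dc=example,dc=com",
     {"objectClass": [b"groupOfNames"], "cn": [b"odd, name"]}),
]


def main(argv):
    login = os.environ.get("USER")
    if not login or len(argv) < 2:
        sys.exit(1)  # nothing to chain to: refuse rather than start a half-configured session
    try:
        groups = lookup_groups(login)
    except Exception:
        sys.exit(1)  # fail closed: exiting fails the login instead of guessing a group list
    env = build_child_env(os.environ, groups)
    os.execve(argv[1], argv[1:], env)  # hand over to the imap binary script-login appended


if __name__ == "__main__":
    main(sys.argv)
```

Installed at the path named in the ''service imap-postlogin'' block above and made executable, it is invoked by ''script-login -d'' as the logged-in user. The pure helpers can be exercised without a directory, for instance ''acl_group_names(SAMPLE_RESULTS)'' yields ''['All Staff', 'it']''; only ''lookup_groups'' talks to LDAP.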