| Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision |
| sogodovecotldapandgroups [2011/07/07 11:26] – Correct link markup jim | sogodovecotldapandgroups [2016/02/02 22:08] – Add blank line. jim |
|---|
| We don't want every group to be a POSIX group. They need to have a ''gid'' and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''. | We don't want every group to be a POSIX group. They need to have a ''gid'' and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''. |
| |
| So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt][RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy. | So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt|RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy. |
| |
| ===== Groups membership in OpenLDAP ===== | ===== Groups membership in OpenLDAP ===== |
| So in Dovecot configuration I set up a post-login script: | So in Dovecot configuration I set up a post-login script: |
| |
| service imap { | <code> |
| executable = imap imap-postlogin | service imap { |
| } | executable = imap imap-postlogin |
| service imap-postlogin { | } |
| # all post-login scripts are executed via script-login binary | |
| executable = script-login -d /etc/dovecot/acl_groups.py | service imap-postlogin { |
| | # all post-login scripts are executed via script-login binary |
| | executable = script-login -d /etc/dovecot/acl_groups.py |
| |
| # the script process runs as the user specified here (v2.0.14+): | # the script process runs as the user specified here (v2.0.14+): |
| user = $default_internal_user | user = $default_internal_user |
| # this UNIX socket listener must use the same name as given to imap executable | |
| unix_listener imap-postlogin { | # this UNIX socket listener must use the same name as given to imap executable |
| } | unix_listener imap-postlogin { |
| } | } |
| | } |
| | </code> |
| | |
| We currently have ''Maildir''s in the users home directory. ''script-login -d'' runs the after login ''imap'' process as the user. The script ''acl_groups.py'' fishes out the group memberships from LDAP, sets up ''ACL_GROUPS'' and chains to the rest of the IMAP session. Dovecot passes the location of the program to run for the rest of the session on the command line. | We currently have ''Maildir''s in the users home directory. ''script-login -d'' runs the after login ''imap'' process as the user. The script ''acl_groups.py'' fishes out the group memberships from LDAP, sets up ''ACL_GROUPS'' and chains to the rest of the IMAP session. Dovecot passes the location of the program to run for the rest of the session on the command line. |
