Differences

This shows you the differences between two versions of the page.

--- sogodovecotldapandgroups [2011/07/07 11:26] – Correct link markup jim
+++ sogodovecotldapandgroups [2016/02/05 12:44] (current) – Fix Python script. jim
@@ Line 23: / Line 23: @@
 We don't want every group to be a POSIX group. They need to have a ''gid'' and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''.
-So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt][RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy.
+So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt|RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy.
 ===== Groups membership in OpenLDAP =====
@@ Line 37: / Line 37: @@
 So in Dovecot configuration I set up a post-login script:
-  service imap {
+<code>
-    executable = imap imap-postlogin
+service imap {
-  }
+  executable = imap imap-postlogin
-  service imap-postlogin {
+}
-    # all post-login scripts are executed via script-login binary
-    executable = script-login -d /etc/dovecot/acl_groups.py
-    # the script process runs as the user specified here (v2.0.14+):
+service imap-postlogin {
-    user = $default_internal_user
+  # all post-login scripts are executed via script-login binary
-    # this UNIX socket listener must use the same name as given to imap executable
+  executable = script-login -d /etc/dovecot/acl_groups.py
-    unix_listener imap-postlogin {
-    }
+  # the script process runs as the user specified here (v2.0.14+):
+  user = $default_internal_user
+  # this UNIX socket listener must use the same name as given to imap executable
+  unix_listener imap-postlogin {
   }
+}
+</code>
 We currently have ''Maildir''s in the users home directory. ''script-login -d'' runs the after login ''imap'' process as the user. The script ''acl_groups.py'' fishes out the group memberships from LDAP, sets up ''ACL_GROUPS'' and chains to the rest of the IMAP session. Dovecot passes the location of the program to run for the rest of the session on the command line.
@@ Line 78: / Line 82: @@
                    ['memberOf'])
   for dn, entry in res:
-      for g in entry['memberOf']:
+      try:
-          # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
+          for g in entry['memberOf']:
-          # Fish out 'All UK staff' as group name.
+              # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
-          groups.append(g.split(',', 1)[0][3:])
+              # Fish out 'All UK staff' as group name.
+              groups.append(g.split(',', 1)[0][3:])
+      except KeyError:
+          pass    # User in no groups.
   os.environ["ACL_GROUPS"] = ",".join(groups)
   try:

sogodovecotldapandgroups.1310038002.txt.gz · Last modified: 2011/07/07 11:26 by jim

Show page Recent Changes Backlinks

Old revisions Admin Sitemap Back to top