Re: [Dovecot] Public folders and groups

2012-10-26 Thread Jan Phillip Greimann
I didn't know ADs well, but... can't you simply add the field? In LDAP it
should be possible; if you use MS AD, I dunno.


On 25.10.2012 at 22:49, b m wrote:

 No AD doesn't have such a field, but I could use some unused field to
 get what I want. Let's say set Attribute1 to group1. The problem is
 how to get that info. I guess I have to edit dovecot-ldap.conf and put
 in user_attrs something like that ,=acl_groups=Attribute1. Any
 suggestions?



Re: [Dovecot] Public folders and groups

2012-10-26 Thread Ben Morrow
At  1PM -0700 on 25/10/12 b m wrote:
  From: Jan Phillip Greimann j...@softjury.de
 On 25.10.2012 at 00:13, b m wrote:

  Currently I have dovecot working with Active Directory
  authentication and public folders with acl. In acl I have the users
  I want to access the public folders. It'll be easier for me to use
  one group instead of 50 users but I can't get it to work. From where
  does dovecot get the group attribute for a user? Can it read the
  groups that a user belongs from AD?

 ACL groups support works by returning a comma-separated acl_groups
 extra field from userdb, which contains all the groups the user
 belongs to.
 
 It seems to be possible, I had an acl_groups field in my MySQL
 Database for this, I'm sure it is something like that in an AD too.

 No AD doesn't have such a field, but I could use some unused field to
 get what I want. Let's say set Attribute1 to group1. The problem
 is how to get that info. I guess I have to edit dovecot-ldap.conf and
 put in user_attrs something like that ,=acl_groups=Attribute1. Any
 suggestions?

That's the wrong way around. Assuming you created an 'imapGroups'
attribute containing a comma-separated list of IMAP groups, you would
want to add 'imapGroups=acl_groups' to user_attrs.

Alternatively, if you don't want to duplicate the information in the
LDAP directory, you can use post-login scripting to set up the groups
list (see http://wiki2.dovecot.org/PostLoginScripting). If you have your
system set up with nss_ldap or winbind so that AD users show up as
system users with their proper groups, the example on the wiki using the
'groups' command will work. Otherwise, you can pull the information
directly from LDAP, something like

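#!/bin/sh

# Run one LDAP search and print the values of a single attribute.
#   $1 = objectClass, $2 = attr=value filter term, $3 = attribute to print
do_ldap () {
    /usr/local/bin/ldapsearch -h PDC \
        "(&(objectClass=$1)($2))" "$3" \
        | sed -ne "s/^$3: //p"
}

# Find the user's DN, then the cn of every group listing that DN as a member.
user_dn=$(do_ldap User "sAMAccountName=$USER" dn)
ACL_GROUPS=$(do_ldap Group "member=$user_dn" cn | paste -sd, -)

# Hand the list to Dovecot as the acl_groups userdb field.
export ACL_GROUPS
export USERDB_KEYS="$USERDB_KEYS acl_groups"
exec "$@"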

Obviously you will need to adjust the path and connection parameters for
ldapsearch to suit your environment; also, I don't use AD, so you may
need to adjust the LDAP search. (If you prefer it might be easier to do
this in Perl or Python or something rather than shell.)

Ben
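
A hardened variant of the post-login script above, as an added example that is not part of Ben's message or the Dovecot wiki: it escapes the login name and the DN per RFC 4515 before they enter the search filter, and drops group names that would split the comma-separated acl_groups list. The helper names, the allow-list of group-name characters and the OpenLDAP options -LLL and -o ldif-wrap=no are assumptions of this example; the ldapsearch path and "-h PDC" are taken from the script above.

```shell
#!/bin/sh
# Added example: hardened variant of the post-login script in this thread.
LDAPSEARCH=/usr/local/bin/ldapsearch   # path from the post; adjust

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash must be handled first so later escapes are not re-escaped.
ldap_escape () {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build "(&(objectClass=$1)($2=<escaped $3>))"; only $3 is untrusted.
ldap_filter () {
    printf '(&(objectClass=%s)(%s=%s))' "$1" "$2" "$(ldap_escape "$3")"
}

# Read one group name per line; keep only names made of safe characters
# (an assumed allow-list) and join them with commas. A cn that itself contains
# a comma would otherwise be read as two separate groups.
join_groups () {
    grep -E '^[A-Za-z0-9._-]+$' | paste -sd, -
}

# $1 = objectClass, $2 = attribute, $3 = value, $4 = attribute to print
do_ldap () {
    "$LDAPSEARCH" -LLL -o ldif-wrap=no -h PDC \
        "$(ldap_filter "$1" "$2" "$3")" "$4" | sed -n "s/^$4: //p"
}

# Dovecot runs a post-login script with the next command as its arguments.
if [ "$#" -gt 0 ]; then
    user_dn=$(do_ldap User sAMAccountName "$USER" dn | head -n 1)
    ACL_GROUPS=""
    if [ -n "$user_dn" ]; then
        ACL_GROUPS=$(do_ldap Group member "$user_dn" cn | join_groups)
    fi
    export ACL_GROUPS
    export USERDB_KEYS="$USERDB_KEYS acl_groups"
    exec "$@"
fi
```

If no DN is found for the login name, the script leaves acl_groups empty, so the user gets no group-based ACL rights.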



Re: [Dovecot] Public folders and groups

2012-10-25 Thread Jan Phillip Greimann

On 25.10.2012 at 00:13, b m wrote:

Currently I have dovecot working with Active Directory authentication and public folders 
with acl. In acl I have the users I want to access the public folders. It'll be easier 
for me to use one group instead of 50 users but I can't get it to work. From where does 
dovecot get the group attribute for a user? Can it read the groups that a 
user belongs from AD?


Here is a sentence on this, found in the Dovecot wiki.
(http://wiki2.dovecot.org/ACL)


ACL groups support works by returning a comma-separated acl_groups extra 
field from userdb, which contains all the groups the user belongs to.


It seems to be possible, I had an acl_groups field in my MySQL Database
for this, I'm sure it is something like that in an AD too.




Re: [Dovecot] Public folders and groups

2012-10-25 Thread b m
No AD doesn't have such a field, but I could use some unused field to get what 
I want. Let's say set Attribute1 to group1. The problem is how to get that 
info. I guess I have to edit dovecot-ldap.conf and put in user_attrs something 
like that ,=acl_groups=Attribute1. Any suggestions?






 From: Jan Phillip Greimann j...@softjury.de
To: b m stocto...@yahoo.com; Dovecot Mailing List dovecot@dovecot.org 
Sent: Thursday, October 25, 2012 1:35 PM
Subject: Re: [Dovecot] Public folders and groups
 
On 25.10.2012 at 00:13, b m wrote:
 Currently I have dovecot working with Active Directory authentication and 
 public folders with acl. In acl I have the users I want to access the public 
 folders. It'll be easier for me to use one group instead of 50 users but I 
 can't get it to work. From where does dovecot get the group attribute for a 
 user? Can it read the groups that a user belongs from AD?

Here is a sentence on this, found in the Dovecot wiki.
(http://wiki2.dovecot.org/ACL)

ACL groups support works by returning a comma-separated acl_groups extra field 
from userdb, which contains all the groups the user belongs to.

It seems to be possible, I had an acl_groups field in my MySQL Database for
this, I'm sure it is something like that in an AD too.