Differences

This shows you the differences between two versions of the page.

sogodovecotldapandgroups [2011/07/07 11:24] – File system permissions (jim)
sogodovecotldapandgroups [2016/02/05 12:44] (current) – Fix Python script. (jim)
Line 5: Line 5:
 ===== IMAP shared folder ACLs and SOGo ===== ===== IMAP shared folder ACLs and SOGo =====
  
-Work has a company [[http://www.sogo.nu|SOGo]] instance. This is backed by a LDAP directory running on [[http://www.openldap.org][OpenLDAP]] and a [[http://www.dovecot.org|Dovecot]] IMAP server.+Work has a company [[http://www.sogo.nu|SOGo]] instance. This is backed by a LDAP directory running on [[http://www.openldap.org|OpenLDAP]] and a [[http://www.dovecot.org|Dovecot]] IMAP server.
  
 The SOGo web mail interfaces allows you to set sharing permissions on IMAP folders. It reads and sets these using the IMAP ACL extensions, activated in Dovecot by loading the necessary plugins: The SOGo web mail interfaces allows you to set sharing permissions on IMAP folders. It reads and sets these using the IMAP ACL extensions, activated in Dovecot by loading the necessary plugins:
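Review bot: the `][` to `|` change in the OpenLDAP link is the right fix; `[[url|text]]` is the DokuWiki external-link form, and the old `[[url][text]]` left the `][OpenLDAP]` fragment in the rendered link text instead of labelling the link. The same correction is applied to the RFC2307bis and post-login-script links in the hunks that follow, so the page's links are now consistent.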
Line 23: Line 23:
 We don't want every group to be a POSIX group. They need to have a ''gid'' and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''. We don't want every group to be a POSIX group. They need to have a ''gid'' and I've had trouble with group names that don't consist of a single all-lowercase word. We have groups called //All Staff// and similar. LDAP directory maintenance tools usually have nice ways of dealing with ''groupOfNames''.
  
-So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt][RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy.+So we're using the [[http://www.padl.com/~lukeh/rfc2307bis.txt|RFC2307bis]] schema instead. This is exactly the same as ''nis.schema'' but has ''posixGroup'' as an **auxiliary class**. So you can add ''posixGroup'' as an extra object type to a ''groupOfNames'' and everyone is happy.
  
 ===== Groups membership in OpenLDAP ===== ===== Groups membership in OpenLDAP =====
Line 33: Line 33:
 ===== Putting it together ===== ===== Putting it together =====
  
-Dovecot currently has no way of dealing with multi-value LDAP attributes. But it does have a [[http://wiki2.dovecot.org/PostLoginScripting][post-login script]] to allow you to set up an environment variable ''ACL_GROUPS'' with a comma-separated list of groups that user belongs to.+Dovecot currently has no way of dealing with multi-value LDAP attributes. But it does have a [[http://wiki2.dovecot.org/PostLoginScripting|post-login script]] to allow you to set up an environment variable ''ACL_GROUPS'' with a comma-separated list of groups that user belongs to.
  
 So in Dovecot configuration I set up a post-login script: So in Dovecot configuration I set up a post-login script:
  
-  service imap { +<code> 
-    executable = imap imap-postlogin +service imap { 
-  } +  executable = imap imap-postlogin 
-  service imap-postlogin { +}
-    # all post-login scripts are executed via script-login binary +
-    executable = script-login -d /etc/dovecot/acl_groups.py+
  
-    # the script process runs as the user specified here (v2.0.14+): +service imap-postlogin { 
-    user = $default_internal_user +  # all post-login scripts are executed via script-login binary 
-    # this UNIX socket listener must use the same name as given to imap executable +  executable = script-login -d /etc/dovecot/acl_groups.py 
-    unix_listener imap-postlogin { + 
-    }+  # the script process runs as the user specified here (v2.0.14+): 
 +  user = $default_internal_user 
 +   
 +  # this UNIX socket listener must use the same name as given to imap executable 
 +  unix_listener imap-postlogin {
   }   }
 +}
 +</code>
      
 We currently have ''Maildir''s in the users home directory. ''script-login -d'' runs the after login ''imap'' process as the user. The script ''acl_groups.py'' fishes out the group memberships from LDAP, sets up ''ACL_GROUPS'' and chains to the rest of the IMAP session. Dovecot passes the location of the program to run for the rest of the session on the command line. We currently have ''Maildir''s in the users home directory. ''script-login -d'' runs the after login ''imap'' process as the user. The script ''acl_groups.py'' fishes out the group memberships from LDAP, sets up ''ACL_GROUPS'' and chains to the rest of the IMAP session. Dovecot passes the location of the program to run for the rest of the session on the command line.
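Review bot: the new `<code>` block should carry the privilege caveat that the prose under it only implies: with `executable = script-login -d /etc/dovecot/acl_groups.py`, the script and the rest of the session run as the logged-in user, so `/etc/dovecot/acl_groups.py` has to be readable by every mail user and must not contain an LDAP bind password or anything else those users should not see; if the LDAP search needs credentials, bind with a read-only account whose secret lives outside the script, or search anonymously. A one-line comment above `executable = script-login -d ...` saying "runs as the logged-in user; keep secrets out of this script" would prevent the obvious mistake.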
Line 78: Line 82:
                    ['memberOf'])                    ['memberOf'])
   for dn, entry in res:   for dn, entry in res:
-      for g in entry['memberOf']: +      try: 
-          # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc. +          for g in entry['memberOf']: 
-          # Fish out 'All UK staff' as group name. +              # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc. 
-          groups.append(g.split(',', 1)[0][3:]) +              # Fish out 'All UK staff' as group name. 
-  +              groups.append(g.split(',', 1)[0][3:]) 
 +      except KeyError: 
 +          pass    # User in no groups. 
 +          
   os.environ["ACL_GROUPS"] = ",".join(groups)   os.environ["ACL_GROUPS"] = ",".join(groups)
   try:   try:
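Review bot: the `try`/`except KeyError` wrapped around the whole loop hides more than the missing-`memberOf` case it is meant for; `for g in entry.get('memberOf', []):` expresses "user in no groups" directly and lets any other `KeyError` surface instead of being swallowed by `pass`. The unchanged parsing line `groups.append(g.split(',', 1)[0][3:])` remains the weak spot: it assumes the first RDN is `cn=` and mis-parses a DN whose CN contains an escaped comma (`cn=Sales\, EMEA,ou=Groups,...`), and because `",".join(groups)` in this hunk turns the list into a comma-separated `ACL_GROUPS`, a comma inside a group name would be read by Dovecot as two groups. `ldap.dn.explode_dn(g, notypes=True)[0]` from python-ldap returns the unescaped CN; a group name that still contains a comma should then be rejected or mapped rather than joined into `ACL_GROUPS` as-is.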
Line 92: Line 99:
   sys.exit(1) # In case above fails   sys.exit(1) # In case above fails
      
 +
 ===== File system permissions ===== ===== File system permissions =====
  
 The final stage is to make sure that the file system permissions allow the user to read from the shared mailbox. This is difficult with ''Maildir'' directories under the user's home directory. Right now I've set the ''Maildir'' directory group to ''mail'' and given the group ''r-s'' permission on the directory. But this has to be done by hand for each home directory created. I'm looking at moving all mail to under ''/var/mail'' instead. The final stage is to make sure that the file system permissions allow the user to read from the shared mailbox. This is difficult with ''Maildir'' directories under the user's home directory. Right now I've set the ''Maildir'' directory group to ''mail'' and given the group ''r-s'' permission on the directory. But this has to be done by hand for each home directory created. I'm looking at moving all mail to under ''/var/mail'' instead.
  
 
sogodovecotldapandgroups.1310037881.txt.gz · Last modified: 2011/07/07 11:24 by jim