cyrus and ldap groups in multidomain
jankow at datenkollektiv.net
Tue Apr 12 15:52:47 CEST 2016
Hi Daniel (since you already investigated this very deeply, I put you in cc),
while I tried to use ldap groups for imap acls I ran into a dead end.
Although I once thought it was working, it actually doesn't.
kolab 3.4 on debian wheezy
example.net -> primary domain
otherdomain.org -> secondary domain
I tried to get role based ldap groups working for imap acls in a
multidomain environment. Daniel Hoffend wrote a summary about this
problem and gave valuable hints:
While it's no problem using ldap groups for just one domain, I didn't
get any further with multiple domains.
Daniel wrote that the ldap_member_base gets rewritten to the current
domain. As far as I can see in the ldap logs, not for me. The role cn is
still searched in example.net instead of otherdomain.org.
While it works for looking up group acls, it doesn't for setting new acls.
For testing this I configured the ldap_group_base to the secondary
domain. Then wrote some group acl - and after switching back to the
ldap_group_base either to the primary domain or to dc=%2,dc=%1 the acls
for the mailboxes configured this way work.
It's even possible to write new acls, as long as the ptscache isn't deleted.
Since the code
suggests that dc=%2,dc=%1 is a valid variable I also tried with this
instead of the primary domain.
My actual imapd.conf
ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=example,dc=net
Does anybody of you use imap group acls in a multidomain setup?
Any help is much appreciated.