cyrus and ldap groups in multidomain

Jan Kowalsky jankow at datenkollektiv.net
Tue Apr 12 15:52:47 CEST 2016


Hi all,
hi Daniel (since you already investigated this very deeply, I put you in cc),

While I tried to use ldap groups for imap acls I came to a dead end.
Although I once thought it was working - it actually doesn't.

kolab 3.4 on debian wheezy
cyrus-imapd 2.5~dev2015021301-0~kolab2

example.net -> primary domain
otherdomain.org -> secondary domain

I tried to get role based ldap groups working for imap acls in a
multidomain environment. Daniel Hoffend wrote a summary about this
problem and gave valuable hints:

https://lists.kolab.org/pipermail/devel/2015-February/015268.html

While it's no problem using ldap groups for just one domain - I didn't
get any further for multiple domains.

Daniel wrote that the ldap_member_base gets rewritten to the current
domain. As far as I can see in the ldap logs, not for me. The role cn is
still searched in example.net instead of otherdomain.org.

While it is working for looking up group acls, it doesn't for setting new acls.
For testing this I configured the ldap_group_base to the secondary
domain. Then I wrote some group acls - and after switching the
ldap_group_base back either to the primary domain or to dc=%2,dc=%1, the acls
for mailboxes configured that way work.

It's even possible to write new acls - as long as the ptscache isn't deleted.

Since the code
https://cgit.cyrus.foundation/cyrus-imapd/tree/ptclient/ldap.c#n728
suggests that dc=%2,dc=%1 is a valid variable, I also tried this
instead of the primary domain.

My actual imapd.conf:

ptscache_timeout: 600
pts_module: ldap
ldap_servers: ldap://ldap.example.net:389
ldap_sasl: 0
ldap_base: dc=example,dc=net
ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=example,dc=net
ldap_password: secret
ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_user_attribute: mail
ldap_group_base: dc=%2,dc=%1
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=People,dc=%2,dc=%2
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10

ldap_domain_base_dn: cn=kolab,cn=config

ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
ldap_domain_name_attribute: associatedDomain
ldap_domain_scope: sub
ldap_domain_result_attribute: inetdomainbasedn


Does any of you use imap group acls in a multidomain setup?

Any help is very appreciated.

Regards
Jan
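As an added example (not code from the post and not cyrus-imapd's own token expander), the small script below expands the `%`-tokens in the templated base DNs and filters from the posted imapd.conf for a given user and domain, and flags any base whose `dc=` components do not spell the domain being looked up. Its one assumption, inferred from the posted `ldap_group_base: dc=%2,dc=%1` turning example.net into `dc=example,dc=net`, is that `%1` is the rightmost domain label and `%2` the next one to the left; `%u` and `%U` are both treated as the name being searched (user or group), and `%r` is assumed to default to the domain. Comparing its output with the search base the directory server logs is a quick way to see which template is actually in effect per domain.

```python
import re

# Assumed token convention (see lead-in): %1 = rightmost domain label, %2 = next
# label to the left, ..., %u/%U = name, %d = domain, %r = realm, %% = literal %.
TOKEN_RE = re.compile(r"%([%uUdr1-9])")


def expand_tokens(template, name, domain, realm=None):
    """Expand the %-tokens of a base DN or filter template for one lookup."""
    labels_right_to_left = domain.split(".")[::-1] if domain else []

    def replace(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token in ("u", "U"):
            return name
        if token == "d":
            return domain
        if token == "r":
            return realm if realm is not None else domain
        index = int(token) - 1            # %1 -> index 0 (rightmost label)
        if index < len(labels_right_to_left):
            return labels_right_to_left[index]
        return ""                          # more %n than labels: expands to nothing

    return TOKEN_RE.sub(replace, template)


def dc_suffix(dn):
    """Domain spelled by the dc= components of a DN:
    'ou=People,dc=example,dc=net' -> 'example.net'."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.lower().startswith("dc="))


def base_matches_domain(template, domain):
    """True when the expanded base DN's dc= suffix spells the looked-up domain."""
    return dc_suffix(expand_tokens(template, "", domain)) == domain


# Constructed input: the two templated base DNs from the posted imapd.conf.
POSTED_BASES = {
    "ldap_group_base": "dc=%2,dc=%1",
    "ldap_member_base": "ou=People,dc=%2,dc=%2",
}


def report(domain):
    """Map each base key to (expanded DN, does its dc= suffix match the domain)."""
    return {
        key: (expand_tokens(tmpl, "", domain), base_matches_domain(tmpl, domain))
        for key, tmpl in POSTED_BASES.items()
    }


if __name__ == "__main__":
    for dom in ("example.net", "otherdomain.org"):
        print(dom)
        for key, (expanded, ok) in report(dom).items():
            print(f"  {key:17} -> {expanded:42} {'ok' if ok else 'MISMATCH'}")
        # the posted ldap_filter for a user in that domain
        user_filter = "(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson))"
        print("  ldap_filter       ->", expand_tokens(user_filter, "jan", dom))
```

Run it as-is to print the expansion for both domains from the post; to try other templates, edit `POSTED_BASES` or call `expand_tokens` directly. The script only simulates the substitution; it does not query LDAP, so a base that expands to a sensible DN can still be wrong if the real lookup uses a different base (for instance one obtained through the `ldap_domain_*` settings).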

