Problem using groups(roles) in cyrus ACL

teardrainer at web.de
Wed Sep 6 14:10:16 CEST 2017


>
> I think your groupbase is wrong:
> Excerpt of my imapd.conf (Multidomain, but self explaining).
>
> ldap_group_base: ou=Groups,dc=%2,dc=%1
> ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
> ldap_group_scope: one
>

Thx Franz,

this pushed us in the right direction, since there was some confusion regarding the group and member selection. Here are our configs which might be useful for others:

Using Kolab roles as groups:
ldap_group_base: dc=acme,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=people,dc=acme,dc=com
ldap_member_method: attribute
ldap_member_attribute: nsrole

Using Kolab groups as groups:
ldap_group_base: ou=groups,dc=acme,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=groupofuniquenames))
ldap_group_scope: one
ldap_member_base: dc=acme,dc=com
ldap_member_method: filter
ldap_member_filter: (&(uniqueMember=%D)(objectclass=groupofuniquenames))
ldap_member_attribute: cn
ldap_size_limit: 10

Note the ldap_size_limit in the second example (defaults to 1). Since the member filter returns multiple results for users with multiple groups, they won't be able to log in anymore if ldap_size_limit is not increased.

Group-ACLs can be set using group:groupname via cmd-line or webadmin.


Thanks all,

Bob
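
A small check for the pitfall described in the message above, as an added example that is not part of the original post: it parses an imapd.conf excerpt and reports when `ldap_member_method: filter` is combined with an `ldap_size_limit` lower than the largest number of groups any user belongs to. The function names and the `max_groups_per_user` parameter are assumptions for illustration; the default of 1 is the one stated in the post.

```python
DEFAULT_SIZE_LIMIT = 1  # default value as stated in the post


def parse_imapd_conf(text):
    """Parse 'key: value' lines, skipping blanks and '#' comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip().lower()] = value.strip()
    return options


def check_member_size_limit(options, max_groups_per_user):
    """Return findings (empty list = pass) for the size-limit pitfall.

    max_groups_per_user is a hypothetical input: the largest number of
    groups any single user belongs to in your directory.
    """
    if options.get("ldap_member_method", "").lower() != "filter":
        return []  # the post reports the problem only for the filter method
    findings = []
    if not options.get("ldap_member_filter"):
        findings.append("ldap_member_method is filter but ldap_member_filter is unset")
    raw = options.get("ldap_size_limit", str(DEFAULT_SIZE_LIMIT))
    try:
        limit = int(raw)
    except ValueError:
        return findings + [f"ldap_size_limit is not an integer: {raw!r}"]
    if limit < max_groups_per_user:
        findings.append(
            f"ldap_size_limit={limit} is below {max_groups_per_user} groups per user; "
            "the member filter returns one entry per group, so such users cannot log in"
        )
    return findings


# Constructed sample: the second config from the post with ldap_size_limit left out.
SAMPLE = """\
ldap_group_base: ou=groups,dc=acme,dc=com
ldap_member_method: filter
ldap_member_filter: (&(uniqueMember=%D)(objectclass=groupofuniquenames))
ldap_member_attribute: cn
"""

if __name__ == "__main__":
    for finding in check_member_size_limit(parse_imapd_conf(SAMPLE), max_groups_per_user=3):
        print("WARN:", finding)
```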

