Hi,

I have a question regarding the pipe, when being used to contact the LDA
(in my case, Dovecot).

My virtual users are in LDAP, but they have their own UID and GID. Since
I don't want to do a setuid script for the LDA (and obviously the LDA
needs to run with the correct permissions to be able to affect the
target user's mailbox files), is there a way to use the whole record
object from the LDAP query (which contains the uidNumber and gidNumber
attributes) and use some kind of substitution in master.cf when
specifying the user=UID:GID parameter? The current situation is:
dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
- Problem: vmail (uid 5000) is obviously not the UID associated with the dovecot
Jul 31 03:25:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:25:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
The catch is that at the passwd level, the local Unix users and the LDAP
users are separated (they were once connected, but security and
performance considerations made us decide to split them), so I can't and
won't use the local user delivery method.
Thanks in advance,
a
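The two things the post puts side by side are the static identity in the master.cf pipe(8) entry and the Dovecot auth error that reports the userdb uid against the peer uid the LDA actually ran as. The script below is an added example, not code from the original post or from Postfix or Dovecot: it parses a constructed log in the same format as the errors quoted above and groups the affected users by peer uid, and it pulls the literal user= value out of a constructed master.cf fragment shaped like the posted transport (pipe(8) expands ${...} macros only in argv=, so user= is returned verbatim). The sample log lines beyond the two quoted in the post, the second user "bob", and the master.cf smtp line are made up for the example.

```python
import re

# Constructed sample log, modelled on the Dovecot errors quoted in the post.
# The first two lines are the post's; the "bob" and "carol" lines are made up
# to show grouping and a non-matching line.
SAMPLE_LOG = """\
Jul 31 03:25:40 rhyno dovecot: lda(aik): Error: user aik: Auth USER lookup failed
Jul 31 03:25:40 rhyno dovecot: auth: Error: userdb(aik): client doesn't have lookup permissions for this user: userdb uid (10001) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:26:02 rhyno dovecot: auth: Error: userdb(bob): client doesn't have lookup permissions for this user: userdb uid (10002) doesn't match peer uid (5000) (to bypass this check, set: service auth { unix_listener /var/run/dovecot/auth-userdb { mode=0777 } })
Jul 31 03:27:15 rhyno dovecot: lda(carol): msgid=<1@example.org>: saved mail to INBOX
"""

# Constructed master.cf fragment in the shape of the post's transport.
# In master.cf, continuation lines of an entry start with whitespace.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${user}
"""

MISMATCH_RE = re.compile(
    r"dovecot: auth: Error: userdb\((?P<user>[^)]+)\): client doesn't have lookup "
    r"permissions for this user: userdb uid \((?P<userdb_uid>\d+)\) "
    r"doesn't match peer uid \((?P<peer_uid>\d+)\)"
)


def parse_uid_mismatches(log_text):
    """Extract (user, userdb_uid, peer_uid) from Dovecot auth mismatch errors.

    userdb_uid is what the userdb (LDAP in the post) says the mailbox owner is;
    peer_uid is the uid the LDA process talking to auth-userdb ran as.
    """
    hits = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            hits.append((m.group("user"),
                         int(m.group("userdb_uid")),
                         int(m.group("peer_uid"))))
    return hits


def users_by_peer_uid(hits):
    """Group affected users by the uid the LDA ran as.

    A single static user= in master.cf shows up as one peer uid that fails
    against many different userdb uids.
    """
    grouped = {}
    for user, userdb_uid, peer_uid in hits:
        grouped.setdefault(peer_uid, {})[user] = userdb_uid
    return grouped


def pipe_transport_identity(master_cf, service):
    """Return the literal user=... value of a master.cf pipe(8) service.

    Returns None if the service is missing, is not a pipe transport, or has
    no user= attribute. pipe(8) runs the command as this fixed identity;
    ${...} macros are expanded only in argv=, so the value is not expanded.
    """
    entry = []
    current = None
    for line in master_cf.splitlines():
        if line[:1].isspace():  # continuation of the previous entry
            if current == service:
                entry.append(line.strip())
            continue
        fields = line.split()
        current = fields[0] if fields else None
        if current == service:
            entry = fields[1:]  # type private unpriv chroot wakeup maxproc command ...
    if len(entry) < 7 or entry[6] != "pipe":
        return None
    m = re.search(r"\buser=(\S+)", " ".join(entry[7:]))
    return m.group(1) if m else None


if __name__ == "__main__":
    hits = parse_uid_mismatches(SAMPLE_LOG)
    for peer_uid, users in users_by_peer_uid(hits).items():
        print(f"LDA ran as uid {peer_uid}; mailbox owners it failed against: {users}")
    print("master.cf 'dovecot' transport runs as:",
          pipe_transport_identity(SAMPLE_MASTER_CF, "dovecot"))
```

Run against a real mail log and master.cf, the first function tells you which mailbox uids the LDA is being asked to deliver to, and the last one shows the single identity pipe(8) will ever use for that transport, which is exactly the pair the Dovecot error compares.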