LDAP olcAccess for auth_bind
Hi,

I'm trying to set up a production mail server. I have installed Dovecot on Debian from the package. For authentication, I have another machine running OpenLDAP, also installed on Debian. I would like the end mail client to authenticate with Dovecot using the login and password set in LDAP.

In the LDAP-related configuration, I have:

auth_bind=yes
base = ou=Users,dc=example,dc=com
user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password,\
pass_filter = (&(objectClass=posixAccount)(uid=%u))

The LDAP user is entered as uid=u...@example.com. With the default olcAccess permissions, it works and logs in correctly.

Here are my default olcAccess settings after installation:

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {9}to attrs=shadowLastChange by self write by * read
olcAccess: {10} to * by * read

However, I am not satisfied with these settings because using the anonymous user, anyone can browse the entire LDAP tree. While passwords are not visible with anonymous login, user data in the LDAP domain is exposed.

If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot browse LDAP, but the mail client user also cannot log in.

What should be the correct configuration?

--
Andrzej

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: LDAP olcAccess for auth_bind
Hi,

Thank you for your response. What you wrote makes sense, and it was definitely my mistake.
I have made the necessary changes in the settings.

auth_bind_userdn = cn=%u,ou=Users,dc=example,dc=com

I changed the user's cn to u...@example.com.

It appears that there is indeed a specific BIND attempt for this user. However, it does not resolve the issues with olcAccess.
If I change the last olcAccess entry from "olcAccess: {10} to * by * read" to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot browse LDAP, but the mail client user also cannot log in.

The LDAP server logs contain the following entries:

May 17 07:37:11 ldap0 slapd[262]: conn=1069 fd=14 ACCEPT from IP=192.168.204.94:45490 (IP=0.0.0.0:389)
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 BIND dn="" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=u...@example.com,ou=Users,dc=example,dc=com" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=u...@example.com,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND anonymous mech=implicit ssf=0
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND dn="" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=u...@example.com))"
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH attr=mail homeDirectory uidNumber gidNumber
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SEARCH RESULT tag=101 err=50 nentries=0 text=

The tag 101 corresponds to the search request response operation, and err=50 indicates insufficient access rights.
In the logs, we can see the event "BIND anonymous mech=implicit ssf=0," which suggests that Dovecot is attempting to connect anonymously.
The same thing happens when I perform such a query using ldapsearch and using the user u...@example.com on the LDAP server console.
In the logs, there is SEARCH RESULT tag=101 err=32 nentries=0 text=.

On Wed, May 17, 2023 at 8:12 AM Mihai Badici wrote:

> I think you need also add "by users read" but the problem in this setup is
> to find the user you have a filter so you need to search for this .
>
> So you need either specify a special binding account or the format of the
> binding user
>
> This is from the default config on debian :
>
>
> # For example:
> # auth_bind_userdn = cn=%u,ou=people,o=org
> #
>
>
> On 5/17/23 08:57, Andrzej Milewski wrote:
>
> Hi,
> I'm trying to set up a production mail server. I have installed Dovecot on
> Debian from the package. For authentication, I have another machine running
> OpenLDAP, also installed on Debian. I would like the end mail client to
> authenticate with Dovecot using the login and password set in LDAP.
>
> In the LDAP-related configuration, I have:
> auth_bind=yes
> base = ou=Users,dc=example,dc=com
> user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password,\
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>
> The LDAP user is entered as uid=u...@example.com. With the default
> olcAccess permissions, it works and logs in correctly.
>
> Here are my default olcAccess settings after installation:
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
> olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=ex
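One way to read slapd lines like the ones above mechanically, added here as an example (it is not code from the thread, from Dovecot or from OpenLDAP): it replays each connection's BIND and RESULT lines to track the identity every later search runs under, then flags searches that ran anonymously and were refused with err=50. The sample log is a constructed copy of the lines quoted above, with "user1@example.com" standing in for the elided user name.

```python
import re

# Constructed sample modelled on the slapd lines quoted in the thread; the real
# user name was elided there, so "user1@example.com" is a stand-in.
SAMPLE_LOG = """\
May 17 07:37:11 ldap0 slapd[262]: conn=1069 fd=14 ACCEPT from IP=192.168.204.94:45490 (IP=0.0.0.0:389)
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 BIND dn="" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=user1@example.com,ou=Users,dc=example,dc=com" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=user1@example.com,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND anonymous mech=implicit ssf=0
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND dn="" method=128
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 RESULT tag=97 err=0 text=
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=user1@example.com))"
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH attr=mail homeDirectory uidNumber gidNumber
May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SEARCH RESULT tag=101 err=50 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')   # "BIND anonymous ..." lines carry no dn= and are skipped
SRCH_RE = re.compile(r'^SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(\d+) err=(\d+)")

def replay_searches(log_text):
    """Walk the log in order, keeping per-connection state: the DN of the last
    successful BIND ("" = anonymous) is the identity every later op runs under.
    Returns one record per SRCH with that identity and its result code."""
    bound_as = {}       # conn -> current identity DN
    pending_bind = {}   # conn -> (op, dn) waiting for its RESULT line
    searches = {}       # (conn, op) -> record
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT / closed lines carry no op=
        conn, op, rest = m.group(1), int(m.group(2)), m.group(3)
        if (b := BIND_RE.match(rest)):
            pending_bind[conn] = (op, b.group(1))
        elif (s := SRCH_RE.match(rest)):
            searches[(conn, op)] = {"conn": conn, "op": op, "base": s.group(1),
                                    "filter": s.group(2), "err": None,
                                    "bound_as": bound_as.get(conn, "")}
        elif (r := RESULT_RE.match(rest)):
            err = int(r.group(2))
            if pending_bind.get(conn, (None,))[0] == op:
                if err == 0:              # tag 97 = BindResponse; success switches identity
                    bound_as[conn] = pending_bind[conn][1]
                del pending_bind[conn]
            elif (conn, op) in searches:
                searches[(conn, op)]["err"] = err
    return list(searches.values())

def anonymous_denied_searches(log_text):
    """The pattern behind the thread's failure: a lookup issued after an
    anonymous (re)bind and refused with err=50 insufficientAccessRights."""
    return [s for s in replay_searches(log_text)
            if s["bound_as"] == "" and s["err"] == 50]

if __name__ == "__main__":
    for s in anonymous_denied_searches(SAMPLE_LOG):
        print(f"conn={s['conn']} op={s['op']} ran anonymously and got err=50: {s['filter']}")
```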
Re: LDAP olcAccess for auth_bind
Hi,

My LDAP server is installed on a Proxmox container using the TurnKey Linux template. I always thought it was a clean Debian installation. I tried it on a fresh Debian installation, and both olcAccess and the LDAP tree differ significantly from what is provided in the template. I need to practice olcAccess permissions.

Thank you for the tips on configuring the Dovecot bind.

--
Andrzej

On Wed, May 17, 2023 at 11:01 AM Mihai Badici wrote:

> You can check if the acl's are correct using ldapsearch .
>
> This second bind without dn is weird so you need to check from where it
> comes.
>
> Anyway I think it is better to have a special user for binding because you
> can't use the %u if you have multiple organisational units which will occur
> in the near future for sure :) If somebody has one server they will not be
> happy with only one domain and you will not be happy to put all in the same
> container.
>
>
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND dn="" method=128
>
>
> On 5/17/23 11:24, Andrzej Milewski wrote:
>
> Hi,
> Thank you for your response. What you wrote makes sense, and it was
> definitely my mistake.
> I have made the necessary changes in the settings.
> auth_bind_userdn = cn=%u,ou=Users,dc=example,dc=com
>
> I changed the user's cn to u...@example.com.
>
> It appears that there is indeed a specific BIND attempt for this user.
> However, it does not resolve the issues with olcAccess.
> If I change the last olcAccess entry from "olcAccess: {10} to * by * read"
> to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot
> browse LDAP, but the mail client user also cannot log in.
>
> The LDAP server logs contain the following entries:
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 fd=14 ACCEPT from IP=192.168.204.94:45490 (IP=0.0.0.0:389)
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 BIND dn="" method=128
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=0 RESULT tag=97 err=0 text=
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=u...@example.com,ou=Users,dc=example,dc=com" method=128
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 BIND dn="cn=u...@example.com,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=1 RESULT tag=97 err=0 text=
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND anonymous mech=implicit ssf=0
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 BIND dn="" method=128
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=2 RESULT tag=97 err=0 text=
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH base="ou=Users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=u...@example.com))"
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SRCH attr=mail homeDirectory uidNumber gidNumber
> May 17 07:37:11 ldap0 slapd[262]: conn=1069 op=3 SEARCH RESULT tag=101 err=50 nentries=0 text=
>
> The tag 101 corresponds to the search request response operation, and
> err=50 indicates insufficient access rights.
> In the logs, we can see the event "BIND anonymous mech=implicit ssf=0,"
> which suggests that Dovecot is attempting to connect anonymously.
> The same thing happens when I perform such a query using ldapsearch and
> using the user u...@example.com on the LDAP server console.
> In the logs, there is SEARCH RESULT tag=101 err=32 nentries=0 text=.
>
> On Wed, May 17, 2023 at 8:12 AM Mihai Badici wrote:
>
>> I think you need also add "by users read" but the problem in this setup
>> is to find the user you have a filter so you need to search for this .
>>
>> So you need either specify a special binding account or the format of the
>> binding user
>>
>> This is from the default config on debian :
>>
>>
>> # For example:
>> # auth_bind_userdn = cn=%u,ou=people,o=org
>> #
>>
>>
>> On 5/17/23 08:57, Andrzej Milewski wrote:
>>
>> Hi,
>> I'm trying to set up a production mail server. I have installed Dovecot
>> on Debian from the package. For authentication, I have another machine
>> running OpenLDAP, also installed on Debian. I would like the end mail
>> client to authenticate with Dovecot using the login and password set in
>> LDAP.
>>
>> In the LDAP-related configuration, I have:
>> auth_bind=yes
>> base = ou=Users,dc=example,dc=com
>> user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
>> user_filter = (&(objectClass=posixAccount)(uid=%u))
>> pass_attrs = uid=user,userPassword=password,\
>> pa
Re: Outlook fails to connect to Dovecot submission server
Hello,

I may be mistaken, but I don't see "auth_mechanism = plain login" in your configuration. It's possible that you are using something different for authentication, but I don't see it in the configuration.

On Wed, May 17, 2023 at 4:04 PM Ralf Becker via dovecot wrote:

> Dovecot 2.3.20 including its submission server works well with all
> sorts of clients, but Outlook.
>
> Outlook works / can connect to Dovecot IMAP service with same
> certificate TLS config, but it fails to connect using SMTPs on port 465.
> Other clients connect and send mails without problem, also openssl
> s_client can connect and reports no problems.
>
> I tried with Outlook Version 365 on Windows 11 (no cloud) and
> "Microsoft® Outlook® 2021 MSO (Version 2304 Build 16.0.16327.20200)
> 64-bit".
>
> I already enabled all submission_client_workarounds and lowered
> min_ssl_version from TLSv1.2 to TLSv1, but that changed nothing.
>
> I can see nothing failing in the logs, though the OL connection wizard
> always checks IMAP and SMTP together, so it's hard to say what the
> problem is.
>
> The same two Outlook versions connect without a problem to Postfix
> authenticating via SASL to Dovecot also requiring a minimum TLS version
> of 1.2.
> They just won't connect with Dovecot submission server.
>
> Any ideas what's wrong, or how to debug that further?
>
> Ralf
>
> --
>
> Ralf Becker
> EGroupware GmbH [www.egroupware.org]
> Commercial register HRB Kaiserslautern 3587
> Managing directors Birgit and Ralf Becker
> Leibnizstr. 17, 67663 Kaiserslautern, Germany
> Phone +49 631 31657-0

--
Andrzej
Re: LDAP olcAccess for auth_bind
Hi,

I reviewed your guidelines and focused only on how olcAccess works to block anonymous users. I installed a blank native Debian and interestingly, the default Debian rules also allow anonymous reading of the LDAP directory.

olcAccess by Debian:
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1} to attrs=shadowLastChange by self write by * read
olcAccess: {2} to * by * read

After analyzing everything and testing, I started with two rules that block anonymous users and at the same time grant access to logged-in users. I realize that this is probably not enough and I should include some permissions in this, but this is the initial setting on which I can continue to work.

olcAccess by me:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1} to * by self write by users read by anonymous auth by * none

Thank you for your help.

On Wed, May 17, 2023 at 7:57 AM Andrzej Milewski wrote:

> Hi,
> I'm trying to set up a production mail server. I have installed Dovecot on
> Debian from the package. For authentication, I have another machine running
> OpenLDAP, also installed on Debian. I would like the end mail client to
> authenticate with Dovecot using the login and password set in LDAP.
>
> In the LDAP-related configuration, I have:
> auth_bind=yes
> base = ou=Users,dc=example,dc=com
> user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
> user_filter = (&(objectClass=posixAccount)(uid=%u))
> pass_attrs = uid=user,userPassword=password,\
> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>
> The LDAP user is entered as uid=u...@example.com. With the default
> olcAccess permissions, it works and logs in correctly.
>
> Here are my default olcAccess settings after installation:
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=example,dc=com
> olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
> olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {6}to filter=(objectClass=sambaDomain) by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {7}to dn.base="dc=example,dc=com" attrs=children by dn="cn=samba,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * read
> olcAccess: {8}to attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=nsspam,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
> olcAccess: {9}to attrs=shadowLastChange by self write by * read
> olcAccess: {10} to * by * read
>
> However, I am not satisfied with these settings because using the
> anonymous user, anyone can browse the entire LDAP tree. While passwords are
> not visible with anonymous login, user data in the LDAP domain is exposed.
>
> If I change the last olcAccess entry from "olcAccess: {10} to * by * read"
> to "olcAccess: {10} to * by anonymous auth," the anonymous user cannot
> browse LDAP, but the mail client user also cannot log in.
>
> What should be the correct configuration?
> --
> Andrzej
>

--
Andrzej Milewski
andrzej.milew...@gmail.com
tel. 0603957324
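To see why the earlier "to * by anonymous auth" attempt refused the lookup while the two rules above let bound users through, here is an added toy evaluator of slapd's first-match ACL semantics. It is not OpenLDAP code and not from the thread; it models only the "to *" and "to attrs=" targets and the self, users, anonymous, *, and dn="..." subjects that appear on this page, and the user DNs it uses are constructed because the real user name is elided.

```python
import re

# slapd access levels, weakest to strongest; a grant at level L satisfies any request <= L
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_access(value):
    """Parse one olcAccess value of the shape used in the thread:
    '{n} to <what> by <who> <level> [by <who> <level> ...]'. Only <what> = '*'
    or 'attrs=a,b' is modelled. Returns (attrs or None for all, [(who, level)])."""
    value = re.sub(r"^\{\d+\}\s*", "", value.strip())
    parts = re.split(r"\s+by\s+", value)
    what = parts[0]
    if not what.startswith("to "):
        raise ValueError("expected 'to <what>': " + value)
    what = what[3:].strip()
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = {a.strip() for a in what[6:].split(",")}
    else:
        raise ValueError("<what> form not modelled here: " + what)
    clauses = []
    for part in parts[1:]:
        who, level = part.split()
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append((who, level))
    return attrs, clauses

def who_matches(who, requester_dn, target_dn):
    """<who> selectors; requester_dn == "" means an anonymous (unbound) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == target_dn
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return requester_dn == m.group(1)
    raise ValueError("<who> form not modelled here: " + who)

def granted_level(rules, requester_dn, target_dn, attr):
    """slapd order: the first 'to' clause covering the attribute is the only one
    consulted; inside it the first matching 'by' clause decides, and no match
    means none. Rule sets on this page end in 'to *'; the toy denies otherwise."""
    for attrs, clauses in (parse_access(r) for r in rules):
        if attrs is None or attr in attrs:
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"
    return "none"

def allowed(rules, requester_dn, target_dn, attr, needed):
    return LEVELS.index(granted_level(rules, requester_dn, target_dn, attr)) >= LEVELS.index(needed)

# The two rule sets quoted in the post above.
DEBIAN_DEFAULT = [
    "{0} to attrs=userPassword by self write by anonymous auth by * none",
    "{1} to attrs=shadowLastChange by self write by * read",
    "{2} to * by * read",
]
THREAD_RULES = [
    "{0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none",
    "{1} to * by self write by users read by anonymous auth by * none",
]
# Constructed DNs (the thread elides the real user name).
USER_DN = "cn=user1@example.com,ou=Users,dc=example,dc=com"
OTHER_DN = "cn=user2@example.com,ou=Users,dc=example,dc=com"
ANON = ""
```

On a live server the same comparison is an anonymous `ldapsearch -x -b ou=Users,dc=example,dc=com` against one bound with `-D <user dn> -W`, as suggested earlier in the thread.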
Re: LDAP olcAccess for auth_bind
Hi,

I would like to ask about one more thing regarding LDAP server authentication. Am I understanding correctly that the auth_bind option, regardless of whether it is set to yes or no, and even if anonymous access to the LDAP directory is blocked, must be used with dn=cn=manager,dc=example,dc=com and dnpass=password to enable authentication? It seems to me that there are no other cases where Dovecot can query the LDAP server directly using the login and password provided by the client. To perform authentication, it must execute a BIND by an intermediate user, regardless of where the password check takes place - in LDAP or in Dovecot. Are there any other ways for the client to log in directly with their credentials on the Dovecot server?

On Mon, May 22, 2023 at 1:17 PM Andrzej Milewski wrote:

> Hi,
>
> I reviewed your guidelines and focused only on how olcAccess works to
> block anonymous users. I installed a blank native Debian and interestingly,
> the default Debian rules also allow anonymous reading of the LDAP directory.
>
> olcAccess by Debian:
> olcAccess: {0} to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1} to attrs=shadowLastChange by self write by * read
> olcAccess: {2} to * by * read
>
> After analyzing everything and testing, I started with two rules that
> block anonymous users and at the same time grant access to logged-in users.
> I realize that this is probably not enough and I should include some
> permissions in this, but this is the initial setting on which I can
> continue to work.
>
> olcAccess by me:
> olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
> olcAccess: {1} to * by self write by users read by anonymous auth by * none
>
> Thank you for your help.
>
> On Wed, May 17, 2023 at 7:57 AM Andrzej Milewski <
> andrzej.milew...@gmail.com> wrote:
>
>> Hi,
>> I'm trying to set up a production mail server. I have installed Dovecot
>> on Debian from the package. For authentication, I have another machine
>> running OpenLDAP, also installed on Debian. I would like the end mail
>> client to authenticate with Dovecot using the login and password set in
>> LDAP.
>>
>> In the LDAP-related configuration, I have:
>> auth_bind=yes
>> base = ou=Users,dc=example,dc=com
>> user_attrs = mail=couriermaildir:~/Maildir,homeDirectory=/home/%d/%uid/,uidNumber=uid,gidNumber=gid
>> user_filter = (&(objectClass=posixAccount)(uid=%u))
>> pass_attrs = uid=user,userPassword=password,\
>> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>>
>> The LDAP user is entered as uid=u...@example.com. With the default
>> olcAccess permissions, it works and logs in correctly.
>>
>> Here are my default olcAccess settings after installation:
>> # {1}mdb, config
>> dn: olcDatabase={1}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcMdbConfig
>> olcDatabase: {1}mdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=example,dc=com
>> olcAccess: {0}to dn.children="ou=Idmaps,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=laktopol,dc=pl" write by * none
>> olcAccess: {1}to dn.subtree="ou=Idmaps,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
>> olcAccess: {2}to dn.children="ou=Hosts,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * none
>> olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
>> olcAccess: {4}to dn.children="ou=Users,dc=example,dc=com" attrs=userPassword,shadowLastChange,SambaLMPassword,SambaNTPassword by self write by anonymous auth by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=laktopol,dc=pl" write by dn="cn=admin,dc=example,dc=com" write by * none
>> olcAccess: {5}to dn.children="ou=Users,dc=example,dc=com" by self write by dn="cn=samba,dc=example,dc=com" write by dn="cn=nsspam,dc=examp
Postlogin script ACL_GROUPS from LDAP
Hello,

I am testing the Dovecot mail server with the iRedMail configuration. My backend is based on LDAP. I would like to set up the "Public" folders in such a way as to grant permissions to specific groups of users. To achieve this, I created the following entry in the configuration:

acl = vfile:/etc/dovecot/dovecot-acl-global:cache_secs=300

For individual users, the global permissions work correctly, and I achieve what I want. However, I am unsure how to grant permissions for a group. Specifically, I know that I should include permissions for groups in this file, for example:

Public/ anyone l
Public/IT_Suwalki group=grupa1 lrwstipek
Public/IT_Suwalki/* group=grupa1 lrwstipekxa

But I don't know how to associate users with groups. From what I managed to figure out, the user should have the "ACL_GROUPS=grupa1,grupa2" variable, and it should be passed by the postlogin script. But how can I do that? Do you have any working example of such a script? Which LDAP attributes should this script utilize? In my LDAP, there is an attribute called "memberOfGroup"; can I use it?

Thank you for all the suggestions.

--
Andrzej Milewski
andrzej.milew...@gmail.com
tel. 0603957324