Re: [courier-users] maildiracl and group again
From: George S. <gs...@mh...> - 2008-11-27 15:19:54
OK, I read through the courier-authlib docs, and finally I saw the key. The trick is in this sentence:

"1. Read the name of a mail account. Determine the local account's home directory, and system userid and groupid."

If I set the user's default Linux group to be the name of the group in the maildiracl command then it works as expected.

Effectively authlib is calling getgid() and using it rather than calling getgroups() and iterating over the list.

AuthLib is brain-dead in this assumption that the user is only a member of one group. Even your suggestion is bad. What if I want to have multiple shared folders with a different group controlling access to each one? Worse, from what I can see you're setting one group for the whole system. That's REALLY bad.

This is a pretty sad limitation for an "authlib".

It looks like pam has a function pam_modutil_user_in_group_uid_nam() that takes a UID and a group name and checks membership. Has anyone thought of using it?

Is there a defect tracking system where I can put this limitation in as a bug?

Sam Varshavchik wrote:
> George Sexton writes:
>
>> And that's what I'm not getting. I looked through the courier-authlib
>> configuration files and none of it appeared to make sense.
>>
>> I guess I foolishly thought that if I set the group up at the OS
>> (/etc/passwd, /etc/group), that would work.
>>
>> Can you point me to something that would get me started?
>
> For each account, you have to set an account option named "group". How
> to set an account option depends on your authentication module.
>
> The LDAP example is documented in authldaprc, by setting
> LDAP_AUXOPTIONS. Setting
>
> LDAP_AUXOPTIONS usergroup=group
>
> Then the account's LDAP attribute "usergroup" sets the "group" option.
>
> authmysqlrc and authpgsqlrc contain instructions for defining account
> options as well, for MySQL and Postgres.

--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
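The distinction the message draws, between an access check that looks only at an account's primary group and one that also honors supplementary membership, as an added example (not courier-authlib code and not part of the original post). The function names are hypothetical, and lookups go through the system passwd and group databases.

```c
#define _POSIX_C_SOURCE 200809L
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Primary-group-only check (hypothetical helper).
 * Returns 1 if the gid in the user's passwd entry is the named group,
 * 0 if not, -1 if the user or group cannot be looked up. */
int in_primary_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t primary = pw->pw_gid;          /* copy before the next lookup */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    return gr->gr_gid == primary;
}

/* Full check (hypothetical helper): primary gid OR listed in the group's
 * member list. Group databases usually list only supplementary members,
 * so both tests are needed. Same return convention as above. */
int in_any_group(const char *user, const char *group)
{
    int r = in_primary_group(user, group);
    if (r != 0) return r;                /* 1 = match, -1 = lookup failure */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0) return 1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    printf("primary-only check:       %d\n", in_primary_group(argv[1], argv[2]));
    printf("with supplementary check: %d\n", in_any_group(argv[1], argv[2]));
    return 0;
}
```

Run against an account and a group it belongs to only as a supplementary member, the first line prints 0 and the second prints 1.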