From 71688532934217c117d79e80b89b2bd36eeadefc Mon Sep 17 00:00:00 2001
From: Johan Smits
Date: Sat, 2 Oct 2021 04:43:01 +0200
Subject: [PATCH] Microsoft Active Directory you can have groups in groups support. (#40)

To support this you need to set the leaf group member option for it to follow the sub groups (if any).
---
 Makefile | 2 ++
 README.md | 2 ++
 rootfs/etc/postfix/ldap/virtual-group-maps.cf | 10 ++++++++++
 rootfs/usr/local/bin/setup.sh | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/Makefile b/Makefile
index 6aa2e7be..8bf4e3c4 100644
--- a/Makefile
+++ b/Makefile
@@ -91,6 +91,8 @@ init_ldap: init_openldap init_redis
 -e LDAP_FORWARD_ATTRIBUTE="mail" \
 -e LDAP_GROUP_FILTER="(&(mail=%s)(objectClass=mailGroup))" \
 -e LDAP_GROUP_ATTRIBUTE="uid" \
+ -e LDAP_GROUP_RESULT_ATTRIBUTE="mail" \
+ -e LDAP_GROUP_RESULT_MEMBER="member" \
 -e LDAP_SENDER_FILTER="(&(|(mail=%s)(mailalias=%s))(objectClass=mailAccount))" \
 -e LDAP_SENDER_ATTRIBUTE="mail" \
 -e LDAP_DOVECOT_USER_ATTRS="=home=/var/mail/vhosts/%d/%n/,=mail=maildir:/var/mail/vhosts/%d/%n/mail/,mailuserquota=quota_rule=*:bytes=%\$$" \
diff --git a/README.md b/README.md
index d1f47fe9..d29c90d7 100644
--- a/README.md
+++ b/README.md
@@ -392,6 +392,8 @@ When using LDAP authentication the following additional variables become availab
 | **LDAP_GROUP_FILTER** | The search filter for group lookups | *optional* |
 | **LDAP_GROUP_ATTRIBUTE** | The attributes for group lookup | *optional* |
 | **LDAP_GROUP_FORMAT** | The format for group lookups | *optional* |
+| **LDAP_GROUP_RESULT_ATTRIBUTE** | The leaf result attribute group | *optional* |
+| **LDAP_GROUP_RESULT_MEMBER** | The special result attribute of the group | *optional* |
 | **LDAP_SENDER_SEARCH_BASE** | The search base for sender lookups | *optional* | ${LDAP_DEFAULT_SEARCH_BASE} |
 | **LDAP_SENDER_SEARCH_SCOPE** | The search scope for sender lookups | *optional* | ${LDAP_DEFAULT_SEARCH_SCOPE} |
 | **LDAP_SENDER_FILTER** | The search filter for sender lookups | **required** |
diff --git a/rootfs/etc/postfix/ldap/virtual-group-maps.cf b/rootfs/etc/postfix/ldap/virtual-group-maps.cf
index 9e9ce874..ea014aaa 100644
--- a/rootfs/etc/postfix/ldap/virtual-group-maps.cf
+++ b/rootfs/etc/postfix/ldap/virtual-group-maps.cf
@@ -28,9 +28,19 @@ search_base = {{ .LDAP_GROUP_SEARCH_BASE }}
 scope = {{ .LDAP_GROUP_SEARCH_SCOPE }}
 query_filter = {{ .LDAP_GROUP_FILTER }}
+
+{{ if ne .LDAP_GROUP_ATTRIBUTE "" }}
 result_attribute = {{ .LDAP_GROUP_ATTRIBUTE }}
+{{ end }}
 {{ if ne .LDAP_GROUP_FORMAT "" }}
 result_format = {{ .LDAP_GROUP_FORMAT }}
 {{ end }}
+{{ if ne .LDAP_GROUP_RESULT_ATTRIBUTE "" }}
+leaf_result_attribute = {{ .LDAP_GROUP_RESULT_ATTRIBUTE }}
+{{ end }}
+
+{{ if ne .LDAP_GROUP_RESULT_MEMBER "" }}
+special_result_attribute = {{ .LDAP_GROUP_RESULT_MEMBER }}
+{{ end }}
diff --git a/rootfs/usr/local/bin/setup.sh b/rootfs/usr/local/bin/setup.sh
index f1cbea3e..725555b6 100644
--- a/rootfs/usr/local/bin/setup.sh
+++ b/rootfs/usr/local/bin/setup.sh
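Review bot: In rootfs/etc/postfix/ldap/virtual-group-maps.cf the new `special_result_attribute` line turns on recursive DN/URL expansion of group members, and nothing in this hunk bounds that expansion. As I read ldap_table(5), entries reached through DN recursion are fetched by their DN rather than through `query_filter`, so whoever can write the member attribute on a matching group decides which entries the mail expands to; that deserves a sentence next to the two new README rows. Unless the part of the template above line 28 (outside this hunk) already sets it, consider adding `expansion_limit = 100` (constructed value; the Postfix default of 0 disables the limit) so an oversized or deeply nested group fails the lookup instead of expanding without bound. The variable names are also easy to misread, since `LDAP_GROUP_RESULT_ATTRIBUTE` feeds `leaf_result_attribute` while `LDAP_GROUP_ATTRIBUTE` feeds `result_attribute`; a one-line comment above each block, such as `# leaf_result_attribute: returned only from member (leaf) entries, not from the group entry itself`, would make the mapping explicit.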
@@ -126,6 +126,8 @@ if [ "$DBDRIVER" = "ldap" ]; then
 export LDAP_GROUP_FILTER
 export LDAP_GROUP_ATTRIBUTE
 export LDAP_GROUP_FORMAT
+ export LDAP_GROUP_RESULT_ATTRIBUTE
+ export LDAP_GROUP_RESULT_MEMBER
 export LDAP_SENDER_SEARCH_BASE
 export LDAP_SENDER_SEARCH_SCOPE
@@ -182,6 +184,8 @@ if [ "$DBDRIVER" = "ldap" ]; then
 LDAP_GROUP_FILTER=${LDAP_GROUP_FILTER:-}
 LDAP_GROUP_ATTRIBUTE=${LDAP_GROUP_ATTRIBUTE:-}
 LDAP_GROUP_FORMAT=${LDAP_GROUP_FORMAT:-}
+ LDAP_GROUP_RESULT_ATTRIBUTE=${LDAP_GROUP_RESULT_ATTRIBUTE:-}
+ LDAP_GROUP_RESULT_MEMBER=${LDAP_GROUP_RESULT_MEMBER:-}
 LDAP_SENDER_SEARCH_BASE=${LDAP_SENDER_SEARCH_BASE:-"${LDAP_DEFAULT_SEARCH_BASE}"}
 LDAP_SENDER_SEARCH_SCOPE=${LDAP_SENDER_SEARCH_SCOPE:-"${LDAP_DEFAULT_SEARCH_SCOPE}"}