Discussion:
Problem using groups(roles) in cyrus ACL
t***@web.de
2017-08-31 20:37:53 UTC
_______________________________________________
users mailing list
***@lists.kolab.org
https://lists.kolab.org/mailman/listinfo/users
Liutauras Adomaitis
2017-09-01 05:06:26 UTC
Hi,
Hi all,
we recently switched to Kolab for our Groupware needs and almost everything
seems to be working smoothly. However, we need to have group permissions
on shared folders and this is giving us a headache. For some reason the
Using cyradm trying to set the ACL with
setaclmailbox: group:testrole: lrs: Invalid identifier
kolab imap[28121]: ptload(): bad response from ptloader server: group identifier not found
kolab imap[28121]: ptload completely failed: unable to canonify identifier: group:testrole
The group however seems to be set up correctly (as a role in webadmin),
time: 1504171652
groups: 1
group:testrole
We have no idea what the problem could be or how to debug this further. Any
help would be greatly appreciated.
How are your groups defined in /etc/imapd.conf?
What version of OS, Kolab and Cyrus IMAP are you running?

Liutauras
t***@web.de
2017-09-01 06:09:07 UTC
Skale, Franz
2017-09-01 07:28:57 UTC
Hi,
CentOS 7
kolab-webadmin-3.2.11-2.1.el7.kolab_16
cyrus-imapd-2.5.11-8.1.el7.kolab_16
ldap_user_attribute: mail
ldap_group_base: dc=acme,dc=com
ldap_group_filter: (cn=%u)
ldap_group_scope: one
ldap_member_base: ou=People,dc=acme,dc=com
ldap_member_method: attribute
ldap_member_attribute: nsrole
Thanks
Bob
I think your groupbase is wrong:
Excerpt of my imapd.conf (Multidomain, but self-explanatory).

ldap_group_base: ou=Groups,dc=%2,dc=%1
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one

Rgds.
Franz
t***@web.de
2017-09-06 12:10:16 UTC
Post by Skale, Franz
Excerpt of my imapd.conf (Multidomain, but self-explanatory).
ldap_group_base: ou=Groups,dc=%2,dc=%1
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
Thx Franz,

this pushed us in the right direction, since there was some confusion regarding the group and member selection. Here are our configs which might be useful for others:

Using Kolab roles as groups:
ldap_group_base: dc=acme,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=people,dc=acme,dc=com
ldap_member_method: attribute
ldap_member_attribute: nsrole

Using Kolab groups as groups:
ldap_group_base: ou=groups,dc=acme,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=groupofuniquenames))
ldap_group_scope: one
ldap_member_base: dc=acme,dc=com
ldap_member_method: filter
ldap_member_filter: (&(uniqueMember=%D)(objectclass=groupofuniquenames))
ldap_member_attribute: cn
ldap_size_limit: 10

Note the ldap_size_limit in the second example (defaults to 1). Since the member filter returns multiple results for users with multiple groups, they won't be able to log in anymore if ldap_size_limit is not increased.

Group-ACLs can be set using group:groupname via cmd-line or webadmin.


Thanks all,

Bob
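Putting the three imapd.conf variants from this thread side by side, the following Python sketch is an added illustration (not Cyrus or Kolab code) of the two lookups ptloader derives from those keys: resolving a group:NAME ACL identifier through ldap_group_base, ldap_group_filter and ldap_group_scope, and collecting a user's groups at login through ldap_member_method attribute (nsrole) or filter (uniqueMember=%D). The directory it searches is constructed inline; the %u and %D substitutions, the DN-to-cn mapping for nsrole values and a default ldap_member_scope of sub are assumptions. The rule that objectclass=ldapsubentry entries (Kolab roles) stay invisible unless the filter names that class mirrors 389 Directory Server, which is why the plain (cn=%u) filter from the first post returned nothing and why Franz's filter adds the two object classes. The size-limit check reproduces the login failure Bob notes: with the default ldap_size_limit of 1, a user in two groups gets no group list at all.

```python
# Toy model of the two LDAP lookups Cyrus ptloader derives from imapd.conf; added for this
# thread, not Cyrus or Kolab code. Assumed: %u in ldap_group_filter is the name after "group:",
# %D in ldap_member_filter is the user's DN. As in 389 Directory Server, search() hides
# objectclass=ldapsubentry entries (Kolab roles) unless the filter names that class.

DIRECTORY = {  # constructed sample directory; attribute names, values and DNs are lower-cased
    "dc=acme,dc=com": {"objectclass": ["domain"]},
    "cn=testrole,dc=acme,dc=com": {"objectclass": ["ldapsubentry", "nsroledefinition"],
                                   "cn": ["testrole"]},  # Kolab role: a subentry under the base
    "uid=alice,ou=people,dc=acme,dc=com": {"objectclass": ["inetorgperson"],
                                           "nsrole": ["cn=testrole,dc=acme,dc=com"]},
    "uid=bob,ou=people,dc=acme,dc=com": {"objectclass": ["inetorgperson"]},
    "cn=sales,ou=groups,dc=acme,dc=com": {"objectclass": ["groupofuniquenames"], "cn": ["sales"],
        "uniquemember": ["uid=alice,ou=people,dc=acme,dc=com", "uid=bob,ou=people,dc=acme,dc=com"]},
    "cn=support,ou=groups,dc=acme,dc=com": {"objectclass": ["groupofuniquenames"], "cn": ["support"],
        "uniquemember": ["uid=bob,ou=people,dc=acme,dc=com"]},
}
ALICE, BOB = "uid=alice,ou=people,dc=acme,dc=com", "uid=bob,ou=people,dc=acme,dc=com"

# Bob's first imapd.conf from the thread, his working role-based fix, and his group-based variant.
BROKEN_ROLE_CONF = {"ldap_group_base": "dc=acme,dc=com", "ldap_group_filter": "(cn=%u)",
                    "ldap_group_scope": "one", "ldap_member_base": "ou=People,dc=acme,dc=com",
                    "ldap_member_method": "attribute", "ldap_member_attribute": "nsrole"}
ROLE_CONF = dict(BROKEN_ROLE_CONF,
                 ldap_group_filter="(&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))")
GROUP_CONF = {"ldap_group_base": "ou=groups,dc=acme,dc=com", "ldap_group_scope": "one",
              "ldap_group_filter": "(&(cn=%u)(objectclass=groupofuniquenames))",
              "ldap_member_base": "dc=acme,dc=com", "ldap_member_method": "filter",
              "ldap_member_filter": "(&(uniqueMember=%D)(objectclass=groupofuniquenames))",
              "ldap_member_attribute": "cn", "ldap_size_limit": 10}

class SizeLimitExceeded(Exception):
    """Stands in for LDAP result code 4 (sizeLimitExceeded), which ptloader treats as a failed lookup."""

def parse_filter(text):
    """Parse a minimal RFC 4515 filter, (attr=value) nested under (&...) or (|...), into a tree."""
    pos = 0

    def node():
        nonlocal pos
        pos += 1  # skip the opening '('
        if text[pos] in "&|":
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # the closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")  # split at the first '=' so DN values survive
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip().lower())

    return node()

def matches(tree, entry):
    if tree[0] == "=":
        return tree[2] in entry.get(tree[1], [])
    return (all if tree[0] == "&" else any)(matches(k, entry) for k in tree[1])

def mentions(tree, attr, value):
    return tree[1:] == (attr, value) if tree[0] == "=" else any(mentions(k, attr, value) for k in tree[1])

def in_scope(dn, base, scope):
    if scope == "one":
        return dn.split(",", 1)[1:] == [base]
    return dn == base if scope == "base" else dn == base or dn.endswith("," + base)

def search(base, scope, filt, size_limit=1):
    """Return matching DNs, or raise once more than ldap_size_limit entries match."""
    tree, base = parse_filter(filt), base.lower()
    show_subentries = mentions(tree, "objectclass", "ldapsubentry")
    hits = [dn for dn, entry in DIRECTORY.items()
            if in_scope(dn, base, scope) and matches(tree, entry)
            and (show_subentries or "ldapsubentry" not in entry["objectclass"])]
    if len(hits) > size_limit:
        raise SizeLimitExceeded("%d matches but ldap_size_limit is %d" % (len(hits), size_limit))
    return hits

def canonify_group(conf, name):
    """Resolve the ACL identifier "group:<name>"; None is the thread's "Invalid identifier" outcome."""
    hits = search(conf["ldap_group_base"], conf["ldap_group_scope"],
                  conf["ldap_group_filter"].replace("%u", name.lower()), conf.get("ldap_size_limit", 1))
    return "group:" + DIRECTORY[hits[0]]["cn"][0] if len(hits) == 1 else None

def user_groups(conf, user_dn):
    """Group names ptloader would cache for a user at login, by either ldap_member_method."""
    user_dn = user_dn.lower()
    if conf["ldap_member_method"] == "attribute":
        # Kolab roles: nsrole holds role DNs; mapping each to its cn is assumed, not taken from ptloader
        values = DIRECTORY[user_dn].get(conf["ldap_member_attribute"], [])
        return sorted(DIRECTORY[v]["cn"][0] if v in DIRECTORY else v for v in values)
    hits = search(conf["ldap_member_base"], conf.get("ldap_member_scope", "sub"),  # sub: assumed default
                  conf["ldap_member_filter"].replace("%D", user_dn), conf.get("ldap_size_limit", 1))
    return sorted(DIRECTORY[dn][conf["ldap_member_attribute"]][0] for dn in hits)

def groups_at_login(conf, user_dn):
    """user_groups() with the thread's symptom made visible: None means the user cannot log in."""
    try:
        return user_groups(conf, user_dn)
    except SizeLimitExceeded:
        return None
```

canonify_group(BROKEN_ROLE_CONF, "testrole") returns None while canonify_group(ROLE_CONF, "testrole") returns "group:testrole", and groups_at_login(dict(GROUP_CONF, ldap_size_limit=1), BOB) returns None because Bob's two groupOfUniqueNames memberships exceed the default limit; the same call with GROUP_CONF as written (limit 10) returns both groups.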
