Microsoft Active Directory you can have groups in groups support. (#40)

johansmitsnl · web-flow · commit 716885329342 · 2021-10-02T04:43:01.000+02:00
To support this you need to set the leaf group member option for it
to follow the sub groups (if any).
diff --git a/Makefile b/Makefile
@@ -91,6 +91,8 @@ init_ldap: init_openldap init_redis
 		-e LDAP_FORWARD_ATTRIBUTE="mail" \
 		-e LDAP_GROUP_FILTER="(&(mail=%s)(objectClass=mailGroup))" \
 		-e LDAP_GROUP_ATTRIBUTE="uid" \
+		-e LDAP_GROUP_RESULT_ATTRIBUTE="mail" \
+		-e LDAP_GROUP_RESULT_MEMBER="member" \
 		-e LDAP_SENDER_FILTER="(&(|(mail=%s)(mailalias=%s))(objectClass=mailAccount))" \
 		-e LDAP_SENDER_ATTRIBUTE="mail" \
 		-e LDAP_DOVECOT_USER_ATTRS="=home=/var/mail/vhosts/%d/%n/,=mail=maildir:/var/mail/vhosts/%d/%n/mail/,mailuserquota=quota_rule=*:bytes=%\$$" \
diff --git a/README.md b/README.md
@@ -392,6 +392,8 @@ When using LDAP authentication the following additional variables become availab
 | **LDAP_GROUP_FILTER**               | The search filter for group lookups                  | *optional*                                   |
 | **LDAP_GROUP_ATTRIBUTE**            | The attributes for group lookup                      | *optional*                                   |
 | **LDAP_GROUP_FORMAT**               | The format for group lookups                         | *optional*                                   |
+| **LDAP_GROUP_RESULT_ATTRIBUTE**     | The leaf result attribute group                      | *optional*                                   |
+| **LDAP_GROUP_RESULT_MEMBER**        | The special result attribute of the group            | *optional*                                   |
 | **LDAP_SENDER_SEARCH_BASE**         | The search base for sender lookups                   | *optional*                                   | ${LDAP_DEFAULT_SEARCH_BASE}  |
 | **LDAP_SENDER_SEARCH_SCOPE**        | The search scope for sender lookups                  | *optional*                                   | ${LDAP_DEFAULT_SEARCH_SCOPE} |
 | **LDAP_SENDER_FILTER**              | The search filter for sender lookups                 | **required**                                 |
diff --git a/rootfs/etc/postfix/ldap/virtual-group-maps.cf b/rootfs/etc/postfix/ldap/virtual-group-maps.cf
@@ -28,9 +28,19 @@ search_base = {{ .LDAP_GROUP_SEARCH_BASE }}
 scope = {{ .LDAP_GROUP_SEARCH_SCOPE }}
 
 query_filter = {{ .LDAP_GROUP_FILTER }}
+
+{{ if ne .LDAP_GROUP_ATTRIBUTE "" }}
 result_attribute = {{ .LDAP_GROUP_ATTRIBUTE }}
+{{ end }}
 
 {{ if ne .LDAP_GROUP_FORMAT "" }}
 result_format = {{ .LDAP_GROUP_FORMAT }}
 {{ end }}
 
+{{ if ne .LDAP_GROUP_RESULT_ATTRIBUTE "" }}
+leaf_result_attribute = {{ .LDAP_GROUP_RESULT_ATTRIBUTE }}
+{{ end }}
+
+{{ if ne .LDAP_GROUP_RESULT_MEMBER "" }}
+special_result_attribute = {{ .LDAP_GROUP_RESULT_MEMBER }}
+{{ end }}
diff --git a/rootfs/usr/local/bin/setup.sh b/rootfs/usr/local/bin/setup.sh
@@ -126,6 +126,8 @@ if [ "$DBDRIVER" = "ldap" ]; then
   export LDAP_GROUP_FILTER
   export LDAP_GROUP_ATTRIBUTE
   export LDAP_GROUP_FORMAT
+  export LDAP_GROUP_RESULT_ATTRIBUTE
+  export LDAP_GROUP_RESULT_MEMBER
 
   export LDAP_SENDER_SEARCH_BASE
   export LDAP_SENDER_SEARCH_SCOPE
@@ -182,6 +184,8 @@ if [ "$DBDRIVER" = "ldap" ]; then
   LDAP_GROUP_FILTER=${LDAP_GROUP_FILTER:-}
   LDAP_GROUP_ATTRIBUTE=${LDAP_GROUP_ATTRIBUTE:-}
   LDAP_GROUP_FORMAT=${LDAP_GROUP_FORMAT:-}
+  LDAP_GROUP_RESULT_ATTRIBUTE=${LDAP_GROUP_RESULT_ATTRIBUTE:-}
+  LDAP_GROUP_RESULT_MEMBER=${LDAP_GROUP_RESULT_MEMBER:-}
 
   LDAP_SENDER_SEARCH_BASE=${LDAP_SENDER_SEARCH_BASE:-"${LDAP_DEFAULT_SEARCH_BASE}"}
   LDAP_SENDER_SEARCH_SCOPE=${LDAP_SENDER_SEARCH_SCOPE:-"${LDAP_DEFAULT_SEARCH_SCOPE}"}
