Enforce minimum membership of mailusers to send/receive(IMAP) mail

jb3 · jb3 · commit d8fc3ec57174 · 2026-04-03T22:56:31.000+01:00
diff --git a/ansible/roles/dovecot/templates/configs/auth-ldap.conf.ext.j2 b/ansible/roles/dovecot/templates/configs/auth-ldap.conf.ext.j2
@@ -81,7 +81,7 @@ passdb ldap {
   }
   bind = yes
 
-  filter = (&(objectClass=posixAccount)(uid=%{user | username}))
+  filter = (&(objectClass=posixAccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=box,dc=pydis,dc=wtf)(uid=%{user | username}))
   driver = ldap
   ldap_connection_group = passdb
 }
@@ -93,7 +93,7 @@ userdb ldap {
     sieve = %{home}/main.sieve
     sieve_user_log_path = %{home}/sieve.log
   }
-  filter = (&(objectClass=posixAccount)(uid=%{user | username}))
+  filter = (&(objectClass=posixAccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=box,dc=pydis,dc=wtf)(uid=%{user | username}))
   driver = ldap
   ldap_connection_group = userdb
 }

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ passdb ldap {`
`81`	`81`	`}`
`82`	`82`	`bind = yes`
`83`	`83`
`84`		`- filter = (&(objectClass=posixAccount)(uid=%{user \| username}))`
	`84`	`+ filter = (&(objectClass=posixAccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=box,dc=pydis,dc=wtf)(uid=%{user \| username}))`
`85`	`85`	`driver = ldap`
`86`	`86`	`ldap_connection_group = passdb`
`87`	`87`	`}`
`@@ -93,7 +93,7 @@ userdb ldap {`
`93`	`93`	`sieve = %{home}/main.sieve`
`94`	`94`	`sieve_user_log_path = %{home}/sieve.log`
`95`	`95`	`}`
`96`		`- filter = (&(objectClass=posixAccount)(uid=%{user \| username}))`
	`96`	`+ filter = (&(objectClass=posixAccount)(memberof=cn=mailusers,cn=groups,cn=accounts,dc=box,dc=pydis,dc=wtf)(uid=%{user \| username}))`
`97`	`97`	`driver = ldap`
`98`	`98`	`ldap_connection_group = userdb`
`99`	`99`	`}`