From 9af7a5aa56e673a40ab19a4014b5b22a6813adc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Tue, 3 Sep 2019 09:34:47 +0200
Subject: [PATCH] add original ldapsearch for groups from dovecot

---
 scripts/acl_groups.py | 73 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100755 scripts/acl_groups.py

diff --git a/scripts/acl_groups.py b/scripts/acl_groups.py
new file mode 100755
index 0000000..d5fded2
--- /dev/null
+++ b/scripts/acl_groups.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+#
+# A Dovecot post-login script for IMAP. This creates environment
+# ACL_GROUPS with a comma-separated list of the user's LDAP group
+# memberships and then execs the Dovecot IMAP handler.
+#
+
+import ldap, os, sys;
+import logging
+import sys
+import re
+logging.basicConfig(level=logging.DEBUG,filename='/var/log/dovecot-acl/dovecot-acl_groups.py.log')
+logger = logging.getLogger(__name__)
+
+ldapUrl = "ldap://ldap.schuerz.at"
+bindAccount = "cn=service_id,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at"
+bindPw = 'Tha7iekahheeth8zie6Ao1eh'
+
+searchBase = "ou=users,dc=schuerz,dc=at"
+searchFilter = "(&(objectClass=posixAccount)(uid={0}))"
+
+groupBase = re.compile("ou=groups,dc=schuerz,dc=at|cn=perm-svc-mailserver_admins,ou=mailserver,ou=system,ou=services,dc=schuerz,dc=at")
+logger.debug(groupBase)
+
+logger.debug("ENV: %s" % (os.environ))
+user = {0}
+groups = []
+
+l = ldap.initialize(ldapUrl)
+l.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/Xunde_Energie_Chain-CA.pem')
+l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
+l.set_option(ldap.OPT_X_TLS_DEMAND, True)
+l.set_option(ldap.OPT_DEBUG_LEVEL, 255)
+l.set_option(ldap.OPT_REFERRALS, 0)
+l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+l.start_tls_s()
+l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)
+res = l.search_s(searchBase, ldap.SCOPE_SUBTREE,
+ searchFilter.format(os.environ["USER"]),
+ ['memberOf'])
+for dn, entry in res:
+ try:
+ for g in entry['memberOf']:
+ # Returns 'cn=All UK staff,ou=Groups,dc=example,dc=com' etc.
+ # Fish out 'All UK staff' as group name.
+ if groupBase.search(g):
+ logger.debug("XXX " + g)
+ groups.append(g.split(',', 1)[0][3:])
+ else:
+ logger.debug("--- " + g)
+ except KeyError:
+ pass # User in no groups.
+
+#logger.debug('USERDB_KEYS: (before) '+str(os.environ["USERDB_KEYS"]))
+os.environ["ACL_GROUPS"] = ",".join(set(groups))
+try:
+ logger.debug('try')
+ #os.environ["USERDB_KEYS"] += " GROUPS"
+ os.environ["USERDB_KEYS"] += "acl_groups"
+except KeyError:
+ logger.debug('except')
+ #os.environ["USERDB_KEYS"] = "GROUPS"
+ os.environ["USERDB_KEYS"] = "acl_groups"
+
+logger.debug('ACL_GROUPS: '+str(os.environ["ACL_GROUPS"]))
+logger.debug('USERDB_KEYS: '+str(os.environ["USERDB_KEYS"]))
+logger.debug("ENV(after): %s" % (os.environ))
+logger.debug('sys.argv[1]: '+str(sys.argv[1]))
+logger.debug('sys.argv[1:]: '+str(sys.argv[1:]))
+logger.debug('sys.argv: '+str(sys.argv))
+logger.debug('-------------------------')
+os.execv(sys.argv[1], sys.argv[1:])
+sys.exit(1) # In case above fails
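Review bot: The LDAP bind password is committed in clear text on the `bindPw = '...'` line, in a file added with mode 100755; it should be read at start-up from a root-only file outside the repository and the exposed credential rotated. The user name is placed into the filter unescaped on the `searchFilter.format(os.environ["USER"])` line, so even though it comes from an already-authenticated login it should be wrapped with python-ldap's `ldap.filter.escape_filter_chars(...)` to keep `*`, `(` and `)` from altering the match. `l.bind(bindAccount, bindPw, ldap.AUTH_SIMPLE)` is the asynchronous form and its result is never collected before `search_s`, so the search can be issued before the bind has completed; `l.simple_bind_s(bindAccount, bindPw)` makes the order explicit, and the neighbouring `l.set_option(ldap.OPT_X_TLS_DEMAND, True)` appears to use a value constant as an option key — `OPT_X_TLS_DEMAND` is the value for `ldap.OPT_X_TLS_REQUIRE_CERT`, so certificate checking against the CA file may not be enforced as written. Logging the whole `os.environ` at DEBUG (both `"ENV: %s"` dumps) together with `OPT_DEBUG_LEVEL, 255` writes the post-login environment, which can carry userdb fields, to the log file, so those dumps should go and the log file needs root-only permissions. Separately, `os.environ["USERDB_KEYS"] += "acl_groups"` has no separator and will fuse with the previous key name; the commented-out line above it shows the intended `" acl_groups"` form.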