[Dovecot] multiple users to same e-mail account with ldap authentication

Ben Morrow ben at morrow.me.uk
Tue Nov 13 19:51:50 EET 2012


At  2PM +0100 on 13/11/12 you (Marco Gatti) wrote:
> 2012/11/13 Robert Schetterer <rs at sys4.de>:
> > Am 13.11.2012 11:35, schrieb Marco Gatti:
> >> Hi, I was looking for a particular case of dovecot configuration I
> >> cannot find anywhere.
> >> Is there a way dovecot can authenticate via ldap different windows
> >> 2008 AD users that have access to the same e-mail account (like user
> >> authorization in ms exchange)?
> >> For example I want to extend AD schema to let users have 10 email
> >> accounts (with multiple domain support). If they are private accounts
> >> I think there is no problem at all. But if I want two or more users to
> >> access the same mail account what happens? Can I do it with dovecot?
> >> Or should I create AD groups and add members to that, to let user
> >> access the same mail account?
<snip>
> I'll try to give more details.
> I have to build a multiple domain mail server with the use of windows
> AD authentication.
> I've managed to add some extra fields in the AD schema like this:
> 
> mail1: account1 at example1.com
> box1: /example1.com/account1/
> enabled1: TRUE
> quota1: 1000000
> 
> mail2: account2 at example2.com
> box2: /example2.com/account2/
> enabled2: TRUE
> quota2: 1000000

This isn't a good schema to use for this. The mail1, mail2 &c attributes
represent the same property of different addresses, so they should be
the same attribute on different objects.

I don't know much about AD's LDAP server; is it straightforward to
create brand new objectclasses? If I were doing this in an ordinary LDAP
server I might create a class of objects which looked like

    mailboxAddr: account1 at example1.com
    mailboxLocation: /example1/account1
    mailboxEnabled: TRUE
    mailboxQuota: 1000000

with mailboxAddr as the RDN, and then give each user a multi-valued
mailbox attribute with the addresses that user has access to.

> There could be 10 or 50 of them for each AD user.
> If I use NTLM or PAM authentication (after joining the AD) I have to
> use AD usernames to login with dovecot and I don't know how then to
> deal with different email addresses configured per user.
> If I use LDAP lookup I have to use the email address as username but
> then if different AD users have to access the same email account how
> can dovecot manage it?

If you want the user to be able to log in and see just one address at a
time you have to have the user tell dovecot which user and which address
they want when they log in. Since (usually) the only fields you have are
'user' and 'password', they will need to stuff both components into the
user field somehow; perhaps by logging on with a user name of

    user at domain.ad!account1 at example.com

You would then need (probably) to write a checkpassword userdb script to
split this into username and account name, verify the user is authorized
for the account, look up the mailbox location using the account name,
and pass the username back to be checked against the password. So, it
could be done, but it would be messy and users would get it wrong all
the time.

Alternatively, you could have the user log in with their ordinary AD
account name, and then present them with *all* the email accounts they
have access to, as separate (trees of) folders. You can do this with a
post-login script which sets up a namespace for each account: see the
example at the bottom of http://wiki2.dovecot.org/PostLoginScripting for
something vaguely similar. You would need to use Net::LDAP (or some
equivalent in some other language) to look up the user's accounts in the
AD, and then create the relevant environment variables.

(I'm not sure what to do about INBOX in a setup like this: I don't think
you're allowed to *not* have an INBOX. Probably each user should have
one 'canonical' private account, which contains their IMAP INBOX. If you
didn't want to do this I expect you could set up a default namespace
which is read-only, with just an empty INBOX in it.)

If you want to try this, and you're having trouble getting the scripting
right, I'd be happy to help you through it if you can post enough
information about the LDAP schema you eventually decide on.

Ben
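The two designs Ben sketches above (a split "user!account" login that a checkpassword-style script has to parse and authorize, and the post-login alternative that exports one namespace per mailbox the AD user may access, with a canonical account carrying INBOX) as an added worked example. This is not code from the thread or from Dovecot; it is written for this page. The LDAP lookup is replaced by a constructed in-memory directory shaped like the mailboxAddr/mailboxLocation objectclass Ben proposes, the `!` separator, the `/var/mail` root, the `CANONICAL` mapping and the `NAMESPACE_<n>_*` / `USERDB_KEYS` environment names are assumptions (the namespace names follow the convention of the wiki example Ben links; check them against your Dovecot version before relying on them).

```python
"""Glue logic for the split-login and per-namespace designs (added example)."""
from typing import Dict, List, Tuple

SEPARATOR = "!"          # assumed separator: <ad-user>!<mailbox address>
MAILDIR_ROOT = "/var/mail"  # assumed filesystem root for mailboxLocation values

# Constructed stand-in for the directory. In production these would be LDAP
# queries: one object per mailbox (mailboxAddr as RDN) and a multi-valued
# "mailbox" attribute on each AD user listing the addresses it may open.
MAILBOXES: Dict[str, dict] = {
    "account1@example1.com": {"location": "/example1.com/account1/", "enabled": True},
    "account2@example2.com": {"location": "/example2.com/account2/", "enabled": True},
    "shared@example1.com":   {"location": "/example1.com/shared/",   "enabled": True},
    "old@example2.com":      {"location": "/example2.com/old/",      "enabled": False},
}
USER_MAILBOXES: Dict[str, List[str]] = {
    "alice@corp.ad": ["account1@example1.com", "shared@example1.com", "old@example2.com"],
    "bob@corp.ad":   ["account2@example2.com", "shared@example1.com"],
}
# Assumed: each user's one private account, which supplies the IMAP INBOX.
CANONICAL: Dict[str, str] = {
    "alice@corp.ad": "account1@example1.com",
    "bob@corp.ad":   "account2@example2.com",
}


class LoginError(ValueError):
    """Malformed login name, or user not authorized for that mailbox."""


def parse_login(login: str) -> Tuple[str, str]:
    """Split 'user@domain.ad!account@example.com' into (ad_user, mailbox).

    Exactly one separator and a user@domain shape on both halves are
    required, so a mistyped login fails here rather than in a directory query.
    """
    if login.count(SEPARATOR) != 1:
        raise LoginError("login must be <ad-user>!<mailbox>")
    ad_user, mailbox = login.split(SEPARATOR, 1)
    for part in (ad_user, mailbox):
        local, at, domain = part.partition("@")
        if not (local and at and domain):
            raise LoginError("both halves must look like user@domain")
    return ad_user.lower(), mailbox.lower()


def authorize(login: str) -> Tuple[str, str]:
    """Return (ad_user, mailbox_location) or raise LoginError.

    The AD user is returned so the password is checked against the *user*,
    never against the shared mailbox; the mailbox only decides the location.
    """
    ad_user, mailbox = parse_login(login)
    if mailbox not in USER_MAILBOXES.get(ad_user, []):
        raise LoginError(f"{ad_user} is not authorized for {mailbox}")
    entry = MAILBOXES.get(mailbox)
    if entry is None or not entry["enabled"]:
        raise LoginError(f"mailbox {mailbox} is unknown or disabled")
    return ad_user, entry["location"]


def checkpassword_env(login: str) -> Dict[str, str]:
    """Environment a checkpassword-style script would hand back to Dovecot.

    USER is the AD account to authenticate; the mail location travels as a
    userdb_* extra field listed in EXTRA (Dovecot checkpassword convention).
    """
    ad_user, location = authorize(login)
    return {
        "USER": ad_user,
        "HOME": f"{MAILDIR_ROOT}{location}",
        "userdb_mail": f"maildir:{MAILDIR_ROOT}{location}",
        "EXTRA": "userdb_mail",
    }


def namespace_env(ad_user: str) -> Dict[str, str]:
    """Post-login alternative: one namespace per enabled mailbox of the user.

    The canonical private account becomes namespace 1 with an empty prefix
    and inbox=yes; every other mailbox hangs under '<address>/'. Disabled
    mailboxes are left out rather than exposed read-only.
    """
    canonical = CANONICAL.get(ad_user)
    boxes = [m for m in USER_MAILBOXES.get(ad_user, [])
             if MAILBOXES.get(m, {}).get("enabled")]
    boxes.sort(key=lambda m: (m != canonical, m))   # canonical first
    env: Dict[str, str] = {}
    keys: List[str] = []
    for n, mailbox in enumerate(boxes, start=1):
        is_inbox = mailbox == canonical
        settings = {
            "prefix": "" if is_inbox else f"{mailbox}/",
            "location": f"maildir:{MAILDIR_ROOT}{MAILBOXES[mailbox]['location']}",
            "separator": "/",
            "inbox": "yes" if is_inbox else "no",
            "list": "yes",
        }
        for key, value in settings.items():
            env[f"NAMESPACE_{n}_{key.upper()}"] = value   # assumed env naming
            keys.append(f"namespace/{n}/{key}")
    env["USERDB_KEYS"] = " ".join(keys)
    return env
```

Both paths deliberately share `authorize()` semantics: the directory answers "which mailboxes may this AD user open", and the user's own AD password is the only credential ever checked. A real deployment would replace the three dictionaries with LDAP queries and keep the rest unchanged.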