authenticate as userA, but get authorization to user userB's account

Kadlecsik József kadlecsik.jozsef at wigner.mta.hu
Wed Oct 25 14:28:22 EEST 2017


Hi,

On Wed, 25 Oct 2017, Heiko Schlittermann wrote:

> given a small organization. There are *personal* mailboxes (mailbox per 
> user, incl. subfolders et cetera). The users can share specific folders 
> via the ACL (we call it "other users/", Dovecot calls it "shared" 
> folder. Additionally there are mailboxes Dovecot calls "public" (we use 
> the term "groups/"). They are not associated with a specific account, 
> but accessible via ACL only. (A good example for the latter is 
> "info at example.com")
> 
> But now they're seeking a way to implement "role" accounts.
> 
> We could create new "role" users, share the password and create an 
> additional account within the mail client (thunderbird) they use. From 
> users perspective it is exactly what they want. But I dislike the idea 
> of sharing the password.
> 
> Question: Is there any way to split the authentication from the 
> authorization within common mail clients (such as Thunderbird) in combination 
> with Dovecot? That is, doing something like logging in to the account 
> sales at example.com, using the credentials of one's very own account (say 
> hans at example.com)?

We faced the same problem and solved it with a PAM module:

https://gitlab.kfki.hu/kadlec/pam-groupuser

Any kind of MUA is supported, with whatever background authentication you 
have. Here follows the README:

This tiny PAM module makes it possible to authenticate to group user 
accounts, where

- the group user has its own group with the same name as its username
- the group members are real users, who want to access the resources
  (email, files) of the group user

The pam_groupuser.so module must be referenced twice in the PAM
configuration for the given service/resource, i.e.

auth required pam_groupuser.so
<all normal auth modules>
auth required pam_groupuser.so second-pass

The users must use the username "groupusername*realusername" and the
password belonging to "realusername". The first call to pam_groupuser.so
sets the username for PAM to "realusername", so the authentication modules
will use the real username for authentication. The second call to
pam_groupuser.so sets the username for PAM to "groupusername", so the
account and session environment is set up according to groupusername.

The applications which support this kind of setup:

- dovecot POP/IMAP server
- vsftpd FTP server

Addendum: for dovecot, add "*" to the allowed username characters in 
auth_username_chars in /etc/dovecot/conf.d/10-auth.conf.

Best regards,
Jozsef
--
E-mail : kadlecsik.jozsef at wigner.mta.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
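The two-pass flow from the README above, as an added worked model that is not the code of pam-groupuser or of Dovecot: in-memory tables stand in for /etc/passwd, /etc/group and the PAM stack, passwords are verified with PBKDF2 (an assumption; the real stack uses whatever auth modules sit between the two calls), and the user, group and password names (hans, eve, sales, support, *-pw) are constructed. The first pass picks the account whose password the normal auth modules check, the second pass switches to the group account, and the README's requirement that group members be real users is enforced here as a membership check on the group named after the group account. Without that check any authenticated user could take over any account simply by naming it before the "*".

```python
"""Model of the two-pass pam_groupuser login flow (illustration only)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

SEPARATOR = "*"          # login form: "groupusername*realusername"
PBKDF2_ROUNDS = 50_000   # assumption: stands in for the real auth backend


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Directory:
    """Constructed stand-in for the system user and group databases."""
    users: dict    # username -> (salt, digest); digest None = locked account
    groups: dict   # groupname -> set of member usernames

    @classmethod
    def constructed(cls) -> "Directory":
        def entry(pw: str):
            salt = os.urandom(16)
            return (salt, _hash(pw, salt))
        return cls(
            users={
                "hans": entry("hans-pw"),
                "eve": entry("eve-pw"),
                "sales": (b"", None),     # group account: no usable password
                "support": (b"", None),   # group account lacking its own group
            },
            groups={
                "sales": {"hans"},        # hans may act as sales, eve may not
            },
        )


def first_pass(login_name: str) -> Tuple[str, Optional[str]]:
    """First module call: choose the user the normal auth modules verify.

    Returns (auth_user, group_user). A login without '*' passes through
    unchanged, so ordinary personal logins keep working. A real PAM module
    would apply this rewrite with pam_set_item(PAM_USER, ...).
    """
    if SEPARATOR not in login_name:
        return login_name, None
    group_user, _, real_user = login_name.partition(SEPARATOR)
    if not group_user or not real_user or SEPARATOR in real_user:
        raise ValueError("malformed group login: %r" % login_name)
    return real_user, group_user


def authenticate(d: Directory, user: str, password: str) -> bool:
    """Stand-in for <all normal auth modules>: verify the real user's password."""
    salt, digest = d.users.get(user, (b"", None))
    if digest is None:
        _hash(password, b"\0" * 16)   # unknown/locked: burn the same work, no timing leak
        return False
    return hmac.compare_digest(_hash(password, salt), digest)


def second_pass(d: Directory, real_user: str, group_user: Optional[str]) -> str:
    """Second module call: switch the PAM user to the group account.

    Allowed only when the group account exists, has a group of the same
    name, and real_user is a member of it.
    """
    if group_user is None:
        return real_user
    if group_user not in d.users:
        raise PermissionError("no such group account: %s" % group_user)
    if real_user not in d.groups.get(group_user, set()):
        raise PermissionError("%s is not in group %s" % (real_user, group_user))
    return group_user


def login(d: Directory, username: str, password: str) -> Optional[str]:
    """Run the whole stack; return the effective account, or None when denied."""
    try:
        auth_user, group_user = first_pass(username)
        if not authenticate(d, auth_user, password):
            return None
        return second_pass(d, auth_user, group_user)
    except (ValueError, PermissionError):
        return None


if __name__ == "__main__":
    d = Directory.constructed()
    for name, pw in [("hans", "hans-pw"), ("sales*hans", "hans-pw"),
                     ("sales*eve", "eve-pw"), ("sales", "anything"),
                     ("support*hans", "hans-pw"), ("*hans", "hans-pw")]:
        print("%-14s -> %s" % (name, login(d, name, pw)))
```

Note that the Dovecot check of auth_username_chars runs before PAM ever sees the login, which is why the addendum above has "*" added there: with the default character set the "sales*hans" form is rejected at the Dovecot edge and the module never gets a chance to split it.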

