authenticate as userA, but get authorization to user userB's account

Heiko Schlittermann hs at schlittermann.de
Wed Oct 25 16:22:02 EEST 2017


Jochen Bern <Jochen.Bern at binect.de> (Wed 25 Oct 2017 14:44:26 CEST):
…
> > additional account within the mail client (thunderbird) they use. From
> > users perspective it is exactly what they want. But I dislike the idea
> > of sharing the password.
> 
> For what reason exactly? It not being personalized, too easy to leak,
> potentially not expiring ever, ... ?

If one of the users isn't allowed to access that "role" account
anymore, then I have to "revoke" the old password and re-issue a new
one to the leftover members for that role.

> dovecot can take the "username" from a client certificate used in the
…

Client certificates are not an option currently, as they are difficult to
maintain and probably not compatible with a broader range of MUAs.

…
> I seem to remember that at least some of the userdb backends dovecot
> supports allow to have *several different* passwords stored for userB,
> too ... (But that would probably imply that you cannot allow userB to
> change "the" password themselves.)

That brings up another idea: We use LDAP authentication. It is possible
to have multiple (how many?) userPassword fields per LDAP object. If we
are able to track the password hashes (which hash for which user), we
can have each user use his very own password to log in as another user
(provided that other user has an additional userPassword field).
 
    Best regards from Dresden/Germany
    Kind regards from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
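A sketch of the "one userPassword value per member" idea from the last paragraph, added here as an example; it is not code from the original mail, from Dovecot or from any LDAP server. The `{SSHA}` format (base64 of SHA-1 digest followed by the salt) is the real scheme OpenLDAP uses for hashed userPassword values, but the in-memory role store, the member-to-hash side table and the function names are assumptions made for the example. Verification tries every stored value, returns the member whose hash matched (so the login can be attributed in the log), and revoking one member removes only that member's value instead of forcing a new shared password for everyone.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed store: role account -> {member -> "{SSHA}..." value}.
# A multi-valued userPassword attribute on its own does not record which value
# belongs to which member, so that mapping is kept explicitly here (assumption:
# a real deployment would keep it in a side table or a per-member attribute).
RoleDb = Dict[str, Dict[str, str]]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an LDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against one {SSHA} value; constant-time digest compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def add_member(db: RoleDb, role: str, member: str, password: str) -> None:
    """Give `member` their own password for the shared `role` mailbox."""
    db.setdefault(role, {})[member] = make_ssha(password)


def revoke_member(db: RoleDb, role: str, member: str) -> bool:
    """Drop only this member's value; the other members keep their passwords."""
    return db.get(role, {}).pop(member, None) is not None


def ldap_values(db: RoleDb, role: str) -> List[str]:
    """The userPassword values as they would appear on the role's LDAP entry."""
    return list(db.get(role, {}).values())


def authenticate_role(db: RoleDb, role: str, password: str) -> Optional[str]:
    """Try the offered password against every member's value for the role.

    Returns the member it belonged to (for the audit trail), or None when no
    value matched. All values are tried, so a wrong password still costs one
    SHA-1 per member rather than leaking which member exists via timing.
    """
    matched: Optional[str] = None
    for member, stored in db.get(role, {}).items():
        if verify_ssha(password, stored) and matched is None:
            matched = member
    return matched


if __name__ == "__main__":
    db: RoleDb = {}
    add_member(db, "sales@example.invalid", "userA", "correct horse A")
    add_member(db, "sales@example.invalid", "userB", "correct horse B")
    print(authenticate_role(db, "sales@example.invalid", "correct horse A"))  # userA
    revoke_member(db, "sales@example.invalid", "userA")
    print(authenticate_role(db, "sales@example.invalid", "correct horse A"))  # None
    print(authenticate_role(db, "sales@example.invalid", "correct horse B"))  # userB
```

The point of returning the member name is that the mail server's log can say which person logged in to the role account, which a single shared password can never tell you. SHA-1 {SSHA} is used here only because it is the format the mail refers to; the same per-member layout works with any stronger scheme the directory supports.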