2012/11/13 Ben Morrow ben@morrow.me.uk:
At 2PM +0100 on 13/11/12 you (Marco Gatti) wrote:
2012/11/13 Robert Schetterer rs@sys4.de:
Am 13.11.2012 11:35, schrieb Marco Gatti:
Hi, I was looking for a particular case of dovecot configuration I cannot find anywhere. Is there a way dovecot can authenticate via ldap different windows 2008 AD users that have access to the same e-mail account (like user authorization in ms exchange)? For example I want to extend AD schema to let users have 10 email accounts (with multiple domain support). If they are private accounts I think there is no problem at all. But if I want two or more users to access the same mail account what happens? Can I do it with dovecot? Or should I create AD groups and add members to that, to let user access the same mail account? <snip> I'll try to give more details. I have to build a multiple domain mail server with the use of windows AD authentication. I've managed to add some extra filed in the AD schema like this:
mail1: account1@example1.com box1: /example1.com/account1/ enabled1: TRUE quota1: 1000000
mail2: account2@example2.com box2: /example2.com/account2/ enabled2: TRUE quota2: 1000000
This isn't a good schema to use for this. The mail1, mail2 &c attributes represent the same property of different addresses, so they should be the same attribute on different objects.
I don't know much about AD's LDAP server, is it straightforward to create brand new objectclasses? If I were doing this in an ordinary LDAP server I might create a class of objects which looked like
mailboxAddr: account1@example1.com mailboxLocation: /example1/account1 mailboxEnabled: TRUE mailboxQuota: 1000000
with mailboxAddr as the RDN, and then give each user a multi-valued mailbox attribute with the addresses that user has access to.
You mean multi-valued mailboxAddr, mailboxLocation, and so on? How can I extract a single one and be sure it's correct?
There could be 10 or 50 of them for each AD user. If I use NTLM or PAM authentication (after joining the AD) I have to use AD usernames to login with dovecot and I don't know how then to deal with different email addresses configured per user. If I use LDAP lookup I have to use the email address as username but then if different AD users have to access the same email account how dovecot can manage it???
If you want the user to be able to log in and see just one address at a time you have to have the user tell dovecot which user and which address they want when they log in. Since (usually) the only fields you have are 'user' and 'password', they will need to stuff both components into the user field somehow; perhaps by logging on with a user name of
user@domain.ad!account1@example.com
You would then need (probably) to write a checkpassword userdb script to split this into username and account name, verify the user is authorized for the account, look up the mailbox location using the account name, and pass the username back to be checked against the password. So, it could be done, but it would be messy and users would get it wrong all the time.
Since users don't configure mail clients on their own it could be a solution!
Alternatively, you could have the user log in with their ordinary AD account name, and then present them with *all* the email accounts they have access to, as separate (trees of) folders. You can do this with a post-login script which sets up a namespace for each account: see the example at the bottom of http://wiki2.dovecot.org/PostLoginScripting for something vaguely similar. You would need to use Net::LDAP (or some equivalent in some other language) to look up the user's accounts in the AD, and then create the relevant environment variables.
(I'm not sure what to do about INBOX in a setup like this: I don't think you're allowed to *not* have an INBOX. Probably each user should have one 'canonical' private account, which contains their IMAP INBOX. If you didn't want to do this I expect you could set up a default namespace which is read-only, with just an empty INBOX in it.)
If you want to try this, and you're having trouble getting the scripting right, I'd be happy to help you through it if you can post enough information about the LDAP schema you eventually decide on.
Ben
All accounts in a tree sounds bad since users won't clearly understand which is which. Thank you Ben!
-- Marco