Hello,
we are searching for a possibility to configure a user login on behalf of another user with a PAM backend. This reminds to the behavior of a master user. But a master user can access the mailboxes of all users. We need this more restricted.
Example:
User "user1" and "user2" shall get access to the mailbox "info". We define the accounts "info~user1" and "info~user2" with the same home directory like "info".
Until now, we use a passwd-file backend. With this setup we can simply copy the password hash from "user1" to "info~user1" and from "user2" to "info~user2". But we intend to change the passdb backend from a flat file to PAM for authentication against Active Directory. This seems to be simple with pam_krb5. But then we can't simply copy password hashes anymore. Is their another possibility for configuring this?
Surely the preferable alternative would be the use of ACLs to give acccess to other users mailboxes. But we started this setup with Dovecot 1.0 or 1.1. And with these versions, ACLs weren't available. And now we have too much accounts and clients, which are configured this way and can't change this for the short term.
The passdb/userdb file from the above example looks like this:
info:!:501:501:Info:/home/mail01/info::
info~user1:PASSWORD_USER1:501:501:Info:/home/mail01/info::
userdb_mail=maildir:~/Maildir:
INDEX=/srv/dovecot/index/info:
CONTROL=/srv/dovecot/control/info
info~user2:PASSWORD_USER2:501:501:Info:/home/mail01/info::
userdb_mail=maildir:~/Maildir:
INDEX=/srv/dovecot/index/info:
CONTROL=/srv/dovecot/control/info
user1:PASSWORD_USER1:501:501:Info:/home/mail01/user1::
user2:PASSWORD_USER2:501:501:Info:/home/mail01/user2::
Ingo Rogalsky