On 23/05/2011 16:07, Ariel Biener wrote:
We need to provide admin rights to faculty computer/IT staff, so they can have access to the mailboxes of their respective users. We use LDAP as an authentication/authorization backend.
Currently, dovecot has a "master user" which can access all mailboxes. I am looking for a solution, preferably within dovecot, to create a delegation type of administration, allowing certain users to access the mailboxes of other users based on an LDAP filter or LDAP attribute value. If possible, allowing per-protocol access (that is, I would like to give them IMAP access and not POP3) and, within IMAP, allowing only viewing a mailbox but not changing it, would be even better.
If I were doing this in SQL, then I would construct my SQL query to basically be true IFF some complicated where clause confirms the delegation?
Possibly you can do a similar query in LDAP?
Note one significant limitation is that the username is in the format "admin*user" in variable %u. This makes all your queries quite tricky... I would recommend considering sponsoring some feature request to have this split into two extra variables with the admin and usernames split out? In the case of LDAP that should make it possible to filter on some admin attribute?
Also, you have the checkpassword script option, and you can do anything you like in that script?
Good luck
Ed W
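To make the checkpassword route concrete, here is an added example (not code from this thread or from Dovecot) of a script that splits the "admin*user" login Ed mentions, checks the admin's password, and then decides whether that admin may open that user's mailbox over the requested service. The LDAP lookup is replaced by a constructed in-memory directory, and it assumes Dovecot exports the service name (imap/pop3) in the SERVICE environment variable.

```python
#!/usr/bin/env python3
"""Delegation check in the style of a Dovecot checkpassword script (added example).

Dovecot hands a checkpassword script "username\0password\0timestamp\0" on fd 3,
expects exit 0 to accept or 1 to reject, and on accept execs the reply program
given as argv[1]. In the master-user case the username arrives as "admin*user".
"""
import hashlib
import hmac
import os
import sys

def _pw(password, salt=b"demo-salt"):
    # Constructed PBKDF2 hash of an admin's password (demo salt, not for production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the LDAP delegation attribute: which mailboxes an
# admin may open, over which services, plus the hash of the admin's own password.
DIRECTORY = {
    "alice-admin": {"users": {"bob", "carol"}, "services": {"imap"}, "pw": _pw("s3cret")},
    "dave-admin": {"users": {"erin"}, "services": {"imap", "pop3"}, "pw": _pw("hunter2")},
}

def split_login(login):
    """Split 'admin*user' into (admin, user); (None, login) for a plain login."""
    admin, sep, user = login.partition("*")
    return (admin, user) if sep else (None, login)

def delegation_allowed(login, password, service, directory=DIRECTORY):
    """True iff the admin authenticates and may open user's mailbox over service."""
    admin, user = split_login(login)
    if admin is None or not user or admin not in directory:
        return False  # plain logins and unknown admins are not delegations
    entry = directory[admin]
    if not hmac.compare_digest(_pw(password), entry["pw"]):
        return False  # constant-time comparison of the admin's password hash
    return user in entry["users"] and service in entry["services"]

def main():
    # Assumption: Dovecot exports the service name as $SERVICE (imap, pop3, ...).
    login, password, *_ = os.fdopen(3, "rb").read().split(b"\0")
    service = os.environ.get("SERVICE", "")
    if not delegation_allowed(login.decode(), password.decode(), service):
        sys.exit(1)
    os.environ["USER"] = split_login(login.decode())[1]  # mailbox actually opened
    os.execv(sys.argv[1], sys.argv[1:])  # hand over to checkpassword-reply

if __name__ == "__main__":
    main()
```

Read-only IMAP access, the other half of the question, is not something this script can grant; it only decides who may log in to whose mailbox over which protocol.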