[Dovecot] LDAP Authentication - Home Directory Creation
How does everyone handle this case?
Users are authenticated by LDAP, and do not have accounts on the IMAP/dovecot server. When a new user is added to LDAP, the home directory (/home/newuser) needs to be created on the IMAP/dovecot server so dovecot can create the mail directories inside it (/home/newuser/mail/).
Obviously I can come up with a few custom solutions, utilizing cron, but I feel like there's a cleaner solution out there.
Thanks!
On 01-12-11 18:26, Stephen Bowman wrote:
> How does everyone handle this case?
> Users are authenticated by LDAP, and do not have accounts on the IMAP/dovecot server. When a new user is added to LDAP, the home directory (/home/newuser) needs to be created on the IMAP/dovecot server so dovecot can create the mail directories inside it (/home/newuser/mail/).
> Obviously I can come up with a few custom solutions, utilizing cron, but I feel like there's a cleaner solution out there.
How about http://wiki.dovecot.org/PostLoginScripting and something containing 'mkdir -p' ?
-- Tom
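As an added illustration of the post-login approach (this is example code, not from the thread or the Dovecot project): Dovecot hands a post-login script the login name and home path in the USER and HOME environment variables and expects it to exec the real imap process it is given as arguments. The script below assumes homes live directly under /home, that it runs with enough privilege to create them, and that ownership is fixed up only when an optional owner argument is passed and that name resolves locally.

```shell
#!/bin/sh
# Added example: Dovecot post-login script that creates a missing home
# directory before handing control to the imap process. Assumes the
# Dovecot environment (USER, HOME) and the imap command line in "$@".

HOME_BASE="${HOME_BASE:-/home}"   # assumed base directory for all homes

# ensure_home BASE DIR [OWNER]
# Creates DIR (mode 0700) if it does not exist, but only when DIR is a
# direct, non-symlinked child of BASE; refuses anything else so a crafted
# HOME value from the userdb cannot make the script touch other paths.
# Returns 0 on success, 1 when the path is rejected or creation fails.
ensure_home() {
    base=$1
    dir=$2
    owner=$3
    case "$dir" in
        "$base"/*) ;;
        *) echo "refusing home outside $base: $dir" >&2; return 1 ;;
    esac
    case "${dir#"$base"/}" in
        *'/'*|''|.|..) echo "refusing nested or dot path: $dir" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refusing symlinked home: $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        mkdir -m 700 "$dir" || return 1
        # Optional: hand the directory to its user when we run as root.
        if [ -n "$owner" ]; then
            chown "$owner" "$dir" || return 1
        fi
    fi
    return 0
}

# Only act when Dovecot invoked us (the imap command is in "$@").
if [ "$#" -gt 0 ]; then
    owner=""
    [ "$(id -u)" -eq 0 ] && owner="$USER"
    ensure_home "$HOME_BASE" "$HOME" "$owner" || exit 1
    exec "$@"
fi
```

Run it without arguments and it only defines `ensure_home`, which makes the path checks easy to exercise against a scratch directory.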
On 1.12.2011, at 19.26, Stephen Bowman wrote:
> How does everyone handle this case?
> Users are authenticated by LDAP, and do not have accounts on the IMAP/dovecot server. When a new user is added to LDAP, the home directory (/home/newuser) needs to be created on the IMAP/dovecot server so dovecot can create the mail directories inside it (/home/newuser/mail/).
Dovecot creates the home directory automatically if it has permissions to do it. So I guess in your case the mail user doesn't have permissions to do it and only root can create it?
Stephen Bowman sbbowman@gmail.com wrote:
> How does everyone handle this case?
> Users are authenticated by LDAP, and do not have accounts on the IMAP/dovecot server. When a new user is added to LDAP, the home directory (/home/newuser) needs to be created on the IMAP/dovecot server so dovecot can create the mail directories inside it (/home/newuser/mail/).
chmod /home to 1777 and let dovecot create the directory. Or switch to a virtual setup, where the users don't get real users on the imap server (they can't log in, so they don't need any real user on that server) and every mail is owned by your virtual mail user.
Regards, Sven.
-- Sigmentation fault. Core dumped.
On 2.12.2011, at 0.41, Sven Hartge wrote:
> Or switch to a virtual setup, where the users don't get real users on the imap server (they can't log in, so they don't need any real user on that server) and every mail is owned by your virtual mail user.
Well, it of course makes things easier, but from a security point of view it's worse.. I hope some day there won't be any problems with Dovecot using multiple UIDs.
Timo Sirainen tss@iki.fi wrote:
> On 2.12.2011, at 0.41, Sven Hartge wrote:
> > Or switch to a virtual setup, where the users don't get real users on the imap server (they can't log in, so they don't need any real user on that server) and every mail is owned by your virtual mail user.
> Well, it of course makes things easier, but from a security point of view it's worse..
Of course. But using real users only works if every user is a PosixUser in LDAP (i.e. has a uidNumber and gidNumber). If this is not the case, then you are forced to use a virtual mail user setup.
> I hope some day there won't be any problems with Dovecot using multiple UIDs.
Meaning?
Regards, Sven.
-- Sigmentation fault. Core dumped.
On 2.12.2011, at 1.03, Sven Hartge wrote:
> Timo Sirainen tss@iki.fi wrote:
> > On 2.12.2011, at 0.41, Sven Hartge wrote:
> > > Or switch to a virtual setup, where the users don't get real users on the imap server (they can't log in, so they don't need any real user on that server) and every mail is owned by your virtual mail user.
> > Well, it of course makes things easier, but from a security point of view it's worse..
> Of course. But using real users only works if every user is a PosixUser in LDAP (i.e. has a uidNumber and gidNumber). If this is not the case, then you are forced to use a virtual mail user setup.
Currently at least. This could be automated in a few ways.. Like simplest: uid = 1000 + md5sum(username) mod 64000. That won't necessarily be unique of course, but it's still better than mod 1. :)
> > I hope some day there won't be any problems with Dovecot using multiple UIDs.
> Meaning?
There are different problems with multiple UIDs that are more difficult to solve than with a single UID. How to manage them, how to handle shared mailboxes, how to create home dirs automatically, probably other things. There are ways to solve these problems in one way or another.
Timo Sirainen tss@iki.fi wrote:
> On 2.12.2011, at 1.03, Sven Hartge wrote:
> > Timo Sirainen tss@iki.fi wrote:
> > > I hope some day there won't be any problems with Dovecot using multiple UIDs.
> > Meaning?
> There are different problems with multiple UIDs that are more difficult to solve than with a single UID. How to manage them, how to handle shared mailboxes, how to create home dirs automatically, probably other things. There are ways to solve these problems in one way or another.
Ah, yes, shared folders.
I remember now, this is why we changed from using real users to a virtual user in the beginning (using Courier), because implementing this feature with real users was a real pain in the lower backside.
Regards, Sven.
-- Sigmentation fault. Core dumped.
On 01/12/11 18:26, Stephen Bowman wrote:
> How does everyone handle this case?
> Users are authenticated by LDAP, and do not have accounts on the IMAP/dovecot server. When a new user is added to LDAP, the home directory (/home/newuser) needs to be created on the IMAP/dovecot server so dovecot can create the mail directories inside it (/home/newuser/mail/).
> Obviously I can come up with a few custom solutions, utilizing cron, but I feel like there's a cleaner solution out there.
Are you authenticating directly by LDAP or are you using pam? If you were using pam, you could use the pam_mkhomedir module.
-- Angel L. Mateo Martínez, Sección de Telemática, Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA), http://www.um.es/atica, Tfo: 868887590, Fax: 868888337
participants (5): Angel L. Mateo, Stephen Bowman, Sven Hartge, Timo Sirainen, Tom Hendrikx