[Dovecot] user login on behalf of another user
Hello,
we are looking for a way to configure a user login on behalf of another user with a PAM backend. This resembles the behaviour of a master user. But a master user can access the mailboxes of all users. We need this to be more restricted.
Example:
Users "user1" and "user2" shall get access to the mailbox "info". We define the accounts "info~user1" and "info~user2" with the same home directory as "info".
Until now, we have used a passwd-file backend. With this setup we can simply copy the password hash from "user1" to "info~user1" and from "user2" to "info~user2". But we intend to change the passdb backend from a flat file to PAM for authentication against Active Directory. This seems to be simple with pam_krb5. But then we can't simply copy password hashes anymore. Is there another possibility for configuring this?
Surely the preferable alternative would be the use of ACLs to give access to other users' mailboxes. But we started this setup with Dovecot 1.0 or 1.1, and with these versions ACLs weren't available. And now we have too many accounts and clients which are configured this way, and we can't change this in the short term.
The passdb/userdb file from the above example looks like this:
info:!:501:501:Info:/home/mail01/info::
info~user1:PASSWORD_USER1:501:501:Info:/home/mail01/info::userdb_mail=maildir:~/Maildir:INDEX=/srv/dovecot/index/info:CONTROL=/srv/dovecot/control/info
info~user2:PASSWORD_USER2:501:501:Info:/home/mail01/info::userdb_mail=maildir:~/Maildir:INDEX=/srv/dovecot/index/info:CONTROL=/srv/dovecot/control/info
user1:PASSWORD_USER1:501:501:Info:/home/mail01/user1::
user2:PASSWORD_USER2:501:501:Info:/home/mail01/user2::
Ingo Rogalsky
rog7993@web.de wrote:
Users "user1" and "user2" shall get access to the mailbox "info". We define the accounts "info~user1" and "info~user2" with the same home directory as "info".
Isn't this the kind of scenario shared folders were made for?
Regards, Sven.
-- Sigmentation fault. Core dumped.
On 05.02.2012 18:14, Sven Hartge wrote:
Isn't this the kind of scenario shared folders were made for?
Yes, of course. Although I didn't call it shared folders in my original post, I had this in mind when I wrote that ACLs would be the better solution. But for historical reasons we are already in the situation of having this kind of accounts. And I don't want to reconfigure about 100 clients now. This would take more time than I want to spend now.
Ingo
On 2012-02-05 17:53, rog7993@web.de wrote:
Surely the preferable alternative would be the use of ACLs to give access to other users' mailboxes. But we started this setup with Dovecot 1.0 or 1.1, and with these versions ACLs weren't available. And now we have too many accounts and clients which are configured this way, and we can't change this in the short term.
Security-wise I would also do this. I had bots trying the whole day here to guess weak passwords, to at least find one login that works. If ACLs are used there is only one password found, and the other user does not need to change his password; only the ACL needs changing, or you ask the other user to change his password. It's still possible that both users are the same user; IMHO it makes no difference whether they are PAM users or not.
On 5.2.2012, at 18.53, rog7993@web.de wrote:
we are looking for a way to configure a user login on behalf of another user with a PAM backend. This resembles the behaviour of a master user. But a master user can access the mailboxes of all users. We need this to be more restricted.
Master user doesn't necessarily have access to all users' mailboxes. In the passdb lookup you can decide if this master user is allowed to be this destination user. For example if you used passdb checkpassword, you could look at USER and MASTER_USER environment variables to figure out if this combination should be allowed or not. The checkpassword script can also do the actual authentication via PAM (I'd think there's a way to call it somehow).
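The check Timo describes, as an added example that is not part of the thread and not Dovecot's own code: a checkpassword passdb script that refuses a master login unless the (master, destination) pair appears in an allowlist, and only then verifies the password. The protocol details it relies on (credentials on fd 3 as NUL-separated fields, $1 being the checkpassword-reply binary, exit 0/1/2 for success/refused/temporary failure, USER and MASTER_USER in the environment, read here as Timo describes them) are taken from the Dovecot checkpassword documentation and are assumptions of this example; the allowlist path /etc/dovecot/master-allow, the script name checkpassword-master and the MASTER_AUTH_CMD hook are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a Dovecot checkpassword passdb script
# that lets a master user log in as a destination user only when the pair is
# listed in an allowlist, and then verifies the password with an external
# command.
#
# Assumed protocol details (from the Dovecot checkpassword documentation):
#   - Dovecot writes "user\0password\0timestamp\0" to fd 3
#   - $1 is the checkpassword-reply binary to exec on success
#   - exit 0 = success, 1 = authentication refused, 2 = temporary failure
#   - USER holds the login user, MASTER_USER the master user (if any)
# Assumed local conventions: allowlist path, script name, MASTER_AUTH_CMD.

ALLOWLIST="${MASTER_ALLOWLIST:-/etc/dovecot/master-allow}"   # assumed path
# Password verifier: must read the password on stdin, take the account name
# as $1 and exit 0 on success (a PAM wrapper such as pamtester is one
# candidate; assumed). Defaults to "false" so an unconfigured script fails closed.
AUTH_CMD="${MASTER_AUTH_CMD:-false}"

# Read the credentials Dovecot passes on fd 3 into CP_USER and CP_PASS.
# NUL bytes cannot live in shell variables, so they are turned into newlines
# first; a password containing a newline would be truncated at that point.
read_credentials() {
    { IFS= read -r CP_USER; IFS= read -r CP_PASS; } <<EOF
$(tr '\0' '\n' <&3)
EOF
}

# pair_allowed MASTER TARGET FILE: 0 if FILE contains a line "MASTER:TARGET".
# Lines are matched whole (-x) and literally (-F) so "user1" cannot match
# "user10"; empty names or names containing ':' are refused because they
# would make the allowlist format ambiguous.
pair_allowed() {
    master=$1 target=$2 file=$3
    [ -n "$master" ] && [ -n "$target" ] || return 1
    case "$master$target" in *:*) return 1 ;; esac
    grep -qxF -- "$master:$target" "$file"
}

# authorize USER MASTER FILE: 0 = allowed, 1 = refused, 2 = allowlist unreadable.
# An ordinary login (no master user) needs no authorization at all.
authorize() {
    user=$1 master=$2 file=$3
    [ -n "$master" ] || return 0
    [ -r "$file" ] || return 2
    pair_allowed "$master" "$user" "$file"
}

# The checkpassword entry point, as Dovecot invokes it.
run_checkpassword() {
    reply=$1
    [ -n "$reply" ] || exit 2
    read_credentials
    login_user=${USER:-$CP_USER}

    # Authorize before authenticating, so a disallowed pair never reaches PAM
    # (no failed-login counters or lockouts for combinations that can never work).
    authorize "$login_user" "${MASTER_USER:-}" "$ALLOWLIST"
    case $? in 0) ;; 2) exit 2 ;; *) exit 1 ;; esac

    # The password presented belongs to the master user when there is one.
    auth_user=${MASTER_USER:-$login_user}
    # AUTH_CMD is word-split on purpose so it may carry its own arguments.
    printf '%s' "$CP_PASS" | $AUTH_CMD "$auth_user" || exit 1
    exec "$reply"
}

# Only run the protocol when executed under the assumed installed name;
# otherwise (sourced, or run under another name) just define the functions.
case "${0##*/}" in
    checkpassword-master) run_checkpassword "$@" ;;
esac
```

The allowlist holds one "master:destination" pair per line, e.g. "user1:info" and "user2:info" for the accounts in the original post. Wired in as a master passdb (driver = checkpassword, args pointing at the script, master = yes) with auth_master_user_separator set, user1 logs in as "info*user1" with his own password, and the script decides whether that combination is permitted before the password is ever checked.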
Hello,
On 06.02.2012 16:05, Timo Sirainen wrote:
Master user doesn't necessarily have access to all users' mailboxes. In the passdb lookup you can decide if this master user is allowed to be this destination user. For example if you used passdb checkpassword, you could look at USER and MASTER_USER environment variables to figure out if this combination should be allowed or not. The checkpassword script can also do the actual authentication via PAM (I'd think there's a way to call it somehow).
Thank you. I have an idea now of how I could configure this.
Ingo
participants (4)
- Benny Pedersen
- rog7993@web.de
- Sven Hartge
- Timo Sirainen