is it safe to have two backends used for the same user?
hi everybody
I wonder if it is safe (and wise) to have two passw-user databases for the same one user. I'm thinking: mail to me via pam, mail to me@this.domain via ldap.
The whole Maildir would be essentially the same one storage target; I see permissions have to be mangled, available to write for both vmail and the actual uid.
what do you think? Is it how it's done?
regards
On Tue, 23 Jun 2015, lejeczek wrote:
> I wonder if it is safe (and wise) to have two passw-user databases for the same one user. I'm thinking: mail to me via pam, mail to me@this.domain via ldap.
The first passdb wins. No problem.
> The whole Maildir would be essentially the same one storage target; I see permissions have to be mangled, available to write for both vmail and the actual uid.
Again, the first userdb wins. Your users can auth against pam, but the data may come from LDAP or a static userdb. If you auth against PAM successfully, that does _not_ mean that you automatically use system users or that Dovecot changes uids or something. All such information comes from the userdb. If both users match the same userdb entry, they appear the same for Dovecot.
Steffen Kaiser
On Tue, 23 Jun 2015, Steffen Kaiser wrote:
> On Tue, 23 Jun 2015, lejeczek wrote:
>> I wonder if it is safe (and wise) to have two passw-user databases for the same one user. I'm thinking: mail to me via pam, mail to me@this.domain via ldap.
> The first passdb wins. No problem.
>> The whole Maildir would be essentially the same one storage target; I see permissions have to be mangled, available to write for both vmail and the actual uid.
> Again, the first userdb wins. Your users can auth against pam, but the data may come from LDAP or a static userdb. If you auth against PAM successfully, that does _not_ mean that you automatically use system users or that Dovecot changes uids or something. All such information comes from the userdb. If both users match the same userdb entry, they appear the same for Dovecot.
To make it more clear:
you can have
passdb { driver = pam }
passdb { driver = ldap ... }
userdb { driver = ldap .... }
You do not need a userdb { driver = passwd }, unless you require user data from this source. Or use userdb { driver = static } instead of the LDAP one, because you do not use LDAP attributes anyway.
Steffen Kaiser
On 23/06/15 15:41, Steffen Kaiser wrote:
> On Tue, 23 Jun 2015, Steffen Kaiser wrote:
>> On Tue, 23 Jun 2015, lejeczek wrote:
>>> I wonder if it is safe (and wise) to have two passw-user databases for the same one user. I'm thinking: mail to me via pam, mail to me@this.domain via ldap.
>> The first passdb wins. No problem.
>>> The whole Maildir would be essentially the same one storage target; I see permissions have to be mangled, available to write for both vmail and the actual uid.
>> Again, the first userdb wins. Your users can auth against pam, but the data may come from LDAP or a static userdb. If you auth against PAM successfully, that does _not_ mean that you automatically use system users or that Dovecot changes uids or something. All such information comes from the userdb. If both users match the same userdb entry, they appear the same for Dovecot.
> To make it more clear:
> you can have
> passdb { driver = pam }
> passdb { driver = ldap ... }
> userdb { driver = ldap .... }
> You do not need a userdb { driver = passwd }, unless you require user data from this source. Or use userdb { driver = static } instead of the LDAP one, because you do not use LDAP attributes anyway.

OK, I see. Can a querying pam backend be custom? E.g. how does one look up me@some.thing? Many thanks Steffen for all your help.
On 23/06/15 15:34, Steffen Kaiser wrote:
> On Tue, 23 Jun 2015, lejeczek wrote:
>> I wonder if it is safe (and wise) to have two passw-user databases for the same one user. I'm thinking: mail to me via pam, mail to me@this.domain via ldap.
> The first passdb wins. No problem.
>> The whole Maildir would be essentially the same one storage target; I see permissions have to be mangled, available to write for both vmail and the actual uid.
> Again, the first userdb wins. Your users can auth against pam, but the data may come from LDAP or a static userdb. If you auth against PAM successfully, that does _not_ mean that you automatically use system users or that Dovecot changes uids or something. All such information comes from the userdb. If both users match the same userdb entry, they appear the same for Dovecot.

My working setup as above breaks if the target storage misses o=rwx (very weird again). Even if I stick an ACL to it with vmail=rwX it still fails, and quite silently, leaving one clueless.
me via pam = actual UID
me@this.domain via ldap = vmail UID
and that shared storage target, it seems, must have o=rwx??? (Or I still got it wrong somewhere?)
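As an added illustration of the layout Steffen describes (two passdbs tried in order, one static userdb so both logins end up as the same Dovecot user), here is a minimal Dovecot configuration fragment; it is not from the thread, and the file paths, the vmail uid/gid and the single-domain assumption behind the home directory are my own choices:

```conf
# Added example, not from the thread. Assumes one mail domain, a system
# user and group named "vmail", and LDAP connection settings already
# present in /etc/dovecot/dovecot-ldap.conf.ext (path is an assumption).

# passdbs are consulted in order; the first one that accepts the
# credentials wins, so "me" can authenticate via PAM and
# "me@this.domain" via LDAP without any change to the rest.
passdb {
  driver = pam
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# A single userdb for both logins. Whichever passdb accepted, the mail
# process runs as vmail and uses the same home directory. %n is the
# login name without its domain part, so "me" and "me@this.domain"
# both resolve to /var/vmail/me (this is what the single-domain
# assumption above buys; with several domains use %d/%n instead and
# log in with the full address from both backends).
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%n
}

# Both logins therefore read and write one Maildir as one uid.
mail_location = maildir:~/Maildir
```

With both logins resolving through this one static userdb, the Maildir only needs to be owned by vmail (mode 0700 is enough); the o=rwx discussed at the end of the thread is only required when two different uids write to the same tree. `doveadm user me` and `doveadm user me@this.domain` print the uid and home each login resolves to, which is the quickest way to confirm both land on vmail.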