[Dovecot] multiple users to same e-mail account with ldap authentication
Hi, I was looking for a particular case of dovecot configuration I cannot find anywhere. Is there a way dovecot can authenticate via ldap different windows 2008 AD users that have access to the same e-mail account (like user authorization in ms exchange)? For example I want to extend AD schema to let users have 10 email accounts (with multiple domain support). If they are private accounts I think there is no problem at all. But if I want two or more users to access the same mail account what happens? Can I do it with dovecot? Or should I create AD groups and add members to that, to let user access the same mail account? Cheers
-- Marco
On 13.11.2012 11:35, Marco Gatti wrote:
> <snip>
There may be more ways to achieve this; for a quick look, one way is described here:
http://wiki2.dovecot.org/HowTo/ActiveDirectoryNtlm
Using LDAP might be better;
look, e.g., at
http://blog.al-shami.net/2008/05/freebsd-postfix-dovecot-and-active-director... http://www.howtoforge.com/postfix-dovecot-authentication-against-active-dire...
for ideas.
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Joerg Heidrich
2012/11/13 Robert Schetterer rs@sys4.de:
> <snip>
Thank you Robert for the quick reply. I'm aware of the links you sent me, however they don't give me a clue whether what I was asking may be done. I'll try to give more details. I have to build a multiple-domain mail server with the use of Windows AD authentication. I've managed to add some extra fields in the AD schema like this:
mail1: account1@example1.com
box1: /example1.com/account1/
enabled1: TRUE
quota1: 1000000
mail2: account2@example2.com
box2: /example2.com/account2/
enabled2: TRUE
quota2: 1000000
There could be 10 or 50 of them for each AD user. If I use NTLM or PAM authentication (after joining the AD) I have to use AD usernames to log in with dovecot, and I don't know then how to deal with different email addresses configured per user. If I use LDAP lookup I have to use the email address as username, but then if different AD users have to access the same email account, how can dovecot manage it? For example the LDAP configuration for user and password lookup may be something like this:
user_attrs = sAMAccountName=mail=maildir:/var/mail/%d/%n,=uid=102,=gid=10050
user_filter = (&(objectClass=person)(|(&(mail1=%u)(enabled1=TRUE))(&(mail2=%u)(enabled2=TRUE))))
pass_attrs = userPassword=password
pass_filter = (&(objectClass=person)(|(&(mail1=%u)(enabled1=TRUE))(&(mail2=%u)(enabled2=TRUE))))
I think I may be missing something important in how dovecot works, but cannot find any documentation about it. Regards
-- Marco
On 13.11.2012 14:56, Marco Gatti wrote:
> <snip>
Hm, that's complex. However, I would not recommend trying to change Exchange/Active Directory schemas. The only reason I can think of for what you want is using dovecot as a proxy?
So what about this?
http://wiki2.dovecot.org/HowTo/ImapcProxy http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Proxy http://wiki2.dovecot.org/Director
Best Regards MfG Robert Schetterer
2012/11/13 Robert Schetterer rs@sys4.de:
> <snip>
Hmm I don't know honestly. I'll give it a try.
-- Marco
At 2PM +0100 on 13/11/12 you (Marco Gatti) wrote:
> <snip> I've managed to add some extra fields in the AD schema like this:
> mail1: account1@example1.com
> box1: /example1.com/account1/
> enabled1: TRUE
> quota1: 1000000
> mail2: account2@example2.com
> box2: /example2.com/account2/
> enabled2: TRUE
> quota2: 1000000
This isn't a good schema to use for this. The mail1, mail2 &c attributes represent the same property of different addresses, so they should be the same attribute on different objects.
I don't know much about AD's LDAP server, is it straightforward to create brand new objectclasses? If I were doing this in an ordinary LDAP server I might create a class of objects which looked like
mailboxAddr: account1@example1.com
mailboxLocation: /example1/account1
mailboxEnabled: TRUE
mailboxQuota: 1000000
with mailboxAddr as the RDN, and then give each user a multi-valued mailbox attribute with the addresses that user has access to.
> There could be 10 or 50 of them for each AD user. If I use NTLM or PAM authentication (after joining the AD) I have to use AD usernames to log in with dovecot, and I don't know then how to deal with different email addresses configured per user. If I use LDAP lookup I have to use the email address as username, but then if different AD users have to access the same email account, how can dovecot manage it?
If you want the user to be able to log in and see just one address at a time you have to have the user tell dovecot which user and which address they want when they log in. Since (usually) the only fields you have are 'user' and 'password', they will need to stuff both components into the user field somehow; perhaps by logging on with a user name of
user@domain.ad!account1@example.com
You would then need (probably) to write a checkpassword userdb script to split this into username and account name, verify the user is authorized for the account, look up the mailbox location using the account name, and pass the username back to be checked against the password. So, it could be done, but it would be messy and users would get it wrong all the time.
Alternatively, you could have the user log in with their ordinary AD account name, and then present them with *all* the email accounts they have access to, as separate (trees of) folders. You can do this with a post-login script which sets up a namespace for each account: see the example at the bottom of http://wiki2.dovecot.org/PostLoginScripting for something vaguely similar. You would need to use Net::LDAP (or some equivalent in some other language) to look up the user's accounts in the AD, and then create the relevant environment variables.
(I'm not sure what to do about INBOX in a setup like this: I don't think you're allowed to *not* have an INBOX. Probably each user should have one 'canonical' private account, which contains their IMAP INBOX. If you didn't want to do this I expect you could set up a default namespace which is read-only, with just an empty INBOX in it.)
If you want to try this, and you're having trouble getting the scripting right, I'd be happy to help you through it if you can post enough information about the LDAP schema you eventually decide on.
Ben
2012/11/13 Ben Morrow ben@morrow.me.uk:
> At 2PM +0100 on 13/11/12 you (Marco Gatti) wrote: <snip>
> with mailboxAddr as the RDN, and then give each user a multi-valued mailbox attribute with the addresses that user has access to.
You mean multi-valued mailboxAddr, mailboxLocation, and so on? How can I extract a single one and be sure it's correct?
> <snip> perhaps by logging on with a user name of
> user@domain.ad!account1@example.com
> <snip> So, it could be done, but it would be messy and users would get it wrong all the time.
Since users don't configure mail clients on their own it could be a solution!
> Alternatively, you could have the user log in with their ordinary AD account name, and then present them with *all* the email accounts they have access to, as separate (trees of) folders. <snip>
All accounts in a tree sounds bad since users won't clearly understand which is which. Thank you Ben!
-- Marco
At 10AM +0100 on 14/11/12 you (Marco Gatti) wrote:
> 2012/11/13 Ben Morrow ben@morrow.me.uk:
> > At 2PM +0100 on 13/11/12 you (Marco Gatti) wrote: <snip>
> > with mailboxAddr as the RDN, and then give each user a multi-valued mailbox attribute with the addresses that user has access to.
> You mean multi-valued mailboxAddr, mailboxLocation, and so on? How can I extract a single one and be sure it's correct?
No. I mean you want separate objects for the mail accounts, completely distinct from the user objects (under a different branch of the LDAP tree). Each 'mail account' object has one Addr, one Location and so on. Then, each user who should have access to one of these accounts has a multi-valued 'mailbox' attribute pointing to the mail accounts that user can see. Something like (I don't really know how AD schemas work...)
dn: mailboxAddr=account1@example.com,ou=Mailboxes,dc=example,dc=com
mailboxAddr: account1@example.com
mailboxLocation: /example/account1

dn: mailboxAddr=account2@example.com,ou=Mailboxes,dc=example,dc=com
mailboxAddr: account2@example.com
mailboxLocation: /example/account2

dn: sAMAccountName=bob,ou=People,dc=example,dc=com
sAMAccountName: bob
mailbox: account1@example.com
mailbox: account2@example.com

dn: sAMAccountName=bill,ou=People,dc=example,dc=com
sAMAccountName: bill
mailbox: account2@example.com
If your 'mail account' attribute is sometimes called 'mail1' and sometimes called 'mail2' how do you expect to search for it?
> > > <snip> If I use LDAP lookup I have to use the email address as username, but then if different AD users have to access the same email account, how can dovecot manage it?
> > <snip> perhaps by logging on with a user name of
> > user@domain.ad!account1@example.com
> > <snip> So, it could be done, but it would be messy and users would get it wrong all the time.
> Since users don't configure mail clients on their own it could be a solution!
If users don't know how to choose which username they are logging in with how will they choose which account they want to look at?
I *think* this is simpler than I thought: I think Dovecot's 'master user' stuff will work for this. You need to set up a master user passdb which looks up %u (or %n) as the AD account name and also checks that that user has a 'mailbox' attribute (whatever you decide to call it) of %{login_user}.
> > Alternatively, you could have the user log in with their ordinary AD account name, and then present them with *all* the email accounts they have access to, as separate (trees of) folders. <snip>
> All accounts in a tree sounds bad since users won't clearly understand which is which.
OK, if you say so. ISTM that having a number of top-level folders called (e.g.) 'account1@example.com' with the mail for account1@example.com in is much easier to deal with than magic usernames, but you know your users.
Ben
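The two schemes Ben describes (the checkpassword userdb script that splits a combined login name, from his first reply, and the master-user passdb from this one) share a single authorization check: is the requested mailbox listed in the AD user's multi-valued mailbox attribute? What follows is an added example, written for this page and not code from the thread or from Dovecot, that implements that check in Python over a constructed copy of Ben's proposed LDAP entries. It assumes the '!' separator Ben suggested for combined logins, Dovecot's default '*' separator for master-user logins, the uid/gid from Marco's draft config as the vmail user, and an in-memory LDIF string in place of the AD search; verifying the AD user's password is assumed to happen in a passdb before this userdb step runs.

```python
"""Added example (not code from the thread or from Dovecot): the
authorization step shared by the checkpassword and master-user schemes,
run against a constructed copy of Ben's proposed LDAP layout."""
import os
import sys

# Constructed LDIF mirroring Ben's proposed objects; stands in for the AD search.
SAMPLE_LDIF = """\
dn: mailboxAddr=account1@example.com,ou=Mailboxes,dc=example,dc=com
mailboxAddr: account1@example.com
mailboxLocation: /example/account1

dn: mailboxAddr=account2@example.com,ou=Mailboxes,dc=example,dc=com
mailboxAddr: account2@example.com
mailboxLocation: /example/account2

dn: sAMAccountName=bob,ou=People,dc=example,dc=com
sAMAccountName: bob
mailbox: account1@example.com
mailbox: account2@example.com

dn: sAMAccountName=bill,ou=People,dc=example,dc=com
sAMAccountName: bill
mailbox: account2@example.com
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}.  Repeated attributes
    such as 'mailbox' accumulate, which is the point of Ben's schema."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def mailbox_location(directory, addr):
    """mailboxLocation of the mailbox object whose RDN is addr, or None."""
    for attrs in directory.values():
        if attrs.get("mailboxAddr") == [addr]:
            return attrs["mailboxLocation"][0]
    return None

def authorized(directory, sam, account):
    """The one check both schemes need, i.e. the LDAP filter
    (&(objectClass=person)(sAMAccountName=<sam>)(mailbox=<account>))"""
    for attrs in directory.values():
        if attrs.get("sAMAccountName") == [sam]:
            return account in attrs.get("mailbox", [])
    return False          # unknown AD user

def split_login(login, separator="!"):
    """'bob@domain.ad!account1@example.com' -> ('bob', 'account1@example.com').
    The AD half is cut at '@' like Dovecot's %n.  None for logins without
    exactly one separator or with an empty half."""
    ad_user, sep, account = login.partition(separator)
    if not sep or not ad_user or not account or separator in account:
        return None
    return ad_user.partition("@")[0], account

def checkpassword_reply(directory, login):
    """Scheme 1: the environment a checkpassword userdb script hands to
    checkpassword-reply.  None means reject (malformed or unauthorized).
    uid/gid are the values from Marco's draft, assumed to be the vmail user."""
    parts = split_login(login)
    if parts is None:
        return None
    sam, account = parts
    location = mailbox_location(directory, account)
    if not authorized(directory, sam, account) or location is None:
        return None
    return {"USER": account,                    # mailbox Dovecot will open
            "HOME": location,
            "userdb_mail": "maildir:" + location,
            "userdb_uid": "102", "userdb_gid": "10050",
            "EXTRA": "userdb_mail userdb_uid userdb_gid"}

def master_user_allowed(directory, master_user, login_user):
    """Scheme 2: the client logs in as '<login_user>*<master_user>' with the
    master's own password; the master passdb confirms the access.  Same check:
    pass_filter = (&(objectClass=person)(sAMAccountName=%n)(mailbox=%{login_user}))"""
    return authorized(directory, master_user, login_user)

if __name__ == "__main__":
    # Checkpassword wire format: fd 3 carries "username\0password\0".  For a
    # userdb lookup Dovecot sets AUTHORIZED=1 and expects AUTHORIZED=2 back.
    username = os.read(3, 8192).split(b"\0")[0].decode()
    reply = checkpassword_reply(parse_ldif(SAMPLE_LDIF), username)
    if reply is None:
        sys.exit(3)                 # 3 = user not found, 111 = temporary failure
    os.environ.update(reply)
    os.environ["AUTHORIZED"] = "2"
    os.execv(sys.argv[1], [sys.argv[1]])
```

The `__main__` part only runs when Dovecot executes the file as a checkpassword userdb (`userdb { driver = checkpassword  args = /path/to/script }`, with checkpassword-reply passed as argv[1]); the functions can be exercised directly. In a real deployment `parse_ldif(SAMPLE_LDIF)` would be replaced by an LDAP search for the user's `mailbox` values, and the script must never trust the account half of the login name beyond that search: it is client-supplied and is exactly where one user would try to name another user's mailbox. Note also that in the master-user scheme Dovecot checks the master user's password, not the mailbox's, so nothing here touches a password.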
On 11/13/2012 03:35 AM, Marco Gatti wrote:
> Is there a way dovecot can authenticate via ldap different windows 2008 AD users that have access to the same e-mail account (like user authorization in ms exchange)?
Symlinks on the Dovecot maildirs? You'd have to read up on the caveats of that: http://wiki.dovecot.org/SharedMailboxes/Symlinks
2012/11/13 Willie Gillespie wgillespie+dovecot@es2eng.com:
> On 11/13/2012 03:35 AM, Marco Gatti wrote:
> > <snip>
> Symlinks on the Dovecot maildirs? You'd have to read up on the caveats of that: http://wiki.dovecot.org/SharedMailboxes/Symlinks
I would like to keep the configuration of new accounts on the Windows AD only and not to deal with links every time. But the problem I have is at authentication time: avoiding the "matched multiple objects" or a general authentication failure. Cheers
-- Marco
Participants (4): Ben Morrow, Marco Gatti, Robert Schetterer, Willie Gillespie