[Dovecot] delegation of admin rights
Hello,
We're a rather largish university (largest in Israel), with some 60-70k users, using Dovecot 1.2.14 (we're cautious about moving to 2.0.x for now).
We need to provide admin rights to faculty computer/IT staff, so they can have access to the mailboxes of their respective users. We use LDAP as an authentication/authorization backend.
Currently, dovecot has a "master user" which can access all mailboxes. I am looking for a solution, preferably within dovecot, to create a delegation type of administration, allowing certain users to access the mailboxes of other users based on an LDAP filter or LDAP attribute value. If possible, allowing per protocol access (that is, I would like to give them IMAP access and not POP3) and within IMAP allowing only to view a mailbox, but not to change it, that would be even better.
Does anyone on this list know of any IMAP proxy providing such abilities, and also, would the Dovecot team consider this as a candidate for a request for enhancement? This would be very useful in a delegated administration environment, like most larger organizations, hosting & ISP, and other environments where delegation is an important and very much needed ability.
thanks a bunch,
-- Ariel
Ariel Biener e-mail: ariel@post.tau.ac.il PGP: http://www.tau.ac.il/~ariel/pgp.html
On 23/05/2011 16:07, Ariel Biener wrote:
> We need to provide admin rights to faculty computer/IT staff, so they can have access to the mailboxes of their respective users. We use LDAP as an authentication/authorization backend.
> Currently, dovecot has a "master user" which can access all mailboxes. I am looking for a solution, preferably within dovecot, to create a delegation type of administration, allowing certain users to access the mailboxes of other users based on an LDAP filter or LDAP attribute value. If possible, allowing per protocol access (that is, I would like to give them IMAP access and not POP3) and within IMAP allowing only to view a mailbox, but not to change it, that would be even better.
If I were doing this in SQL, then I would construct my SQL query to basically be true IFF some complicated where clause confirms the delegation?
Possibly you can do a similar query in LDAP?
Note one significant limitation is that the username is in the format "admin*user" in variable %u. This makes all your queries quite tricky... I would recommend considering sponsoring some feature request to have this split into two extra variables with the admin and usernames split out? In the case of LDAP that should make it possible to filter on some admin attribute?
Also you have Checkpassword script option and you can do anything you like in that script?
Good luck
Ed W
On 23.5.2011, at 18.38, Ed W wrote:
> Note one significant limitation is that the username is in the format "admin*user" in variable %u.
I don't think this is true.
> Also you have Checkpassword script option and you can do anything you like in that script?
Maybe something like that.. I think all of the pieces for this already exist in Dovecot. They just need to be put together in a way that works nicely. ACLs can be given to master user (although there still is no "default ACL" which makes this annoying). The checkpassword can anyway figure out if user X can be allowed to give user Y rights. I think all users then need to be both master users and passdb users.
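As an added illustration of the checkpassword route Ed and Timo both point at (this is not code from the thread or from Dovecot), here is a sketch of the "may admin X read user Y's mail" decision. It assumes Dovecot invokes the script as a master passdb with the reply program as $1 and "username\0password\0" on fd 3, that the login arrives either as "admin*user" or with the admin in a MASTER_USER variable, and it replaces the LDAP attribute lookup with a constructed in-script table; the admin's own password check is a fail-closed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: a checkpassword-style delegation check.
# Assumptions: Dovecot runs this as a master passdb script with the
# checkpassword-reply program as $1 and "username\0password\0" on fd 3; the
# login is either "admin*user" ('*' being the master-user separator) or the
# admin is given in MASTER_USER with fd 3 carrying only the target user.
# Constructed stand-in for LDAP: "user faculty" and "admin faculty" pairs.
USER_FACULTY="alice cs
bob law
carol medicine"
DELEGATIONS="it-cs cs
it-law law"

faculty_of() {  # faculty attribute of user $1, empty if unknown
    printf '%s\n' "$USER_FACULTY" | awk -v u="$1" '$1 == u { print $2 }'
}
# 0 if admin $1 is delegated the faculty that user $2 belongs to, else 1.
delegation_allowed() {
    fac=$(faculty_of "$2")
    [ -n "$fac" ] || return 1
    printf '%s\n' "$DELEGATIONS" | awk -v a="$1" -v f="$fac" \
        '$1 == a && $2 == f { found = 1 } END { exit found ? 0 : 1 }'
}
split_login() {  # "admin*user" -> "admin user"; fails if no separator
    case $1 in
        *\**) printf '%s %s\n' "${1%%\**}" "${1#*\*}" ;;
        *)    return 1 ;;
    esac
}
verify_admin_password() {  # placeholder: bind to LDAP as $1 with $2
    return 1                # fails closed until implemented
}

main() {
    creds=$(tr '\0' '\n' <&3)
    login=$(printf '%s\n' "$creds" | sed -n 1p)
    password=$(printf '%s\n' "$creds" | sed -n 2p)
    if [ -n "${MASTER_USER:-}" ]; then
        admin=$MASTER_USER; user=$login
    else
        pair=$(split_login "$login") || exit 1
        admin=${pair% *}; user=${pair#* }
    fi
    verify_admin_password "$admin" "$password" || exit 1  # 1 = auth failed
    delegation_allowed "$admin" "$user" || exit 1
    USER=$user; export USER        # Dovecot continues as the target user
    exec "$1"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Per-protocol restriction and read-only access are not handled here; those would still come from the ACL side Timo mentions.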