[Dovecot] multiple users to same e-mail account with ldap authentication

Marco Gatti marco.gatti at gmail.com
Wed Nov 14 11:07:47 EET 2012


2012/11/13 Ben Morrow <ben at morrow.me.uk>:
> At  2PM +0100 on 13/11/12 you (Marco Gatti) wrote:
>> 2012/11/13 Robert Schetterer <rs at sys4.de>:
>> > On 13.11.2012 11:35, Marco Gatti wrote:
>> >> Hi, I was looking for a particular case of dovecot configuration I
>> >> cannot find anywhere.
>> >> Is there a way dovecot can authenticate via ldap different windows
>> >> 2008 AD users that have access to the same e-mail account (like user
>> >> authorization in ms exchange)?
>> >> For example I want to extend AD schema to let users have 10 email
>> >> accounts (with multiple domain support). If they are private accounts
>> >> I think there is no problem at all. But if I want two or more users to
>> >> access the same mail account what happens? Can I do it with dovecot?
>> >> Or should I create AD groups and add members to that, to let user
>> >> access the same mail account?
> <snip>
>> I'll try to give more details.
>> I have to build a multiple domain mail server with the use of windows
>> AD authentication.
>> I've managed to add some extra fields to the AD schema like this:
>>
>> mail1: account1 at example1.com
>> box1: /example1.com/account1/
>> enabled1: TRUE
>> quota1: 1000000
>>
>> mail2: account2 at example2.com
>> box2: /example2.com/account2/
>> enabled2: TRUE
>> quota2: 1000000
>
> This isn't a good schema to use for this. The mail1, mail2 &c attributes
> represent the same property of different addresses, so they should be
> the same attribute on different objects.
>
> I don't know much about AD's LDAP server, is it straightforward to
> create brand new objectclasses? If I were doing this in an ordinary LDAP
> server I might create a class of objects which looked like
>
>     mailboxAddr: account1 at example1.com
>     mailboxLocation: /example1/account1
>     mailboxEnabled: TRUE
>     mailboxQuota: 1000000
>
> with mailboxAddr as the RDN, and then give each user a multi-valued
> mailbox attribute with the addresses that user has access to.

You mean multi-valued mailboxAddr, mailboxLocation, and so on? How can
I extract a single one and be sure it's correct?

>> There could be 10 or 50 of them for each AD user.
>> If I use NTLM or PAM authentication (after joining the AD) I have to
>> use AD usernames to login with dovecot and I don't know how then to
>> deal with different email addresses configured per user.
>> If I use LDAP lookup I have to use the email address as username, but
>> then if different AD users have to access the same email account, how
>> can dovecot manage it?
>
> If you want the user to be able to log in and see just one address at a
> time you have to have the user tell dovecot which user and which address
> they want when they log in. Since (usually) the only fields you have are
> 'user' and 'password', they will need to stuff both components into the
> user field somehow; perhaps by logging on with a user name of
>
>     user at domain.ad!account1 at example.com
>
> You would then need (probably) to write a checkpassword userdb script to
> split this into username and account name, verify the user is authorized
> for the account, look up the mailbox location using the account name,
> and pass the username back to be checked against the password. So, it
> could be done, but it would be messy and users would get it wrong all
> the time.

Since users don't configure mail clients on their own, it could be a solution!

> Alternatively, you could have the user log in with their ordinary AD
> account name, and then present them with *all* the email accounts they
> have access to, as separate (trees of) folders. You can do this with a
> post-login script which sets up a namespace for each account: see the
> example at the bottom of http://wiki2.dovecot.org/PostLoginScripting for
> something vaguely similar. You would need to use Net::LDAP (or some
> equivalent in some other language) to look up the user's accounts in the
> AD, and then create the relevant environment variables.
>
> (I'm not sure what to do about INBOX in a setup like this: I don't think
> you're allowed to *not* have an INBOX. Probably each user should have
> one 'canonical' private account, which contains their IMAP INBOX. If you
> didn't want to do this I expect you could set up a default namespace
> which is read-only, with just an empty INBOX in it.)
>
> If you want to try this, and you're having trouble getting the scripting
> right, I'd be happy to help you through it if you can post enough
> information about the LDAP schema you eventually decide on.
>
> Ben
>

All accounts in a tree sounds bad since users won't clearly understand
which is which.
Thank you Ben!

-- 
Marco
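The username-splitting and authorization step Ben describes for a checkpassword userdb, as an added example that is not part of this thread. It covers only the parsing and lookup logic; a constructed table stands in for the AD/LDAP directory, and the user, mailbox and domain names are made up.

```python
"""Resolve a combined login such as 'user@domain.ad!account1@example1.com':
split it, check the AD user is allowed to open that mailbox, and produce
the fields a Dovecot userdb lookup would return (user, home, quota_rule)."""

# Constructed stand-in for the directory layout Ben sketched: one object
# per mailbox (keyed by mailboxAddr) and a multi-valued 'mailbox' attribute
# on each user listing the addresses that user may access.
MAILBOXES = {
    "account1@example1.com": {"mailboxLocation": "/example1.com/account1/",
                              "mailboxEnabled": True, "mailboxQuota": 1000000},
    "account2@example2.com": {"mailboxLocation": "/example2.com/account2/",
                              "mailboxEnabled": False, "mailboxQuota": 1000000},
}
USERS = {
    "alice@corp.ad": ["account1@example1.com", "account2@example2.com"],
    "bob@corp.ad": ["account1@example1.com"],
}


def split_login(login):
    """Split on the first '!' so both halves may keep their own '@'."""
    user, sep, account = login.partition("!")
    if not sep or "@" not in user or "@" not in account:
        raise ValueError("login must look like user@domain.ad!mailbox@domain")
    return user.lower(), account.lower()


def resolve_mailbox(login, users=USERS, mailboxes=MAILBOXES):
    """Return userdb fields for an authorised login, or None when the login
    is malformed, the user is unknown, the user is not permitted for that
    mailbox, or the mailbox is disabled. 'user' is the AD name, which is
    what the password check must then be run against."""
    try:
        user, account = split_login(login)
    except ValueError:
        return None
    allowed = [a.lower() for a in users.get(user, [])]
    if account not in allowed:
        return None          # authenticated user, but no right to this box
    box = mailboxes.get(account)
    if box is None or not box["mailboxEnabled"]:
        return None
    return {"user": user,
            "home": box["mailboxLocation"],
            "quota_rule": "*:bytes=%d" % box["mailboxQuota"]}
```

A real checkpassword script would read the login and password from fd 3, run this resolution, verify the password against the AD user it returns, and export the fields as environment variables before exec'ing the reply program.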
