Hello,
We're a rather largish university (largest in Israel), with some 60-70k users, using Dovecot 1.2.14 (we're cautious about moving to 2.0.x for now).

We need to provide admin rights to faculty computer/IT staff, so they can have access to the mailboxes of their respective users. We use LDAP as an authentication/authorization backend.

Currently, dovecot has a "master user" which can access all mailboxes. I am looking for a solution, preferably within dovecot, to create a delegation type of administration, allowing certain users to access the mailboxes of other users based on an LDAP filter or LDAP attribute value. If possible, allowing per-protocol access (that is, I would like to give them IMAP access and not POP3) and within IMAP allowing only to view a mailbox, but not to change it, that would be even better.

Does anyone on this list know of any IMAP proxy providing such abilities, and also, would the Dovecot team consider this as a candidate for a request for enhancement? This would be very useful in a delegated administration environment, like most larger organizations, hosting & ISP, and other environments where delegation is an important and very much needed ability.
thanks a bunch,
-- Ariel
--
Ariel Biener
e-mail: ariel at post.tau.ac.il
PGP: http://www.tau.ac.il/~ariel/pgp.html
On 23/05/2011 16:07, Ariel Biener wrote:
> We need to provide admin rights to faculty computer/IT staff, so they
> can have access to the mailboxes
> of their respective users. We use LDAP as an
> authentication/authorization backend.
>
> Currently, dovecot has a "master user" which can access all
> mailboxes. I am looking for a solution,
> preferably within dovecot, to create a delegation type of
> administration, allowing certain users to
> access the mailboxes of other users based on an LDAP filter or LDAP
> attribute value. If possible,
> allowing per protocol access (that is, I would like to give them IMAP
> access and not POP3) and within IMAP
> allowing only to view a mailbox, but not to change it, that would be
> even better.

If I were doing this in SQL, then I would construct my SQL query to basically be true IFF some complicated where clause confirms the delegation? Possibly you can do a similar query in LDAP?

Note one significant limitation is that the username is in the format "admin*user" in variable %u. This makes all your queries quite tricky... I would recommend considering sponsoring some feature request to have this split into two extra variables with the admin and usernames split out? In the case of LDAP that should make it possible to filter on some admin attribute?

Also you have the checkpassword script option and you can do anything you like in that script?

Good luck

Ed W