Hello,

we are searching for a possibility to configure a user login on behalf of another user with a PAM backend. This resembles the behavior of a master user. But a master user can access the mailboxes of all users. We need this more restricted.

Example: Users "user1" and "user2" shall get access to the mailbox "info". We define the accounts "info~user1" and "info~user2" with the same home directory as "info". Until now, we use a passwd-file backend. With this setup we can simply copy the password hash from "user1" to "info~user1" and from "user2" to "info~user2".

But we intend to change the passdb backend from a flat file to PAM for authentication against Active Directory. This seems to be simple with pam_krb5. But then we can't simply copy password hashes anymore. Is there another possibility for configuring this?

Surely the preferable alternative would be the use of ACLs to give access to other users' mailboxes. But we started this setup with Dovecot 1.0 or 1.1, and with these versions ACLs weren't available. And now we have too many accounts and clients which are configured this way and can't change this in the short term.

The passdb/userdb file from the above example looks like this:

    info:!:501:501:Info:/home/mail01/info::
    info~user1:PASSWORD_USER1:501:501:Info:/home/mail01/info:: \
        userdb_mail=maildir:~/Maildir: \
        INDEX=/srv/dovecot/index/info: \
        CONTROL=/srv/dovecot/control/info
    info~user2:PASSWORD_USER2:501:501:Info:/home/mail01/info:: \
        userdb_mail=maildir:~/Maildir: \
        INDEX=/srv/dovecot/index/info: \
        CONTROL=/srv/dovecot/control/info
    user1:PASSWORD_USER1:501:501:Info:/home/mail01/user1::
    user2:PASSWORD_USER2:501:501:Info:/home/mail01/user2::

Ingo Rogalsky
rog7993 at web.de wrote:
> User "user1" and "user2" shall get access to the mailbox "info". We
> define the accounts "info~user1" and "info~user2" with the same home
> directory like "info".

Isn't this the kind of scenario shared folders were made for?

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.
On 2012-02-05 17:53, rog7993 at web.de wrote:
> Surely the preferable alternative would be the use of ACLs to give
> acccess to other users mailboxes. But we started this setup with
> Dovecot 1.0 or 1.1. And with these versions, ACLs weren't available.
> And now we have too much accounts and clients, which are configured
> this way and can't change this for the short term.

Security-wise I would also do this. I have had bots trying all day here to guess weak passwords, to find at least one login that works. If ACLs are used, only one password is found, and the other user does not need to change his password; only the ACL has to be changed, or the other user asked to change his password. It is still possible that both users are the same user; IMHO it makes no difference whether they are PAM users or not.
On 5.2.2012, at 18.53, rog7993 at web.de wrote:
> we are searching for a possibility to configure a user login on behalf of another user with a PAM backend. This reminds to the behavior of a master user. But a master user can access the mailboxes of all users. We need this more restricted.

Master user doesn't necessarily have access to all users' mailboxes. In the passdb lookup you can decide if this master user is allowed to be this destination user. For example if you used passdb checkpassword, you could look at USER and MASTER_USER environment variables to figure out if this combination should be allowed or not. The checkpassword script can also do the actual authentication via PAM (I'd think there's a way to call it somehow).
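As an added illustration of the checkpassword approach Timo describes above (this is example code written for this page, not code from the thread or from Dovecot itself), the script below decides a master login purely from the master/destination pair: "user1" and "user2" may act as "info", nothing else, so the per-user "info~user1" accounts and the copied password hashes are no longer needed. Dovecot invokes a checkpassword script with the reply program as its first argument, hands it "<user>\0<password>\0<timestamp>\0" on fd 3, sets MASTER_USER for master logins, and expects exit status 0 (then the script execs the reply program), 1 for a rejected login, 2 for a malformed request and 111 for a temporary failure. Everything else is an assumption of the example: the allow-list path /etc/dovecot/master-allow with one "master:destination" pair per line, a hypothetical helper /usr/local/bin/pam-check that reads "user\npassword\n" on stdin and exits 0 when PAM accepts the credentials (Dovecot ships no such helper; pam_krb5 would sit behind it), and that for master logins a separate master passdb with result_success=continue has already verified the master user's own password, so this script only has to decide authorisation for that case.

```shell
#!/bin/sh
# Added example, not from the thread and not Dovecot's own code: a Dovecot
# checkpassword script that allows only listed master -> destination pairs.
#
# Dovecot runs:   /path/to/this-script /path/to/checkpassword-reply
# fd 3 carries:   "<user>\0<password>\0<timestamp>\0"
# environment:    MASTER_USER is set when this is a master login
# exit status:    0 = OK (exec reply program), 1 = rejected, 2 = misuse,
#                 111 = temporary failure
#
# Assumptions (ours): the allow-list file and the PAM helper below are
# hypothetical; for master logins a master passdb with
# result_success=continue has already checked the master's own password.
#
# Constructed sample of /etc/dovecot/master-allow:
#   user1:info
#   user2:info

ALLOW_FILE="${ALLOW_FILE:-/etc/dovecot/master-allow}"   # hypothetical path
PAM_AUTH="${PAM_AUTH:-/usr/local/bin/pam-check}"         # hypothetical helper

# is_allowed MASTER DEST: return 0 if MASTER may log in as DEST.
# grep -x forces a whole-line match, so "user1:info" does not also admit
# "user10:info"; -F keeps '~' and '.' in usernames literal.
is_allowed() {
    master=$1
    dest=$2
    [ "$master" = "$dest" ] && return 0      # acting as oneself is always fine
    [ -r "$ALLOW_FILE" ] || return 1         # no list, no delegation
    grep -qxF -- "$master:$dest" "$ALLOW_FILE"
}

# split_creds: read the NUL-separated fields from fd 3 into CP_USER/CP_PASS.
split_creds() {
    creds=$(tr '\0' '\n' <&3) || return 1
    CP_USER=$(printf '%s\n' "$creds" | sed -n '1p')
    CP_PASS=$(printf '%s\n' "$creds" | sed -n '2p')
    [ -n "$CP_USER" ]
}

# Only speak the checkpassword protocol when Dovecot passes the reply
# program as $1; running or sourcing the file without arguments (as in a
# test) must not touch fd 3.
if [ "$#" -gt 0 ]; then
    split_creds || exit 2
    if [ -n "$MASTER_USER" ]; then
        # Master login: the destination user on fd 3, the master user in
        # the environment.  Decide authorisation only (see assumptions).
        is_allowed "$MASTER_USER" "$CP_USER" || exit 1
    else
        # Ordinary login: let PAM (e.g. pam_krb5) verify the password.
        printf '%s\n%s\n' "$CP_USER" "$CP_PASS" | "$PAM_AUTH" || exit 1
    fi
    USER=$CP_USER
    export USER
    exec "$@"
fi
```

With this in place the passdb side of the original passwd-file shrinks to the real users; the shared "info" entry with its INDEX and CONTROL fields stays in the userdb, and a user reaches it by logging in as "info" with "user1" as the master user, so only user1's own password is ever stored or guessed.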