hi everybody

I wonder if it is safe (and wise) to have two passw-user databases for the same one user.
I'm thinking,
mail to me via pam
mail to me at this.domain via ldap

whole Maildir would be essentially the same one storage target, I see permissions have to be mangled, available to write for both vmail and actual uid.

what do you think? Is it how it's done?

regards
Steffen Kaiser
2015-Jun-23 14:34 UTC
is it safe to have two backed used for the same user?
On Tue, 23 Jun 2015, lejeczek wrote:

> I wonder if it is safe (and wise) to have two passw-user databases for the
> same one user.
> I'm thinking,
> mail to me via pam
> mail to me at this.domain via ldap

the first passdb wins. No problem.

> whole Maildir would be essentially the same one storage target, I see
> permissions have to be mangled, available to write for both vmail and actual
> uid.

again, the first userdb wins. Your users can auth against pam, but the data may come from LDAP or a static userdb.
If you auth against PAM successfully, it does _not_ mean that you automatically use system users or Dovecot changes uids or something. All such information comes from the userdb. If both users match the same userdb entry, they appear the same for Dovecot.

-- 
Steffen Kaiser
Steffen Kaiser
2015-Jun-23 14:41 UTC
is it safe to have two backed used for the same user?
On Tue, 23 Jun 2015, Steffen Kaiser wrote:

> On Tue, 23 Jun 2015, lejeczek wrote:
>
>> I wonder if it is safe (and wise) to have two passw-user databases for the
>> same one user.
>> I'm thinking,
>> mail to me via pam
>> mail to me at this.domain via ldap
>
> the first passdb wins. No problem.
>
>> whole Maildir would be essentially the same one storage target, I see
>> permissions have to be mangled, available to write for both vmail and
>> actual uid.
>
> again, the first userdb wins. Your users can auth against pam, but the data
> may come from LDAP or a static userdb.
> If you auth against PAM successfully, it does _not_ mean that you
> automatically use system users or Dovecot changes uids or something. All
> such information comes from the userdb. If both users match the same userdb
> entry, they appear the same for Dovecot.

To make it more clear: you can have

    passdb {
      driver = pam
    }
    passdb {
      driver = ldap
      ...
    }
    userdb {
      driver = ldap
      ....
    }

you do not need any userdb { driver = passwd }, unless you require user data from this source.

Or use userdb { driver = static } instead of the LDAP one, because you do not use LDAP attributes anyway.

-- 
Steffen Kaiser
On 23/06/15 15:34, Steffen Kaiser wrote:

> On Tue, 23 Jun 2015, lejeczek wrote:
>
>> I wonder if it is safe (and wise) to have two passw-user
>> databases for the same one user.
>> I'm thinking,
>> mail to me via pam
>> mail to me at this.domain via ldap
>
> the first passdb wins. No problem.
>
>> whole Maildir would be essentially the same one storage
>> target, I see permissions have to be mangled, available
>> to write for both vmail and actual uid.
>
> again, the first userdb wins. Your users can auth against
> pam, but the data may come from LDAP or a static userdb.
> If you auth against PAM successfully, it does _not_ mean that
> you automatically use system users or Dovecot changes uids
> or something. All such information comes from the userdb.
> If both users match the same userdb entry, they appear the
> same for Dovecot.

my working setup as above breaks if the target storage misses o=rwx (very weird again)
Even if I stick an ACL to it with vmail=rwX it still fails and quite silently leaving one clueless.
me via pam = actual UID
me at this.domain via ldap = vmail UID
and that shared storage target seems must have o=rwx ???
(Or I still got it wrong somewhere?)

> -- 
> Steffen Kaiser
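
The single-userdb layout suggested earlier in the thread, written out as an added example (not part of the original thread and not posted by either participant). The `vmail` account name comes from the thread; the mail root `/var/vmail`, the LDAP settings file path and the choice of `%n` for the home directory are assumptions.

```conf
# Added example, not from the thread.
# Assumed: /var/vmail is the mail root, /etc/dovecot/dovecot-ldap.conf.ext
# holds the LDAP connection settings.

# Authentication only: passdbs are tried in order and the first one that
# accepts the login wins. Neither block decides the uid or the mail path.
passdb {
  driver = pam
}
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# User data: one userdb for every login, whichever passdb authenticated it.
# %n is the user part of the login name, so "me" (PAM) and "me@this.domain"
# (LDAP) both resolve to uid=vmail, gid=vmail, home=/var/vmail/me.
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%n
}

mail_location = maildir:~/Maildir

# Contrast: adding "userdb { driver = passwd }" would make the PAM login run
# under the system uid while the LDAP login runs as vmail, which is the
# two-writer situation that pushes the Maildir towards o=rwx.
# With a single owning uid the tree can stay closed to "other":
#   chown -R vmail:vmail /var/vmail
#   chmod -R u=rwX,go= /var/vmail

# Caveat for delivery (LDA/LMTP): the static userdb checks that a user exists
# by asking the passdbs, and PAM cannot answer without a password.
# allow_all_users=yes in the static args skips that check, so recipient
# validation then has to happen in the MTA.
```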