[horde] separation of horde users from application users

Mike Culbertson mike at infoleak.com
Sat Feb 12 17:44:52 PST 2005


Real questions are at the bottom if you want to skip my excessive 
verbosity ;-P

I am quite confused about how to achieve this.  I have Horde, IMP, Turba, 
Kronolith and Gollem installed. Each is working fine, but the overall setup 
is not making sense to me.  I am trying to achieve this:

IMP at http://server.domain.com
After authenticating to the default IMAP server via IMP, users can access 
Turba and Kronolith but NOT anything else in Horde.

Following the FAQ, IMP was easy to set up as the server root, but then I 
changed my authentication from the default auto-login and I immediately 
noticed a problem: I can see no clear way to differentiate users of one 
application from users of the entire Horde+apps installation. Here are 
examples:

auto-authentication:

With authentication set to auto-login, accessing http://server.domain.com gives 
an IMP login, so far so good. A user can access their mail as normal. But if 
one accesses Turba or Kronolith, they are automatically authenticated as 
whoever is set to auto-login for Horde, thereby resulting in every IMP user 
seeing the _same_ calendar and contacts.

application (IMP)  auth:

The result is that if I access http://server.domain.com or 
http://server.domain.com/horde/imp/, I get dumped to a Horde login.  I can 
successfully log in using my IMAP user/pass but then I am presented with the 
left-side tree menu (since I logged into horde, not just IMP), and if I try 
to view my inbox, or any other feature, I get yet another login prompt in the 
display frame. Inbox, etc, are viewable if I log in every time I click 
something, but that is understandably not acceptable.

IMAP authentication:

Users can log in using the same user/pass as they would for IMP alone, but 
then I still end up with users getting access to everything in Horde, not 
just IMP (and any other specific apps).

SQL or any other auth:

Sort of the reverse problem to auto-auth, users get dumped to a horde login 
because there is no Horde account for them, and never even get a chance to 
use IMP.


The main problem seems obvious, if I want a user to use IMP only, it 
seems they need to authenticate to Horde (not just the IMAP server) in order 
to use any other apps (Turba, etc). This makes sense, until I want to 
segregate IMP users from the rest of the Horde functions, and also when I 
want to manage administrators. 

If I use application(IMP) or IMAP auth, am I supposed to create a user on the 
imap server just so I can access administration functions of Horde? 

Am I supposed to create Horde users for every IMAP user that might want to use 
IMP? If so, how am I supposed to manage password sync? (the IMAP server uses 
PAM and local files, no central mechanism like LDAP, and changing this is not 
an option)

Is it at all possible to require different authentication requirements per 
application, so that I may give IMP users access to Turba, Kronolith, without 
giving them access to every other app under Horde?

If I'm not doing auto-login, how do I force users to the IMP login prompt, not 
the Horde login prompt (assuming I can somehow segregate the two).

TIA, sorry for the long ramble, it was harder to explain than I thought it 
would be.

-- Mike Culbertson

