[horde] Re: separation of horde users from application users

Jan Schneider jan at horde.org
Sun Feb 13 04:48:32 PST 2005


Quoting Mike Culbertson <mike at infoleak.com>:

> IMP at http://server.domain.com
> After authenticating to the default IMAP server via IMP, users can access
> Turba and Kronolith but NOT anything else in Horde.

That doesn't make sense, unless you set application specific permissions.

> Following the FAQ, IMP was easy to set up as the server root, but then I
> changed my authentication from the default auto-login and I immediately
> noticed a problem: I can see no clear way to differentiate users of one
> application from users of the entire Horde+apps installation. Here are
> examples:

You can't do that generally, only for IMP and Gollem that need separate 
logins. You can only set application level permissions for users or 
groups.

> auto-authentication:
>
> With authentication set to auto-login, accessing 
> http://server.domain.com gives
> an IMP login, so far so good. A user can access their mail as normal. But if
> one accesses Turba or Kronolith, they are automatically authenticated as
> whoever is set to auto-login for Horde, thereby resulting in every IMP user
> seeing the _same_ calendar and contacts.

That's exactly what auto-authentication is for.

> application (IMP)  auth:
>
> The result is that if I access http://server.domain.com or
> http://server.domain.com/horde/imp/, I  get dumped to a Horde login.  I can
> successfully login using my IMAP user/pass but then I am presented with the
> left-side tree menu (since I logged into horde, not just IMP), and if I try
> to view my inbox, or any other feature, I get yet another login prompt in the
> display frame. Inbox, etc, are viewable if I log in every time I click
> something, but that is understandably not acceptable.

Then you have set up something wrong. Probably the cookie path was not 
adapted to the fact that horde is now in the webroot.

> IMAP authentication:
>
> Users can log in using the same user/pass as they would for IMP alone, but
> then I still end up with users getting access to everything in Horde, not
> just IMP (and any other specific apps).

See above, this is not possible (by login, only by perms).

> SQL or any other auth:
>
> Sort of the reverse problem to auto-auth, users get dumped to a horde login
> because there is no Horde account for them, and never even get a chance to
> use IMP.

Of course you need users in whatever backend you choose to authenticate 
against.

> The main problem seems obvious, if I want a user to use IMP only, it
> seems they need to authenticate to Horde (not just the IMAP server) in order
> to use any other apps (Turba, etc). This makes sense, until I want to
> segregate IMP users from the rest of the Horde functions, and also when I
> want to manage administrators.

No, unless you use hordeauth in IMP or application authentication in 
Horde through IMP, you always need to login to IMP separately. And this 
doesn't have anything to do with admins.

> If I use application(IMP) or IMAP auth, am I supposed to create a user on the
> imap server just so I can access administration functions of Horde?

Yes.

> Am I supposed to create Horde users for every IMAP user that might 
> want to use
> IMP? If so, how am I supposed to manage password sync? (the IMAP server uses
> PAM and local files, no central mechanism like LDAP, and changing this is not
> an option)

No.

> Is it at all possible to require different authentication requirements per
> application, so that I may give IMP users access to Turba, Kronolith, without
> giving them access to every other app under Horde?

Through permissions, yes.

> If I'm not doing auto-login, how do I force users to the IMP login 
> prompt, not
> the Horde login prompt (assuming I can somehow segregate the two).

Depends on your setup, you have many options, so you first need to 
choose what authentication scheme you want.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
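As an added illustration of the two settings Jan points at (not part of this thread, and not Horde's shipped configuration files), the snippet below shows a stale cookie path beside the corrected one, and the application-authentication setup that lets IMAP credentials serve as the single Horde login. The key names are the conf.php / servers.php keys of the Horde 3 / IMP 4 era; the hostnames and domain are placeholders.

```php
<?php
// Added example, not from the thread. Two configuration points raised in the
// reply above: cookie path scoping and application authentication via IMP.

// --- horde/config/conf.php ------------------------------------------------

// After moving Horde into the web root, a cookie path still set to '/horde'
// is the classic cause of the "login prompt on every click" symptom: the
// session cookie is never sent with requests to '/', so every request looks
// unauthenticated.
//
//   $conf['cookie']['path'] = '/horde';   // stale value from the default install
//
// Corrected: scope the cookie to where Horde now lives. Keep it as narrow as
// the layout allows; a broader path than necessary shares the session cookie
// with every other application served from the same host.
$conf['cookie']['domain'] = $_SERVER['SERVER_NAME'];
$conf['cookie']['path']   = '/';

// Authenticate Horde through IMP, so the IMAP server is the only credential
// store and no parallel Horde user database (or password sync) is needed.
$conf['auth']['driver']        = 'application';
$conf['auth']['params']['app'] = 'imp';

// --- horde/imp/config/servers.php ------------------------------------------

// With the application driver above, IMP reuses the Horde session
// credentials instead of prompting a second time ('hordeauth' => true).
$servers['imap'] = array(
    'name'       => 'IMAP Server',
    'server'     => 'imap.example.com',   // placeholder host
    'hordeauth'  => true,
    'protocol'   => 'imap/notls',
    'port'       => 143,
    'folders'    => '',
    'namespace'  => '',
    'maildomain' => 'example.com',        // placeholder domain
    'smtphost'   => 'smtp.example.com',   // placeholder host
    'smtpport'   => 25,
);
```

With this in place every IMAP user can log in once, and which applications they may then reach (Turba and Kronolith but nothing else, for instance) is controlled through Horde's application permissions for users or groups, exactly as the reply says, rather than through separate logins.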

