[horde] Authorisation and virtual mail users

Steffen skhorde at smail.inf.fh-bonn-rhein-sieg.de
Fri Feb 20 07:35:07 UTC 2015


On Fri, 20 Feb 2015, Jānis wrote:
> Quoting Michael J Rubinsky <mrubinsk at horde.org>
> Thu, 19 Feb 2015 16:13:22 -0500:
>
>> Quoting Jānis <je at ktf.rtu.lv>:
>>> there is the linux system with real users but for some considerations 
>>> unknown to me it is of utmost importance to use virtual accounts for 
>>> e-mails (postfix/dovecot/postfix-admin/mysql).
>>> Currently everything works, but logging in twice is necessary - first - for 
>>> the Horde framework, except Imp, using sys user credentials and the second 
>>> - using virtual email address if one is going to read/send e-mails.
>>> 
>>> Sys users can not be virtualized because they have huge personal homes 
>>> there
>>> 
>>> Is it possible to achieve single authorization for such a strange system?
>> 
>> If I understand your question correctly, it sounds like you are using the 
>> wrong authentication backend. You should use Application/IMP 
>> authentication, have the users login using the virtual account credentials, 
>> and make sure you set "hordeauth" to true in imp/config/backends.local.php.
>
> So the Horde users will be 100% virtual and, for example, task list will 
> belong to the virtual user at domain, not the user with sys account?
>
> What will happen if such a "beast" would want to use the ssh2 backend for Gollem in 
> order to access files on the system under his _system_ account? I think this 
> calls for the second authentication anyway, doesn't it?

Yes. However, you have some options:

1) have your IMAP & SMTP server honor the system user passwords in 
conjunction with the ones of the virtual accounts. With Dovecot you can 
change the username in passdb{} queries to make that happen via 
ExtraFields.
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/User

So the users log into Webmail with the system user, whose password will 
work with Gollem. Pure virtual users will be prompted for a password in 
Gollem.

2) have Horde access a clear-text password for the user, or whatever else 
you can pass to the SSH server in Gollem. You could configure the SSH 
server to not require the original user password, but some other - 
internal - one.

-- 
Steffen

