[horde] Authorisation and virtual mail users

Vilius Sumskas/LNK vilius at lnk.lt
Fri Feb 20 10:06:58 UTC 2015


> On Fri, 20 Feb 2015, Vilius Sumskas/LNK wrote:
> >>> Quoting Jānis <je at ktf.rtu.lv>:
> >>>> there is the linux system with real users but for some
> >>>> considerations unknown to me it is of utmost importance to use
> >>>> virtual accounts for e-mails (postfix/dovecot/postfix-admin/mysql).
> >>>> Currently everything works, but the logging in twice is necessary -
> >>>> first - for the Horde framework, except Imp, using sys user
> >>>> credentials and the second - using virtual email address if one is
> >>>> going to read/send e-mails.
> >>>>
> >>>> Sys users can not be virtualized because they have huge personal
> >>>> homes there
> >>>>
> >>>> Is it possible to achieve single authorization for such strange
> >>>> system?
> >>>
> >>> If I understand your question correctly, it sounds like you are
> >>> using the wrong authentication backend. You should use
> >>> Application/IMP authentication, have the users login using the
> >>> virtual account credentials, and make sure you set "hordeauth" to
> >>> true in imp/config/backends.local.php.
> >>
> >> So the Horde users will be 100% virtual and, for example, task list
> >> will belong to the virtual user at domain, not the user with sys
> >> account?
> >>
> >> What will happen if such "beast" would want to use ssh2 backend for
> >> Gollem in order to access files on the system under his _system_
> >> account? I think this calls for the second authentication anyway,
> >> doesn't it?
> >
> > This calls for central username/password storage. LDAP or SQL. Configure
> > all your services (ssh, imap, etc.) to it and then configure Horde to
> > authenticate against it.
> 
> Some organisations do _not_ like to offer all services to one central
> account/password pair, because they consider user's lack of sensibility
> using certain passwords - e.g. reading mails in an internet cafe, storing
> mail passwords on smartphones easily available to other people - and want
> to protect other servers.
> Well, so I interpret the OP's "it is of utmost importance to use virtual
> accounts for e-mails".
>
> If that is not the intention, it should be easy to authenticate the
> virtual users with the passwords of the system users.

This is only possible if the passwords for different services are 
different. If OP wants to log in to different services from Horde only
once, passwords must be the same for all backends, or the backend should 
be centralized. There is no other way.

-- 
   Vilius

