[imp] user permissions

Eric Rostetter eric.rostetter at physics.utexas.edu
Wed Apr 16 15:30:49 PDT 2003


Quoting Rodolfo <segleaur at mechanus.org>:

> ok guys, i'm going to assume you can read the version numbers of what he's
> running. what he says in the rest is that he's got a group of users that
> shouldn't be able to access imp, but they do need mail accounts. he's
> currently authenticating against IMAP, which means they're real users
> (as in PAM).

That's a tough issue.

> now, correct me if i'm wrong, but as far as i understand PAM authentication,
> as long as the user belongs to the right groups, he'll have access to
> anything he wants;

No, you can limit it per service in PAM, or write your own PAM module
to check things as you like.

In this case, he wants to change /etc/pam.d/imap.  By default it uses
system authentication. He needs to change this.  It could be changed
for example to only allow people in a particular system group access.

> webpages being served by apache don't really follow this model - anyone
> with a web browser could surf onto the page.

Unless restricted with httpd protections.

> my first thought was to develop a custom hook, where it looked for a file
> with the usernames that shouldn't authenticate and simply fumble their
> password so they can never log in - but there are two problems, he's using
> IMAP (which the custom hook wouldn't work - or so it says in the conf.php
> file) and it would really jarble the log file.

Haven't checked, but I don't know why you couldn't use a hook with IMAP.

> WU-IMAP that comes with redhat 8.0 has no way of limiting who can access it

I think that is wrong.   The way is PAM.  By default, it doesn't restrict
people, but you can change that via /etc/pam.d/imap.

> (and obviously that's not what he wants - since certain users need to access
> mail).

No, it is exactly what he wants.  To allow some, and deny others.  It could
do so completely, or by originating IP address (don't allow access from the
Horde IP, but allow it from elsewhere), or any other criteria.

> the point that the access has to be stopped is at the Horde level - any

No, it doesn't.  It can be at the server level, or at Horde.

> suggestions on how someone could block a user from accessing Horde if
> they're a system user?

Hooks I would guess...  Not sure why you (or the docs) would say it can't
be done with IMAP.  Seems like that would work to me.

> Cheers,
>
> Rodolfo

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
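
Added example, not part of the original message: one way to make the /etc/pam.d/imap change described above, using pam_listfile so that only members of a listed system group can authenticate to the IMAP service. The group name `mailusers`, the file `/etc/imap.allow-groups`, and the pam_stack lines standing in for the existing system authentication are assumptions.

```conf
#%PAM-1.0
# /etc/pam.d/imap -- restrict the IMAP service to members of one system group.
#
# Assumption: the existing file hands off to system-auth through pam_stack.
# Keep whatever auth/account lines your file already has; only the
# pam_listfile line is new.
#
# /etc/imap.allow-groups is a hypothetical file with one group name per
# line, for example:
#     mailusers
#
# item=group   compare the user's group memberships against the file
# sense=allow  succeed only if one of the user's groups is listed
# onerr=fail   deny access if the file is missing or cannot be read
auth       required     pam_listfile.so item=group sense=allow file=/etc/imap.allow-groups onerr=fail
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
```

Keep the group file owned by root and not writable by anyone else. Because IMP authenticates through this same IMAP service, a user denied here is denied IMAP from every client, not only from IMP.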

