Hello,

we are searching for a possibility to configure a user login on behalf of another user with a PAM backend. This is reminiscent of the behavior of a master user. But a master user can access the mailboxes of all users. We need this more restricted.

Example:

Users "user1" and "user2" shall get access to the mailbox "info". We define the accounts "info~user1" and "info~user2" with the same home directory as "info".

Until now, we use a passwd-file backend. With this setup we can simply copy the password hash from "user1" to "info~user1" and from "user2" to "info~user2". But we intend to change the passdb backend from a flat file to PAM for authentication against Active Directory. This seems to be simple with pam_krb5. But then we can't simply copy password hashes anymore. Is there another possibility for configuring this?

Surely the preferable alternative would be to use ACLs to give access to other users' mailboxes. But we started this setup with Dovecot 1.0 or 1.1, and with these versions ACLs weren't available. And now we have too many accounts and clients which are configured this way, and we can't change this in the short term.

The passdb/userdb file from the above example looks like this:

info:!:501:501:Info:/home/mail01/info::

info~user1:PASSWORD_USER1:501:501:Info:/home/mail01/info:: \
  userdb_mail=maildir:~/Maildir: \
  INDEX=/srv/dovecot/index/info: \
  CONTROL=/srv/dovecot/control/info

info~user2:PASSWORD_USER2:501:501:Info:/home/mail01/info:: \
  userdb_mail=maildir:~/Maildir: \
  INDEX=/srv/dovecot/index/info: \
  CONTROL=/srv/dovecot/control/info

user1:PASSWORD_USER1:501:501:Info:/home/mail01/user1::

user2:PASSWORD_USER2:501:501:Info:/home/mail01/user2::


Ingo Rogalsky
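An added example, not part of the post and not Dovecot's own code: a small Python checker for the passwd-file layout shown above. It folds the backslash-continued entries, splits the fields (extra fields may themselves contain colons), flags "mailbox~user" aliases whose copied hash no longer matches the real user's hash, and lists home directories shared by several accounts. The sample file and its placeholder hashes are constructed.

```python
# Constructed sample modelled on the passwd-file in the post above; the
# password fields are placeholder hashes, not real credentials.
SAMPLE = """\
info:!:501:501:Info:/home/mail01/info::
info~user1:{SHA512-CRYPT}$6$constructed$HASH_A:501:501:Info:/home/mail01/info:: \\
  userdb_mail=maildir:~/Maildir: \\
  INDEX=/srv/dovecot/index/info: \\
  CONTROL=/srv/dovecot/control/info
info~user2:{SHA512-CRYPT}$6$constructed$HASH_B:501:501:Info:/home/mail01/info:: \\
  userdb_mail=maildir:~/Maildir: INDEX=/srv/dovecot/index/info: CONTROL=/srv/dovecot/control/info
user1:{SHA512-CRYPT}$6$constructed$HASH_A:501:501:Info:/home/mail01/user1::
user2:{SHA512-CRYPT}$6$constructed$HASH_B_ROTATED:501:501:Info:/home/mail01/user2::
"""

FIELDS = ("password", "uid", "gid", "gecos", "home", "shell", "extra")

def parse_passwd_file(text):
    """Return {user: record}; record['extra'] holds the key=value fields."""
    logical = text.replace("\\\n", " ")          # fold continuation lines
    records = {}
    for line in logical.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(":", 7)               # extras may contain ':'
        parts += [""] * (8 - len(parts))         # pad short entries
        rec = dict(zip(FIELDS, parts[1:]))
        rec["extra"] = dict(kv.partition("=")[::2] for kv in rec["extra"].split())
        records[parts[0]] = rec
    return records

def find_stale_aliases(records, sep="~"):
    """'mailbox~user' entries whose hash no longer matches the real user."""
    stale = []
    for name, rec in records.items():
        if sep in name:
            owner = records.get(name.split(sep, 1)[1])
            if owner is None or owner["password"] != rec["password"]:
                stale.append(name)
    return sorted(stale)

def shared_homes(records):
    """Home directories used by more than one account (shared mailboxes)."""
    by_home = {}
    for name, rec in records.items():
        by_home.setdefault(rec["home"], []).append(name)
    return {h: sorted(u) for h, u in by_home.items() if len(u) > 1}
```

Running this over a real passwd-file before a password rotation shows which copied hashes would silently stop working for the delegate accounts.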
