2012/11/13 Ben Morrow <b...@morrow.me.uk>:
> At 2PM +0100 on 13/11/12 you (Marco Gatti) wrote:
>> 2012/11/13 Robert Schetterer <r...@sys4.de>:
>> > On 13.11.2012 11:35, Marco Gatti wrote:
>> >> Hi, I was looking for a particular case of dovecot configuration I
>> >> cannot find anywhere.
>> >> Is there a way dovecot can authenticate via ldap different windows
>> >> 2008 AD users that have access to the same e-mail account (like user
>> >> authorization in ms exchange)?
>> >> For example I want to extend AD schema to let users have 10 email
>> >> accounts (with multiple domain support). If they are private accounts
>> >> I think there is no problem at all. But if I want two or more users to
>> >> access the same mail account what happens? Can I do it with dovecot?
>> >> Or should I create AD groups and add members to that, to let user
>> >> access the same mail account?
> <snip>
>> I'll try to give more details.
>> I have to build a multiple domain mail server with the use of windows
>> AD authentication.
>> I've managed to add some extra fields in the AD schema like this:
>>
>> mail1: accou...@example1.com
>> box1: /example1.com/account1/
>> enabled1: TRUE
>> quota1: 1000000
>>
>> mail2: accou...@example2.com
>> box2: /example2.com/account2/
>> enabled2: TRUE
>> quota2: 1000000
>
> This isn't a good schema to use for this. The mail1, mail2 &c attributes
> represent the same property of different addresses, so they should be
> the same attribute on different objects.
>
> I don't know much about AD's LDAP server, is it straightforward to
> create brand new objectclasses? If I were doing this in an ordinary LDAP
> server I might create a class of objects which looked like
>
> mailboxAddr: accou...@example1.com
> mailboxLocation: /example1/account1
> mailboxEnabled: TRUE
> mailboxQuota: 1000000
>
> with mailboxAddr as the RDN, and then give each user a multi-valued
> mailbox attribute with the addresses that user has access to.

You mean multi-valued mailboxAddr, mailboxLocation, and so on? How can I
extract a single one and be sure it's correct?

>> There could be 10 or 50 of them for each AD user.
>> If I use NTLM or PAM authentication (after joining the AD) I have to
>> use AD usernames to login with dovecot and I don't know how then to
>> deal with different email addresses configured per user.
>> If I use LDAP lookup I have to use the email address as username but
>> then if different AD users have to access the same email account how
>> can dovecot manage it???
>
> If you want the user to be able to log in and see just one address at a
> time you have to have the user tell dovecot which user and which address
> they want when they log in. Since (usually) the only fields you have are
> 'user' and 'password', they will need to stuff both components into the
> user field somehow; perhaps by logging on with a user name of
>
> u...@domain.ad!accou...@example.com
>
> You would then need (probably) to write a checkpassword userdb script to
> split this into username and account name, verify the user is authorized
> for the account, look up the mailbox location using the account name,
> and pass the username back to be checked against the password. So, it
> could be done, but it would be messy and users would get it wrong all
> the time.

Since users don't configure mail clients on their own it could be a solution!

> Alternatively, you could have the user log in with their ordinary AD
> account name, and then present them with *all* the email accounts they
> have access to, as separate (trees of) folders. You can do this with a
> post-login script which sets up a namespace for each account: see the
> example at the bottom of http://wiki2.dovecot.org/PostLoginScripting for
> something vaguely similar. You would need to use Net::LDAP (or some
> equivalent in some other language) to look up the user's accounts in the
> AD, and then create the relevant environment variables.
>
> (I'm not sure what to do about INBOX in a setup like this: I don't think
> you're allowed to *not* have an INBOX. Probably each user should have
> one 'canonical' private account, which contains their IMAP INBOX. If you
> didn't want to do this I expect you could set up a default namespace
> which is read-only, with just an empty INBOX in it.)
>
> If you want to try this, and you're having trouble getting the scripting
> right, I'd be happy to help you through it if you can post enough
> information about the LDAP schema you eventually decide on.
>
> Ben

All accounts in a tree sounds bad since users won't clearly understand
which is which.

Thank you Ben!

-- 
Marco
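The "split the login, authorize the user for the account, look up the mailbox, hand the AD username back for password checking" step that Ben sketches above is the part most worth getting right, because it is the only place where one AD user is prevented from opening another user's box. The following is an added example written for this thread, not code from Ben, Marco or the Dovecot project. It models the directory Ben proposes (mailbox objects keyed by mailboxAddr, users with a multi-valued mailbox attribute) as constructed in-memory dictionaries standing in for an LDAP search, uses his suggested `user@domain.ad!account@example.com` login format, and returns the fields such a script would pass back. The output key names (`user`, `mail`, `quota_rule`) are modelled on Dovecot userdb extra fields but are assumptions here; the checkpassword reply protocol itself is not implemented.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed login format from the thread: user@domain.ad!account@example.com
LOGIN_SEPARATOR = "!"

# Constructed sample directory standing in for the LDAP objects Ben describes.
# Real code would fetch these with an LDAP search (Net::LDAP, python-ldap, ...).
MAILBOXES = {
    # mailboxAddr (the RDN) -> remaining attributes of the mailbox object
    "account1@example1.com": {"mailboxLocation": "/example1.com/account1/",
                              "mailboxEnabled": "TRUE", "mailboxQuota": "1000000"},
    "account2@example2.com": {"mailboxLocation": "/example2.com/account2/",
                              "mailboxEnabled": "FALSE", "mailboxQuota": "1000000"},
    "shared@example1.com":   {"mailboxLocation": "/example1.com/shared/",
                              "mailboxEnabled": "TRUE", "mailboxQuota": "5000000"},
}
USERS = {
    # AD user principal -> multi-valued "mailbox" attribute (addresses the user may open)
    "alice@domain.ad": ["account1@example1.com", "shared@example1.com"],
    "bob@domain.ad":   ["account2@example2.com", "shared@example1.com"],
}


class LoginRejected(Exception):
    """Raised when the combined login must not be mapped to a mailbox."""


@dataclass(frozen=True)
class Resolved:
    ad_user: str    # principal whose password Dovecot still has to verify (PAM/NTLM/LDAP bind)
    mailbox: str    # address the session is scoped to
    location: str   # mailboxLocation from the mailbox object
    quota: int      # mailboxQuota in bytes


def split_login(login: str) -> tuple[str, str]:
    """Split 'user@domain.ad!account@example.com' into (user, mailbox).

    Exactly one separator, both parts non-empty, both lower-cased so the
    membership test matches the way LDAP compares mail attributes
    (case-insensitively) instead of depending on how the client typed it.
    """
    parts = login.split(LOGIN_SEPARATOR)
    if len(parts) != 2 or not all(parts):
        raise LoginRejected("login must be exactly user!mailbox")
    user, mailbox = (p.strip().lower() for p in parts)
    if "@" not in user or "@" not in mailbox:
        raise LoginRejected("both parts must be qualified addresses")
    return user, mailbox


def resolve_login(login: str, users=USERS, mailboxes=MAILBOXES) -> Resolved:
    """Authorize the user for the requested mailbox and look up its location.

    The user's own attribute decides authorization, the mailbox object decides
    whether the box is enabled, and only then is the location released. The
    password is NOT checked here; the caller hands ad_user back to Dovecot.
    """
    user, mailbox = split_login(login)
    allowed = users.get(user)
    if allowed is None:
        raise LoginRejected("unknown user")
    # Exact-match membership; never substring or prefix matching on addresses.
    if mailbox not in {a.lower() for a in allowed}:
        raise LoginRejected("user is not authorized for this mailbox")
    obj = mailboxes.get(mailbox)
    if obj is None:
        raise LoginRejected("mailbox object missing")  # dangling reference in the user entry
    if obj.get("mailboxEnabled", "").upper() != "TRUE":
        raise LoginRejected("mailbox disabled")
    return Resolved(user, mailbox, obj["mailboxLocation"], int(obj["mailboxQuota"]))


def userdb_fields(login: str) -> Optional[dict]:
    """Fields a checkpassword-style script would hand back, or None on rejection.

    Key names are assumptions modelled on Dovecot userdb extra fields.
    """
    try:
        r = resolve_login(login)
    except LoginRejected:
        return None
    return {"user": r.ad_user,
            "mail": f"maildir:{r.location}",
            "quota_rule": f"*:bytes={r.quota}"}


if __name__ == "__main__":
    for attempt in ["alice@domain.ad!account1@example1.com",
                    "bob@domain.ad!account1@example1.com",  # not in bob's mailbox attribute
                    "bob@domain.ad!account2@example2.com",  # authorized, but the box is disabled
                    "alice@domain.ad"]:                      # no mailbox component at all
        print(attempt, "->", userdb_fields(attempt))
```

Two choices in there matter for the shared-mailbox case: the username handed back for password verification is always the AD principal, never the mailbox address, so a correct password for one's own account can never be replayed against an address the user is not listed on; and a login that does not parse exactly (missing separator, extra separator, empty half) is rejected outright rather than falling back to treating the whole string as a mailbox name.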