[389-users] Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

Ray ray at renegade.zapto.org
Fri Aug 17 06:27:23 UTC 2012


Am 16.08.2012 20:16, schrieb Stephen Ingram:
> On Thu, Aug 16, 2012 at 10:27 AM, Ray <ray at renegade.zapto.org> wrote:
>> Am 16.08.2012 19:03, schrieb Stephen Ingram:
>>
>>> On Thu, Aug 16, 2012 at 9:33 AM, Ray <ray at renegade.zapto.org> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I posted this before without getting a response. I think the question
>>>> is super simple to answer for LDAP experts. I'll try to rephrase the
>>>> question (in case it was unclear before…)
>>>>
>>>> I've been googling quite a while on this topic trying all sorts of
>>>> keyword combinations and found exactly nothing.
>>>>
>>>> LDAP appears to be commonplace, almost every server software I can
>>>> think of comes with an LDAP authentication module. The services that
>>>> use the directory may need to have different user bases (i.e. not
>>>> every Linux user needs to be an IMAP user also and not every IMAP user
>>>> should automatically be able to SSH into servers).
>>>>
>>>> What is the right way to achieve the above?:
>>>>
>>>> 1) Have separate LDAP instances running, one for IMAP, the other one
>>>> for Linux authentication. As there are some users that need both IMAP
>>>> and Linux access, some users would need to be set up twice.
>>>>
>>>> 2) Have all users in one LDAP instance, and have different sets of
>>>> attributes for IMAP and Linux authentication. Those users with IMAP
>>>> access have their IMAP attributes filled in and those with Linux
>>>> logins have their posix account settings filled with values. Some
>>>> would have both. I do not see how to assign different passwords for
>>>> the two services for this option. Is there a way?
>>>>
>>>> Are there any other options?
>>>
>>>
>>> Generally the whole purpose of using a directory server (LDAP) is to
>>> benefit from centralized and consistent configuration and
>>> authentication. As such, most setups use the same user base for
>>> everything (in your case IMAP access and shell logins). You just need
>>> to point each service (login and IMAP) to your directory and filter
>>> based on the existence of certain attributes. For example, only users
>>> with the objectclass=mailRecipient would be allowed to login to your
>>> IMAP mail store. This can easily be accomplished through the
>>> authentication system of your IMAP software (one that supports LDAP
>>> authentication).
>>>
>>> Steve
>>
>>
>> Many thanks for these insights, Steve!
>>
>> There are two more questions I have:
>>
>> * Is mailRecipient defined somewhere (schema?) or are these
>> objectClasses free for me to choose?
>
> mailRecipient is already defined as part of the old Netscape mail
> server schemas. I'm not sure if it's included in the default 389ds or
> not. Ultimately, you can roll your own schemas; however, it is not
> always an easy task, and thus it is many times easier to use an already
> available schema.

Ok, I see. Rich: also thanks for your reply on this.

>> * Is there a way to have separate passwords for IMAP? Specifically I
>> would like to run Cyrus-imap.
>
> No, there can only be one userpassword attribute. Out of curiosity,
> why would you want your users to have to use different passwords for
> each service? That sort of disposes of the whole idea of using LDAP
> auth to begin with. And, yes, Cyrus-IMAP works perfectly with LDAP
> authentication.

Steve & Rich:

I prefer different passwords because of security concerns: If a user 
(with both IMAP and SSH access) hacks his/her mail password into a 
compromised box (keylogger, for instance, internet café…), then the 
expected damage would be limited to the mail account only. If the same 
password works for SSH also, then it's possible to screw up all files of 
that user; worse even, if there is some rights-elevation bug around at 
the time, then the entire box might be at risk.

Getting a second set of userpassword attributes then either would 
require me to run a second instance, or I would have to resort to the 
likes of sasldb for the mail side of things…

Would there be a way to patch some schema file with an extra password 
attribute ("mailuserpassword")? I have absolutely no clue about schema 
writing though… is there something you can recommend me to read (book, 
website, …) on this topic?

Cheers,
Ray
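The following is an added example, not code from the thread or from 389 DS: an in-memory model of the single-user-base arrangement Steve describes, where each service picks out its own users with an LDAP-style filter on objectClass while one userPassword attribute serves every service. The three entries, their passwords, the two per-service filters and the {SSHA} storage scheme are all constructed assumptions; nothing here talks to a real directory.

```python
"""Added example, not from the 389-users thread: an in-memory model of the
single-user-base setup Steve describes.  Each service selects its own users
with an LDAP-style filter on objectClass, while one userPassword attribute
serves every service.  All entries, names and password values are constructed.
"""
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Build an {SSHA} value in the RFC 2307 form 389 DS uses by default."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a clear-text password against one {SSHA} userPassword value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed entries standing in for ou=People.  Values are lists because
# LDAP attributes are multi-valued; alice belongs to both user bases.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"],
        "objectClass": ["top", "person", "posixAccount", "mailRecipient"],
        "uidNumber": ["1001"], "homeDirectory": ["/home/alice"],
        "mail": ["alice@example.com"],
        "userPassword": [ssha_hash("alice-secret")],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": ["bob"],
        "objectClass": ["top", "person", "mailRecipient"],
        "mail": ["bob@example.com"],
        "userPassword": [ssha_hash("bob-secret")],
    },
    "uid=carol,ou=People,dc=example,dc=com": {
        "uid": ["carol"],
        "objectClass": ["top", "person", "posixAccount"],
        "uidNumber": ["1002"], "homeDirectory": ["/home/carol"],
        "userPassword": [ssha_hash("carol-secret")],
    },
}

# Per-service search filters (assumed configuration, one per consumer).
# A real service must RFC 4515-escape the uid before substituting it.
SERVICE_FILTER = {
    "imap": "(&(objectClass=mailRecipient)(uid=%s))",
    "ssh": "(&(objectClass=posixAccount)(uid=%s))",
}


def _components(s):
    """Split '(a=b)(c=d)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """Evaluate the filter subset used here: equality plus &, | and !."""
    body = flt[1:-1]
    if body[0] in "&|!":
        subs = [matches(entry, p) for p in _components(body[1:])]
        return {"&": all, "|": any, "!": lambda x: not x[0]}[body[0]](subs)
    attr, _, value = body.partition("=")
    present = [v.lower() for k, vs in entry.items()
               if k.lower() == attr.lower() for v in vs]
    return value.lower() in present      # caseIgnore-style matching


def authenticate(service, uid, password):
    """Search with the service's filter, then verify the shared password."""
    hits = [e for e in DIRECTORY.values()
            if matches(e, SERVICE_FILTER[service] % uid)]
    if len(hits) != 1:
        return False        # not provisioned for this service
    return any(ssha_verify(password, h) for h in hits[0]["userPassword"])


if __name__ == "__main__":
    for uid, pw in (("alice", "alice-secret"), ("bob", "bob-secret"),
                    ("carol", "carol-secret")):
        print(uid, {s: authenticate(s, uid, pw) for s in SERVICE_FILTER})
```

Running it shows the two halves of the thread side by side: the filters do partition the user base (bob cannot reach "ssh", carol cannot reach "imap"), but for alice the one userPassword value opens both services, which is exactly the exposure Ray describes when a mail password is typed into a compromised machine. Restricting *who* may use a service is a filter question; giving the same person a different credential per service is not something a single userPassword attribute can express.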


