IMAP account without login account ? (separate authentication file ?)

IMAP account without login account ? (separate authentication file ?)

Post by Doug Eldr » Thu, 28 May 1998 04:00:00




> Is it possible to give users mail accounts with
> IMAPd (currently using Cyrus) without giving them
> login accounts in /etc/master.password ?

> ie. Making Imapd use a separate file for user
> authentication ?

> Thank you very much,

> chas


> access to DN is intermittent. Thank you very much,

I'm not familiar with Cyrus, but it's certainly possible to do what you
want.  Our "IntraStore Server" does just that, for both POP and IMAP
users; authentication is done via X.500.  In fact we DISCOURAGE having
"real" user accounts on the mail server, except for the admin types.

Doug

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Lyndon Nerenber » Thu, 28 May 1998 04:00:00



> Is it possible to give users mail accounts with
> IMAPd (currently using Cyrus) without giving them
> login accounts in /etc/master.password ?

If you're only using plaintext LOGIN you can do this quite easily
by replacing the getpwnam()/crypt() calls in pwcheck with your
own routines.

--lyndon

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Jan L. Peterson » Thu, 28 May 1998 04:00:00


We did exactly that at my former company.  We hacked the pwcheck
daemon to use a dbm file separate from the system password.  This file
was maintained through a CGI interface, so we could delegate account
maintenance (creation, deletion, password changes, etc) to department
managers in various locations.

The only "real" accounts on the system were for the technical staff.

This was with Cyrus on a FreeBSD box.  Worked great.

        -jan-
--
Jan L. Peterson         PartNET                    tel. +1 801 581 1118
Senior Systems Admin    423 Wakara Way, Suite 216  fax  +1 801 581 1785

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Martin Kraft » Fri, 29 May 1998 04:00:00



> Is it possible to give users mail accounts with
> IMAPd (currently using Cyrus) without giving them
> login accounts in /etc/master.password ?

This was exactly what I wanted, and the reason why I decided to install
cyrus. Meanwhile I understood that the only way to
keep mailbox users out of the system user database is to use Kerberos
authentication. Probably this would be a good decision for everyone, but:

Since I never configured or even used Kerberos, I gave up and
entered the mail users into the passwd database. No shell, no
home directory.

Besides that, cyrus works well for us.

Martin Kraft

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Lyndon Nerenber » Sat, 30 May 1998 04:00:00



> This was exactly what I wanted. And the reason why I decided to install
> cyrus. Meanwhile I understood, that the only way to
> keep mailbox users out of the system user database, is to use Kerberos
> authentication. Probably this would be a good decision for everyone, but:

Go into pwcheck and replace the calls to getpwnam() with your own
routine that looks things up in a private password-style file.

Alternatively, if you're willing to spend a few $$$, our server
(Simeon) has its own "blackbox" account database that works
with the SASL CRAM-MD5 and PLAIN mechanisms, and plaintext LOGIN.

> Since I never configured or even used Kerberos, I gave up and
> entered the mail users into the passwd database. No shell, no
> home directory.

Kerberos is a bit scary to set up the first time. Once you've done it
once, though, it's not that bad. (We have quite a few customer sites
where we helped set up a Kerberos infrastructure, and showed them how
to maintain it.)

--lyndon
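Lyndon's suggestion here and Jan's dbm-backed pwcheck earlier in the thread amount to the same change: swap the getpwnam()/crypt() step for a lookup in a private credential store that has nothing to do with the system password file. The following is an added example written for this page, not code from the Cyrus pwcheck daemon or from any poster. It uses a constructed colon-separated file format (`username:pbkdf2_sha256$iterations$salt$digest`) and PBKDF2-SHA256 in place of crypt(); the file layout, the `Entry` record and every function name are this example's own assumptions.

```python
"""Private password-file verifier: a stand-in for the getpwnam()/crypt()
step of a pwcheck-style daemon. Example code, not Cyrus's pwcheck."""
import hashlib
import hmac
import os
from typing import Dict, NamedTuple

# Hypothetical record layout for the private file (constructed for this example):
#   username:pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
_DUMMY_SALT = b"\x00" * 16  # used only to keep unknown-user timing close to wrong-password timing


class Entry(NamedTuple):
    username: str
    iterations: int
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash replacing crypt() in this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_entry(username: str, password: str, iterations: int = ITERATIONS) -> str:
    """Produce one line for the private file (what an admin CGI would write)."""
    if not username or ":" in username or "\n" in username:
        raise ValueError("invalid username")
    salt = os.urandom(16)
    digest = hash_password(password, salt, iterations)
    return f"{username}:{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_passwd_file(text: str) -> Dict[str, Entry]:
    """Parse the private file into a username -> Entry map.

    Malformed lines are skipped rather than partially accepted, so a corrupt
    line can never turn into an entry with an empty or wildcard digest."""
    db: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            username, spec = line.split(":", 1)
            algo, iters, salt_hex, digest_hex = spec.split("$")
            if algo != ALGORITHM:
                raise ValueError(f"unsupported algorithm {algo!r}")
            db[username] = Entry(username, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
        except ValueError:
            continue
    return db


def check_password(db: Dict[str, Entry], username: str, password: str) -> bool:
    """The check a pwcheck daemon would call in place of getpwnam()/crypt().

    Returns True only for a known user with a matching password. An empty
    password is rejected outright, and the comparison is constant-time."""
    if not password:
        return False
    entry = db.get(username)
    if entry is None:
        # Do the same amount of work as for a real user so the reply time
        # does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT, ITERATIONS)
        return False
    candidate = hash_password(password, entry.salt, entry.iterations)
    return hmac.compare_digest(candidate, entry.digest)


if __name__ == "__main__":
    # Constructed sample file: two mail-only users and one corrupt line.
    sample = "\n".join([
        "# mail users; none of these exist in /etc/passwd",
        make_entry("chas", "correct horse"),
        "this line is corrupt and must be ignored",
        make_entry("jan", "s3cret"),
    ])
    users = parse_passwd_file(sample)
    for user, pw in [("chas", "correct horse"), ("chas", "wrong"), ("nobody", "x"), ("jan", "")]:
        print(f"{user!r}/{pw!r}: {'OK' if check_password(users, user, pw) else 'REJECT'}")
```

In the real daemon the system-account lookup would simply be replaced by `parse_passwd_file` (read once, reloaded on change) and `check_password`; the rest of pwcheck, including its socket protocol to imapd, stays untouched. The two details worth keeping from this example are the constant-time digest comparison and the refusal to short-circuit on an unknown user, since both are cheap and close the usual side channels in a home-grown checker.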

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Tim Showalte » Sat, 30 May 1998 04:00:00



> Date: 29 May 1998 11:38:49 -0600

> Alternatively, if you're willing to spend a few $$$, our server
> (Simeon) has its own "blackbox" account database that works
> with the SASL CRAM-MD5 and PLAIN mechanisms, and plaintext LOGIN.

Incidentally, if anyone knows of a freely available blackbox account
database, I'd like to know about it.  Lots of people are unhappy with
the /etc/passwd support -- they, quite reasonably, want to put the
password database somewhere else -- but this code shouldn't be a part of
Cyrus.

If anyone is interested in setting up something else, or has done so and
is willing to package up and distribute the code (freely), please let me
know.

(Or you could send Esys money.  That works, too. :-))

--

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by John Frien » Sat, 30 May 1998 04:00:00




> > Date: 29 May 1998 11:38:49 -0600

> > Alternatively, if you're willing to spend a few $$$, our server
> > (Simeon) has its own "blackbox" account database that works
> > with the SASL CRAM-MD5 and PLAIN mechanisms, and plaintext LOGIN.

> Incidentally, if anyone knows of a freely available blackbox account
> database, I'd like to know about it.  Lots of people are unhappy with
> the /etc/passwd support -- they, quite reasonably, want to put the
> password database somewhere else -- but this code shouldn't be a part of
> Cyrus.

> If anyone is interested in setting up something else, or has done so and
> is willing to package up and distribute the code (freely), please let me
> know.

Couldn't you use the University of Michigan LDAP server (code is available),
an LDAP SDK (code is available) for talking to the server and use LDAP as
your user database?  Once you've done that, you can then leverage this with
as many other applications as you wish.

In essence, this is the way all of Netscape's servers work.  It's an
open standard; it's scalable, replicable and straightforward to manage.

--John

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Clayton Donley » Sat, 30 May 1998 04:00:00


Actually, as far as LDAP, we used a 'pwcheck-ldap' type thing to do
basically this.  An example implementation of this is at
http://www.wwa.com/~donley/.  We eventually moved to Netscape Messaging
server, which also allows us to use LDAP for authentication and access
control.

The actual patch that we used is not the one posted, but is somewhat
similar.  A better way to implement this functionality would be to have
the pwcheck daemon do the following.

- Check for Null password (NULL passwords succeed as a reference bind)
- Search for DN using UID (filter might include checking for the
        current hostname in a 'mailhost' attribute)
- Bind to LDAP server using DN and Password Specified
- On Successful bind, login correct...

Thus, you are actually having the LDAP server validate a person's
password, with the mail server simply verifying that your mail is
actually on the server you connected and that you can correctly bind to
the LDAP server.

This would basically allow all users to be administered in an LDAP
directory.  Simply set their password and mailhost information in LDAP.

You would still need to create the mailbox and set permissions, but this
is relatively easy to do with Cyrus using IMAP.

As for security, some servers (Netscape) support SSL and many LDAPv3
servers will eventually start supporting TLS (next version of SSL).

Clayton



> > Incidentally, if anyone knows of a freely available blackbox account
> > database, I'd like to know about it.  Lots of people are unhappy with
> > the /etc/passwd support -- they, quite reasonably, want to put the
> > password database somewhere else -- but this code shouldn't be a part of
> > Cyrus.

> > If anyone is interested in setting up something else, or has done so and
> > is willing to package up and distribute the code (freely), please let me
> > know.

> Couldn't you use the University of Michigan LDAP server (code is available),
> an LDAP SDK (code is available) for talking to the server and use LDAP as
> your user database?  Once you've done that, you can then leverage this with
> as many other applications as you wish.

> In essence, this is the way all of Netscape's servers work.  It's an
> open standard; it's scalable, replicable and straightforward to manage.

> --John
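The four pwcheck steps Clayton lists above, as an added worked example that is not part of his post or of any real pwcheck-ldap patch. No directory is available here, so `FakeLdapServer` is a constructed stand-in that models only the two behaviours the steps depend on: a search by uid and a simple bind, where an empty password is accepted as an anonymous bind (the reference-bind behaviour the first step exists to guard against). The attribute names `uid` and `mailhost` come from the post; `userPassword`, the DN layout, the sample entries and all function names are this example's own assumptions. A second function with the null-password check left out is included so the effect of skipping step 1 is visible.

```python
"""Bind-based LDAP password check in the shape of Clayton's four steps.
Example code with a fake directory; not a real LDAP client or Cyrus code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Attrs = Dict[str, List[str]]


@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory server (this example's own fake).
    `userPassword` is held in the clear here only so bind() can compare it;
    a real server keeps it hashed and never hands it back."""
    entries: Dict[str, Attrs] = field(default_factory=dict)  # dn -> attributes

    def search_uid(self, uid: str) -> List[Tuple[str, Attrs]]:
        """Models a (uid=<uid>) subtree search returning (dn, attributes)."""
        return [(dn, attrs) for dn, attrs in self.entries.items() if uid in attrs.get("uid", [])]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind. An empty password is an anonymous bind and succeeds
        regardless of the DN: exactly the case step 1 must catch."""
        if password == "":
            return True
        attrs = self.entries.get(dn)
        return attrs is not None and password in attrs.get("userPassword", [])


def pwcheck_ldap(server: FakeLdapServer, uid: str, password: str, this_host: str) -> bool:
    """Return True only if `uid` has mail on `this_host` and `password` binds as its DN."""
    # Step 1: null password. Without this, the bind below would be anonymous
    # and succeed, letting anyone in as any user.
    if not password:
        return False
    # Step 2: find the DN by uid; insist on exactly one match, and require the
    # entry's mailhost to name this server so users homed elsewhere are refused.
    matches = server.search_uid(uid)
    if len(matches) != 1:
        return False
    dn, attrs = matches[0]
    if this_host not in attrs.get("mailhost", []):
        return False
    # Step 3/4: bind as that DN with the supplied password; the directory, not
    # the mail server, is the one that actually verifies the password.
    return server.bind(dn, password)


def pwcheck_ldap_without_null_check(server: FakeLdapServer, uid: str, password: str, this_host: str) -> bool:
    """Same flow with step 1 omitted, kept here only to show the failure mode."""
    matches = server.search_uid(uid)
    if len(matches) != 1:
        return False
    dn, attrs = matches[0]
    if this_host not in attrs.get("mailhost", []):
        return False
    return server.bind(dn, password)


def build_demo_directory() -> FakeLdapServer:
    """Constructed sample directory: two mail users homed on different servers."""
    return FakeLdapServer(entries={
        "uid=chas,ou=people,dc=example,dc=com": {
            "uid": ["chas"], "userPassword": ["correct horse"], "mailhost": ["imap1.example.com"]},
        "uid=jan,ou=people,dc=example,dc=com": {
            "uid": ["jan"], "userPassword": ["s3cret"], "mailhost": ["imap2.example.com"]},
    })


if __name__ == "__main__":
    srv = build_demo_directory()
    host = "imap1.example.com"
    for uid, pw in [("chas", "correct horse"), ("chas", "wrong"), ("jan", "s3cret"), ("chas", "")]:
        print(f"{uid!r}/{pw!r} on {host}: {'OK' if pwcheck_ldap(srv, uid, pw, host) else 'REJECT'}")
    print("without null check, chas with empty password:",
          pwcheck_ldap_without_null_check(srv, "chas", "", host))
```

The ordering matters more than any single step: the null-password test has to come before the directory is touched, and the mailhost test has to come before the bind, so that a correct password for a user homed on another server still yields a refusal from this one. Against a real server the same flow would be driven by a proper LDAP client, with the uid escaped before it is placed in the search filter and the connection protected as the last paragraph of the post suggests.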

 
 
 

IMAP account without login account ? (separate authentication file ?)

Post by Tim Showalte » Tue, 02 Jun 1998 04:00:00



> Date: Fri, 29 May 1998 13:43:38 -0700

> > Incidentally, if anyone knows of a freely available blackbox account
> > database, I'd like to know about it.  Lots of people are unhappy with
> > the /etc/passwd support -- they, quite reasonably, want to put the
> > password database somewhere else -- but this code shouldn't be a part of
> > Cyrus.

> > If anyone is interested in setting up something else, or has done so and
> > is willing to package up and distribute the code (freely), please let me
> > know.

> Couldn't you use the University of Michigan LDAP server (code is available),
> an LDAP SDK (code is available) for talking to the server and use LDAP as
> your user database?  Once you've done that, you can then leverage this with
> as many other applications as you wish.

> In essence, this is the way all of Netscape's servers work.  It's an
> open standard; it's scalable, replicable and straightforward to manage.

Ok, my questions: Where is the schema for user passwords defined?  Are
they stored in cleartext?  How is it replicable?  I thought
replication and authentication were very unsolved problems in LDAPv3 --
at least, that's what the RFC says.  How does the UMich server handle
replication?  How well does the UMich server scale?  (I'm not familiar
with it.)  How does management work?

The major problem with this solution is that it is very complex and I
don't believe it solves the problem people are asking for a solution to:
a simple, secure authentication database.  But if there were a good,
secure way to do it, an implementation of it would be a good thing.

The minor problem with this is it presumably has to be sprinkled with
the SSL security pixie dust which is not something I'm fond of.  This
may simply be a matter of taste, and I'm sure I could get over it --
perhaps once TLS is in wide deployment.

--

 
 
 

1. POP accounts for users w/o login accounts

Hi.
I'd like to set up POP accounts on my server for folks who won't have
login or shell accounts. To do this, I'll need a local pop mailer that
can deliver mail to a user defined somewhere other than /etc/passwd
(unlike 'mail'). I've already got the POP server installed - I'm just
lacking this one piece. Anyone know where I might find this? I've heard
of something called 'spop' which comes as part of the MH mail system.
Any ideas? Thanks.

**************************
Mark Kidwell                            

Arizona State University
**************************
