more virtual domain funnyness
Christian Schulte
cs at schulte.it
Mon Dec 29 06:12:24 EST 2003
Kendrick Vargas schrieb:
> Hi folks,
>
> Ok, Igor, Ken, you both must be growing to hate me, but I'm starting to
> understand the present need for the defaultdomain paramater. I'm sorry :-)
>
> I have a question. Lets say I have a realm "example.com" and I have the
> defaultdomain paramater set to "example.com", and I also have "domain.com"
> and "otherdomain.com" on the system. Now, lets say I have "cyrus" users in
> each of those realms, and lets say I have the "admins" paramater set to
> "cyrus". Will the "cyrus" user from any of those domains be able to
> administrate the system, or will it just be the one from the default
> domain?
It should be only the unqualified cyrus user specified in the admins
line which can administrate the system. How the login of this
unqualified userid looks like is determined by defaultdomain setting and
by reverse-dns or servername. Try it out. All others are normal
mailboxes cyrus at domain without any admin rights.
>
> I'm starting to think that maybe there should be two different paramaters,
> "admins" (analogous to domain admins) and "globaladmins" (global admins)
> to allow more explicit declaration of who has which rights.
Why ? You can simply specifiy userids in the admins line. Unqualified
userids are global admins and fully-qualified userids only have admin
rights in theire domain. I do not know if "cyrus at defaultdomain" also is
a global admin...logging in as "cyrus at defaultdomain" will lead to
"defaultdomain" getting stripped, I think, so that "cyrus at defaultdomain"
in the admins line will not work with defaultdomain beeing set to
"defaultdomain" but I did not test that.
--
Christian
More information about the Info-cyrus
mailing list