Cyrus ACL Query and Mulberry
Earl R Shannon
Earl_Shannon at ncsu.edu
Wed May 21 13:59:27 EDT 2003
Hello,
We do this by revoking the ability to authenticate. We use Kerberos and
expire their password. This prevents them from accessing anything that
uses Kerberos to authenticate, but generally if you need to revoke email
access you want to revoke ALL access. Works for us at least.
If possible I'd suggest you go a similar route.
Regards,
Earl Shannon
--
Systems Programmer, Unix Systems, Information Technology Division
North Carolina State University
ph: (919)-515-5480
http://www.earl.ncsu.edu
Lee Cashmore wrote:
> We are running Cyrus 2.1.11 and have 3000+ users on the system. We get
> requests from time to time to deny some students access to their email
> for misuse of the system etc.....
>
> I have been modifying the ACLs on a user's account to do this but have
> hit upon a problem, an example of which is shown below:
>
>
> mailbox for a user
>
> user.fred
>
> acl permissions set on the mailbox are
>
> fred lrswipcda
>
>
> Now after reading some of the documents I came across some information
> regarding the syntax -<user> <flags> which, as I understand it, removes
> the rights given by particular flags.
>
> So to deny access I have been setting the following rights
>
> -fred lrswipcda
>
> so the rights list now looks like
>
> fred lrswipcda
> -fred lrswipcda
>
> And if I log into the server using Mulberry (our email client) as fred,
> sure enough the mailbox is reported as missing and is inaccessible.
>
> The problem is that in Mulberry (and many other clients I am sure) you
> can still right click on the INBOX and select properties and look at the
> ACLs
>
> Then if as the user I say add an ACL for the user -fred
> And then delete the ACL for the user -fred
>
> This effectively removes the lock which I had placed.
>
> Even though I would have expected the -fred to have removed admin rights
> to that mailbox. I have done further tests and even if the user has NO
> rights to the mailbox, e.g. permissions on the mailbox user.fred are:
>
> -fred lrswipcda
>
> as long as they can authenticate with a password they are able to change
> the access permissions for the mailbox regardless of any of the access
> controls set upon it.
>
> I don't know if this is a bug or just how it works. If this is how it
> works, can someone suggest a way of locking (or denying access to) a
> mailbox for a particular user?
>
> Thanks for any help
>
> Lee
>
>
>
>
>
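
The exchange above, as an added example that is not part of either message and is not Cyrus code: a simplified Python model of ACL evaluation showing why a `-fred` entry on `user.fred` does not hold while the same kind of entry locks out a non-owner. It assumes the rule in the Cyrus ACL documentation that the owner of a personal mailbox implicitly keeps "l" and "a"; the function names are hypothetical, and groups and admins are left out.

```python
# Simplified model of Cyrus IMAP rights calculation (added example, not Cyrus source).
# Assumption: the owner of a personal mailbox implicitly holds "l" and "a",
# as the Cyrus ACL documentation describes; groups and admins are not modelled.
IMPLICIT_OWNER_RIGHTS = set("la")


def owner_of(mailbox):
    """user.fred and user.fred.Sent both belong to fred; other names have no owner."""
    parts = mailbox.split(".")
    return parts[1] if len(parts) >= 2 and parts[0] == "user" else None


def effective_rights(mailbox, acl, user):
    """acl maps identifier -> rights string; a "-" prefix marks negative rights."""
    granted = set(acl.get(user, ""))
    denied = set(acl.get("-" + user, ""))
    rights = granted - denied
    if owner_of(mailbox) == user:
        rights |= IMPLICIT_OWNER_RIGHTS  # applied regardless of the ACL entries
    return rights


def set_acl(mailbox, acl, actor, identifier, rights):
    """Model of SETACL issued by `actor`; requires "a". Empty rights deletes the entry."""
    if "a" not in effective_rights(mailbox, acl, actor):
        raise PermissionError(f"{actor} lacks 'a' on {mailbox}")
    new_acl = dict(acl)
    if rights:
        new_acl[identifier] = rights
    else:
        new_acl.pop(identifier, None)
    return new_acl


if __name__ == "__main__":
    # Constructed ACL matching the state described in the quoted message.
    locked = {"fred": "lrswipcda", "-fred": "lrswipcda"}
    print("locked:  ", sorted(effective_rights("user.fred", locked, "fred")))
    # The owner still holds "a", so removing the negative entry succeeds.
    unlocked = set_acl("user.fred", locked, "fred", "-fred", "")
    print("unlocked:", sorted(effective_rights("user.fred", unlocked, "fred")))
```

In this model the owner's "a" right survives any negative entry, so the lock has to sit outside the ACL, as with the expired Kerberos password described in the reply.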