cyrus authorization identifier trick
Andrew Morgan
morgan at orst.edu
Fri Apr 20 16:12:40 EDT 2007
On Thu, 19 Apr 2007, Nestor A. Diaz wrote:
> Andrew Morgan wrote:
>> Easy. When you want to look at another user's mail, just modify the
>> permissions on their mailbox. You can do this with cyradm like so:
>>
>> sam user.foo adminuser all
>>
>> We use a Perl script that does this recursively for each folder that
>> belongs to a specific user, and a second script that recursively removes the
>> permission when we are finished.
>>
>> After granting these permissions, you'll see the user's mailbox in your
>> IMAP namespace as "Other Users.foo".
> OK, that's clear to me, but since I am going to have a huge mailstore I
> don't like the idea of the person having to subscribe to each user's mailbox,
> or modifying the user's mailbox ACL each time the person wants to access data,
> so as an easy way I was thinking of using SASL as a helper. If that's not
> possible, what I am thinking of creating at first is that when the admin
> (who is really a supervisor with just read privileges) wants to see other
> users' mailboxes, he just opens a web application that asks for his password;
> if validation is OK, it then asks for the mailbox he wants to see and
> recursively changes permissions. This way the supervisor can see what other
> users have in their mailboxes without using the cyradm command line.
You don't want to have these permissions set for all users, continuously.
It is also a bad idea to have any of your Cyrus admin users (ones defined
in imapd.conf as admins) have mailboxes.
Your idea of using a web page to temporarily grant access sounds like a
reasonable idea to me.
Andy
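
Added example, not part of the original message or the posters' own scripts: one way the web application discussed above could grant a supervisor access to every folder of one user for the length of a session and guarantee the ACL is removed afterwards, using Python's imaplib calls `list`, `setacl` and `deleteacl`. It assumes the default Cyrus namespace (`user.foo`, `.` as separator) and grants `lrs` rather than `all`, since the supervisor only needs to read; the names `temporary_access`, `mailbox_tree` and the user-name pattern are hypothetical.

```python
import re
from contextlib import contextmanager

READ_ONLY = "lrs"  # lookup, read, seen: what cyradm's "read" shorthand expands to
_LIST_RE = re.compile(rb'\(.*?\) (?:"[^"]*"|NIL) (.+)')
# Assumed user-name policy: no wildcards (* %), dots or quotes, so the value
# typed into the web form cannot widen the LIST pattern to other users.
_USER_RE = re.compile(r"[A-Za-z0-9_-]+")

def _q(name):
    """Quote a mailbox name for imaplib, which sends arguments as given."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def mailbox_tree(conn, user):
    """Return user.<user> and every folder below it from an admin LIST."""
    if not _USER_RE.fullmatch(user):
        raise ValueError(f"refusing unsafe user name: {user!r}")
    names = []
    for pattern in (f"user.{user}", f"user.{user}.*"):
        typ, data = conn.list('""', _q(pattern))
        if typ != "OK":
            raise RuntimeError(f"LIST {pattern} failed: {data!r}")
        for line in data:  # imaplib returns [None] when nothing matched
            m = _LIST_RE.match(line) if isinstance(line, bytes) else None
            if m:
                names.append(m.group(1).decode().strip('"'))
    return names

@contextmanager
def temporary_access(conn, user, supervisor, rights=READ_ONLY):
    """Grant rights on the whole tree; revoke them however the block exits."""
    granted = []
    try:
        for mbox in mailbox_tree(conn, user):
            typ, data = conn.setacl(_q(mbox), supervisor, rights)
            if typ != "OK":
                raise RuntimeError(f"SETACL {mbox} failed: {data!r}")
            granted.append(mbox)
        yield granted
    finally:
        # Only mailboxes that were actually changed are touched, so a grant
        # that failed halfway is rolled back too.
        failed = [m for m in granted
                  if conn.deleteacl(_q(m), supervisor)[0] != "OK"]
        if failed:
            raise RuntimeError(f"ACL still set on: {failed}")

# Usage (conn is an imaplib.IMAP4_SSL already logged in as a Cyrus admin):
#     with temporary_access(conn, "foo", "supervisor") as boxes: ...
```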