R: admins and virtualdomains, where is authorisation enforced?

Toschi Pietro Pietro.Toschi at actalis.it
Fri Nov 9 03:53:13 EST 2007


Great!
A very useful feature in a real multidomain environment I think!
I am currently busy working on logging some IMAP events patching imapd.c. I'll enforce your patch immediately after that and let you know my results.
Thank you a lot.

P
 
-----Original Message-----
From: Alain Spineux [mailto:aspineux at gmail.com] 
Sent: Thursday, 8 November 2007 18.27
To: Toschi Pietro
Cc: info-cyrus at lists.andrew.cmu.edu
Subject: Re: admins and virtualdomains, where is authorisation enforced?

Hi, I wrote a patch for this:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2998


On Oct 1, 2007 11:29 AM, Toschi Pietro <Pietro.Toschi at actalis.it> wrote:
>
> Hi list,
>
> I have a cyrus 2.3.9 test server with two virtual domains: aa.it and bb.it.
> Having "virtualdomains: yes", I've experimented with "admins" directive and
> I've added one account:
>
> "admins: cyrus user01 at aa.it "
>
> After a cyrus-imapd restart I've tried using imtest:
>
>
>
> [root at olimpo ~]# imtest -a utente01 at aa.it -w password -u utente02 at bb.it -v
> localhost
>
> S: * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR] olimpo
> Cyrus IMAP4 v2.3.9-Invoca-RPM-2.3.9-3 server ready
>
> C: C01 CAPABILITY
>
> S: * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID AUTH=PLAIN SASL-IR ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH
>
> S: C01 OK Completed
>
> C: A01 AUTHENTICATE PLAIN
> dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE=
>
> S: A01 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL
> RIGHTS=kxte QUOTA NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE CATENATE CONDSTORE IDLE LISTEXT LIST-SUBSCRIBED X-NETSCAPE
> URLAUTH] Success (no protection)
>
> Authenticated.
>
> Security strength factor: 0
>
>
> I expected some authorization-related error message, but instead
> user01 at aa.it was able not only to authenticate (as expected, since I used
> the right credentials) but also to get authorized as user02 at bb.it, that is a
> normal user of a different domain.
>
> I expected that every "admin", in a virtualdomain environment, be able to
> manage only his or her accounts based of course on the domain part of the
> username.
>
> Is there something I missed in my config or maybe in my understanding of
> this feature?
>
> Thanks
>
> Pietro
>
> configdirectory:        /var/lib/imap
> partition-default:      /storage/mail
> admins:                 cyrus user01 at aa.it
> sievedir:               /var/lib/imap/sieve
> sendmail:               /usr/sbin/sendmail
> hashimapspool:          true
> sasl_pwcheck_method:    saslauthd
> sasl_mech_list:         PLAIN
> virtdomains:            yes
> defaultdomain:          localdomain
> unixhierarchysep:       yes



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
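
The domain-scoped rule the original question expected, as an added Python example (not Cyrus code and not the patch attached to bug 2998): it decodes the PLAIN token from the quoted transcript and evaluates the cross-domain proxy request. The function names and the `ADMINS` set, which uses the identity seen in the transcript, are assumptions.

```python
import base64

# SASL PLAIN token copied from the imtest transcript quoted above.
TOKEN = "dXRlbnRlMDJAYmIuaXQAdXRlbnRlMDFAYWEuaXQAdXRlbnRlMDE="
# Constructed admin list: a global admin plus the identity that authenticated
# in the transcript (an assumption; the posted config lists "user01").
ADMINS = {"cyrus", "utente01@aa.it"}


def parse_plain(b64):
    """Split an RFC 4616 PLAIN message into (authzid, authcid)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, _passwd = (p.decode("utf-8") for p in parts)
    # An empty authzid means "act as the authenticated identity".
    return authzid or authcid, authcid


def domain_of(userid):
    """Lower-cased domain part, or None for an unqualified id such as 'cyrus'."""
    local, sep, domain = userid.rpartition("@")
    return domain.lower() if sep and local and domain else None


def may_authorize(authcid, authzid, admins=ADMINS):
    """Hypothetical domain-scoped proxy rule: the behaviour the post expected."""
    if authzid == authcid:
        return True                 # no proxy authorization requested
    if authcid not in admins:
        return False                # only listed admins may act as others
    admin_domain = domain_of(authcid)
    if admin_domain is None:
        return True                 # unqualified admin is global
    return domain_of(authzid) == admin_domain


def check_token(b64, admins=ADMINS):
    """Return (authcid, authzid, allowed) for one PLAIN initial response."""
    authzid, authcid = parse_plain(b64)
    return authcid, authzid, may_authorize(authcid, authzid, admins)


if __name__ == "__main__":
    print(check_token(TOKEN))
```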

