[Kolab-devel] [issue1579] admins in imapd.conf doesn't contain any defined administrator

Alain Spineux kolab-issues at intevation.de
Thu Jan 25 14:20:00 CET 2007


New submission from Alain Spineux <alain.spineux at gmail.com>:

The problem is that @@@cyrus-admins@@@, used for the admins field in imapd.conf.template,
is not updated with the defined administrators, maintainers or domain-maintainers!

Cyrus lets the listed admins use cyradm and sieveshell to manage user
accounts.
Cyrus knows 2 kinds of admins: GLOBAL admin and DOMAIN admin.
The difference between the two is made by the naming convention.

A GLOBAL admin, like "manager", can access any mailbox and cannot have any @ in its
name.
A DOMAIN admin, like "domain.admin@mydomain.com", can access only mailboxes in domain
"mydomain.com".

But Kolab doesn't make the difference that way; there is no naming limitation.
The webadmin could enforce this naming convention and force the UID to contain, or
not contain, a @ !
Another problem is that the webadmin lets a domain-maintainer be given management
rights for multiple domains! This is not compatible with the Cyrus limitation. A Cyrus
domain admin can manage only one domain, defined by its name!

To not lose any compatibility with the previous version I propose to fill in
@@@cyrus-admins@@@ this way:

- add any UID of an administrator or maintainer that doesn't contain any @ character
- add any domain-maintainer UID formatted "username@domain.name", if and only
if this domain-maintainer has admin rights on "domain.name" (meaning the UID is
listed as a member in "cn=domain.name,cn=domains,cn=internal,dc=asxnet,dc=loc")

To help the administrator use this feature, we could add the following
notice in the webadmin near the UID field:

For administrator and maintainer :
If you want this administrator (or maintainer) to be able to use cyradm or
sieveshell, don't insert any "@" character in its UID

For domain-maintainer:
If you want this domain-maintainer to be able to use cyradm or sieveshell for one
domain (because Cyrus IMAP lets a domain-maintainer have admin rights to only ONE
domain), end its UID with "@domain.name" where "domain.name" is the corresponding
domain name.

THE OTHER POSSIBILITY is to limit the domain-maintainer to only one domain, BUT
this will break compatibility with previous Kolab versions.

Notes: imapd.conf also includes two other fields:

       imap_admins: <none>
            A list of users that have imap admin rights, in addition to those
            listed in the admins: entry.

       sieve_admins: <none>
            A list of users that have sieve admin rights, in addition to those
            listed in the admins: entry.

These fields let us define more fine-grained security; they could be used by
adding 2 more checkboxes in the webadmin and defining 2 more groups in LDAP. But
I'm not convinced this is useful.

You can test that this is working by using cyradm and sieveshell like this:

# cyradm -u domain.maintainer@mydomain.loc localhost
IMAP Password:
fc6-eg.asxnet.loc> lm
user/me (\HasChildren)
user/me/Drafts (\HasNoChildren)
user/me/Sent (\HasNoChildren)
user/me/Trash (\HasNoChildren)
user/b1 (\HasNoChildren)
user/b2 (\HasNoChildren)
fc6-eg.asxnet.loc> quit

[root at fc6-eg trunk]# /kolab/bin/sieveshell -u b1@mydomain.loc -a domain.maintainer@mydomain.loc localhost
connecting to localhost
Please enter your password:
> list
kolab-forward.siv
kolab-vacation.siv
kolab-deliver.siv
> quit 

Thanks for reading till here :-)

----------
messages: 9455
nosy: alain.spineux at gmail.com
priority: bug
status: unread
title: admins in imapd.conf doesn't contain any defined administrator
________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://intevation.de/roundup/kolab/issue1579>
________________________________________________
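Added example (not part of the report and not Kolab's own code): the proposed rule for filling @@@cyrus-admins@@@ implemented in Python, with the Kolab administrator, maintainer and domain-maintainer UIDs and the "cn=<domain>,cn=domains,cn=internal" memberships supplied as constructed in-memory data. All function and variable names are assumptions; the report gives none.

```python
# Build the Cyrus "admins:" list from Kolab UIDs following the rule proposed in
# the report. Cyrus decides global vs. domain admin purely by the presence of an
# '@' in the name, so Kolab UIDs have to be filtered before they are written
# into imapd.conf. (Added example; names are assumptions, not Kolab code.)

GLOBAL, DOMAIN = "global", "domain"


def cyrus_admin_kind(uid):
    """Classify a UID the way Cyrus does: no '@' -> GLOBAL admin,
    otherwise a DOMAIN admin for the part after the last '@'."""
    if "@" not in uid:
        return GLOBAL, None
    return DOMAIN, uid.rpartition("@")[2]


def build_cyrus_admins(administrators, maintainers, domain_maintainers, domain_members):
    """domain_members maps a domain name to the set of UIDs listed as member of
    cn=<domain>,cn=domains,cn=internal,... . Returns (admins, skipped) where
    skipped maps each rejected UID to the reason, so the webadmin could show it."""
    admins, skipped = set(), {}
    # Rule 1: administrators and maintainers become global admins only when
    # their UID has no '@'; otherwise Cyrus would read them as domain admins.
    for uid in list(administrators) + list(maintainers):
        if cyrus_admin_kind(uid)[0] == GLOBAL:
            admins.add(uid)
        else:
            skipped[uid] = "administrator/maintainer UID contains '@'"
    # Rule 2: a domain-maintainer qualifies only for the ONE domain named in its
    # UID, and only if Kolab actually grants that domain to this maintainer.
    for uid in domain_maintainers:
        kind, domain = cyrus_admin_kind(uid)
        if kind != DOMAIN:
            skipped[uid] = "domain-maintainer UID has no '@domain.name' suffix"
        elif uid not in domain_members.get(domain, set()):
            skipped[uid] = "not a member of cn=%s,cn=domains,cn=internal" % domain
        else:
            admins.add(uid)
    return sorted(admins), skipped


def render_admins_line(admins):
    """The line substituted for @@@cyrus-admins@@@ in imapd.conf.template."""
    return "admins: " + " ".join(admins)


# Constructed sample data standing in for the LDAP directory.
ADMINS = ["manager", "joe@example.org"]                 # joe is excluded: '@' in UID
MAINTAINERS = ["maint1"]
DOMAIN_MAINTAINERS = ["domain.maintainer@mydomain.loc", "dm@other.loc", "dm2@mydomain.loc"]
DOMAIN_MEMBERS = {"mydomain.loc": {"domain.maintainer@mydomain.loc"},
                  "other.loc": {"dm@other.loc", "dm2@mydomain.loc"}}  # dm2 excluded: wrong domain in UID

if __name__ == "__main__":
    ok, rejected = build_cyrus_admins(ADMINS, MAINTAINERS, DOMAIN_MAINTAINERS, DOMAIN_MEMBERS)
    print(render_admins_line(ok))
    for uid, why in rejected.items():
        print("skipped %s: %s" % (uid, why))
```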