ActiveSync credential separation and disabled users
Jeroen van Meeuwen (Kolab Systems)
vanmeeuwen at kolabsys.com
Fri Feb 8 14:01:02 CET 2013
On 2013-02-08 12:39, Onno Hensgen wrote:
> Hello,
>
> I read that the final version of Kolab3 supports credential
> separation for ActiveSync. How can I achieve this? Is it implemented
> yet?
>
There are two methodologies, based around the same concept.

A Cyrus IMAP frontend (or nginx proxy) can be made to authenticate the
user differently from how the main (set of) Cyrus IMAP servers do.

Said IMAP frontend(s) - you would hit these specifically from the
ActiveSync web-servers only - can use a different LDAP attribute (than
userPassword) using a fast_bind(), or not use LDAP at all (and instead
do sasldb2, or SQL, or ...). Frontends connect to IMAP backends using
proxy authorization, and so no user credentials are required further
down the line.

An alternative approach (I'm not a fan of) is to use proxy
authorization right from the start - this would avoid the need to proxy
the IMAP connection, as well as avoid the need to run a Cyrus IMAP
Murder topology, but makes a compromise in that, of course, for
day-to-day individual users' operations the use of administrative
credentials should be avoided.

> And is it possible to allow only some users the use of ActiveSync and
> disable it for some others?
>
Similarly, such a frontend can be made to only allow users of a group,
or users with a certain role, or users with a certain (set of) attribute
value(s).

Kind regards,
Jeroen van Meeuwen
--
Systems Architect, Kolab Systems AG
e: vanmeeuwen at kolabsys.com
m: +44 74 2516 3817
w: http://www.kolabsys.com
pgp: 9342 BF08
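
The first approach described in the reply above, sketched as an added Python example (not part of the original message and not Kolab or Cyrus code): a frontend checks an ActiveSync-only secret and a group allow-list, then builds the SASL PLAIN proxy-authorization response it would send to a backend. The user names, secrets, group and the `activesync-frontend` proxy identity are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _entry(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample data: ActiveSync-only secrets, stored apart from the
# main credential (userPassword), and the group allowed to use ActiveSync.
SYNC_SECRETS = {"alice": _entry("sync-only-secret"),
                "bob": _entry("bobs-device-secret")}
ACTIVESYNC_GROUP = {"alice"}  # bob has a secret but is not in the group
# Hypothetical proxy identity the frontend uses towards the IMAP backends.
PROXY_ID, PROXY_SECRET = "activesync-frontend", "constructed-proxy-secret"
_DUMMY = _entry("unused")  # keeps the unknown-user path equally expensive

def sasl_plain(authzid: str, authcid: str, password: str) -> str:
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd."""
    raw = "\0".join((authzid, authcid, password)).encode()
    return base64.b64encode(raw).decode()

def frontend_login(user: str, password: str):
    """Return the backend SASL PLAIN payload, or None if login is refused."""
    salt, stored = SYNC_SECRETS.get(user, _DUMMY)
    ok = hmac.compare_digest(stored, _hash(password, salt))
    if not ok or user not in SYNC_SECRETS:
        return None
    if user not in ACTIVESYNC_GROUP:
        return None  # valid secret, but ActiveSync is disabled for this user
    # Proxy authorization: authenticate as the frontend, authorize as the
    # user, so the user's secret is never sent to the backend.
    return sasl_plain(user, PROXY_ID, PROXY_SECRET)
```

A leaked ActiveSync secret in this model is only useful at the frontend and can be rotated without touching the main password; the proxy secret, by contrast, authorizes as any user and needs to stay on the frontend hosts.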