ActiveSync credential separation and disabled users
Onno Hensgen
onno.hensgen at aquaduna.com
Sat Feb 9 21:34:40 CET 2013
> If the use-case is a hosted environment where individuals only get
> their own basic @hotmail.com-style mailbox (and no sharing folders
> between users is required), then an NGINX proxy in front of a bunch of
> standalone IMAP servers would do the trick.
>
> If the use-case is to host all employees' mailboxes for a large
> organization, it is clear that one Cyrus IMAP server may not suffice.
> But, since one employee should be able to share its folders with any
> other employee, and since that other employee very likely has its
> mailbox on a different Cyrus IMAP server, one would need to run a Cyrus
> IMAP Murder (of any kind of topology) in order to make sure that the
> client IMAP connection is proxied to the IMAP server that the targeted
> folder resides on (and not merely the IMAP server the user's INBOX
> resides on).
I played with NGINX over the last day and found out that it allows defining the IMAP server to use on a per-user basis. You can use an attribute like mailHost in the LDAP directory to choose the correct server.
But as far as I understand, that only allows one to transparently scale horizontally, but still no sharing of folders between servers, right?
If one can live with the disadvantages (we, for example, won't need to scale for a long time; we have 25 users right now...), I found the NGINX stuff pretty straightforward to configure. On the other hand, I never tried the Cyrus Murder deployment. But as far as I can tell, the charm of the NGINX solution for me is that I do not have to touch the existing IMAP server in any way to achieve what I want.
> (&(objectClass=kolabInetOrgPerson)(nsRoleDn=cn=external-imap-user,dc=example,dc=org))
>
> I think the means to achieve what you want are readily available in the
> form of roles.
Nice! That's much easier and I can configure it with kolab-webadmin. Thanks!
> I would definitely appreciate your notes and thoughts!
I started documenting my progress and published it here for now. I also wrote a bit about our use-case and deployment.
https://server.hensgen.net/docs/Kolab3-nginx
>>> Said IMAP frontend(s) - you would hit these specifically from the
>>> ActiveSync web-servers only - can use a different LDAP attribute
>>> (than
>>> userPassword) using a fast_bind(), or not use LDAP at all (and
>>> instead
>>> do sasldb2, or SQL, or ...).
The IMAP proxy works now and respects the user roles. I'm looking for how I can tell syncroton to use that IMAP proxy (same host, different port). I found some stuff in /usr/share/kolab-syncroton, but the config files are shared with Roundcube mail. So is it safe to use an actual copy of the config and change
$rcmail_config['default_port'] = 143;
in main.inc.php?
Or is there a more elegant way?
Kind regards,
Onno
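
An added example, not code from this thread or from the Kolab or NGINX projects: the decision logic of an nginx mail-proxy `auth_http` endpoint that checks a proxy-only secret and the `external-imap-user` role, then picks the backend from `mailHost`, as discussed in the message above. The directory entries, the `proxy_hash` field, the secrets, the address map and backend port 143 are constructed assumptions standing in for LDAP and DNS lookups.

```python
import hashlib
import hmac

# Role DN taken from the LDAP filter quoted in the thread.
REQUIRED_ROLE = "cn=external-imap-user,dc=example,dc=org"

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

# Constructed entries standing in for LDAP search results. "proxy_hash" is a
# hypothetical proxy-only credential, kept separate from userPassword.
DIRECTORY = {
    "alice@example.org": {"mailHost": "imap1.example.org",
                          "nsRoleDn": [REQUIRED_ROLE],
                          "salt": b"salt-a", "proxy_hash": _kdf("sync-secret-a", b"salt-a")},
    "bob@example.org": {"mailHost": "imap2.example.org",
                        "nsRoleDn": [],  # role removed: must be refused
                        "salt": b"salt-b", "proxy_hash": _kdf("sync-secret-b", b"salt-b")},
}
# Constructed name-to-address map standing in for DNS: nginx only accepts an
# IP address in Auth-Server, while mailHost usually holds a host name.
BACKENDS = {"imap1.example.org": "192.0.2.11", "imap2.example.org": "192.0.2.12"}

# One answer for every failure, so a missing role, a wrong secret and an
# unknown user cannot be told apart by the client.
DENY = {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

def auth_http(headers, directory=DIRECTORY, backends=BACKENDS):
    """Return the response headers for one nginx auth_http request."""
    if headers.get("Auth-Protocol") != "imap":
        return dict(DENY)
    entry = directory.get(headers.get("Auth-User", "").lower())
    # Run the KDF for unknown users too, so timing does not reveal who exists.
    salt = entry["salt"] if entry else b"no-such-user"
    expected = entry["proxy_hash"] if entry else bytes(32)
    secret_ok = hmac.compare_digest(_kdf(headers.get("Auth-Pass", ""), salt), expected)
    if not (entry and secret_ok):
        return dict(DENY)
    roles = [r.lower() for r in entry["nsRoleDn"]]
    backend_ip = backends.get(entry["mailHost"])
    if REQUIRED_ROLE not in roles or backend_ip is None:
        return dict(DENY)
    # Port 143 is an assumed backend IMAP port.
    return {"Auth-Status": "OK", "Auth-Server": backend_ip, "Auth-Port": "143"}
```

Because the role is evaluated on every login, removing it from a user in the directory cuts off proxy access without touching the backend IMAP server.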