"SfR Fresh" - the SfR Freeware/Shareware Archive

Member "dovecot-1.0.15/doc/wiki/Authentication.MasterUsers.txt" of archive dovecot-1.0.15.tar.gz:


As a special service "SfR Fresh" has tried to format the requested source page into HTML format using source code syntax highlighting with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. That can be also achieved for any archive member file by clicking within an archive contents listing on the first character of the file(path) respectively on the according byte size field.

Master users/passwords
======================


It's possible to configure master users who are able to log in as other users. It's also possible to directly log in as any user using a master password, although this isn't recommended.


Master users
============


There are two ways for master users to log in as other users:

 1. Give the login username in the >>SASL mechanism's<< authorization ID field. Currently only the PLAIN SASL mechanism supports this.
 2. Specify both the master username and the login username in the same username field. The usernames are separated by a string configured in the 'auth_master_user_separator' setting. UW-IMAP uses "*" as the separator, so that could be a good choice. Using "*" as the separator, the master user would log in as "login_user*master_user".
Master users are configured by adding a new >>passdb<< with the 'master=yes' setting. The users in the master passdb cannot log in as themselves, only as other people. That means they don't need to exist in the >>userdb<<, because the userdb lookup is done only for the user they're logging in as.
You should also add the 'pass=yes' setting to the master passdb if possible. It means that Dovecot verifies that the login user really exists before allowing the master user to log in. Without the setting, if a non-existing login username is given, depending on the configuration it could either return an internal login error (the userdb lookup failed) or create a whole new user (with e.g. >>static userdb<<). 'pass=yes' doesn't work with PAM, or with LDAP with 'auth_bind=yes', because both of them require knowing the user's password.
'pass=yes' is especially useful with the >>Checkpassword<< passdb because the script gets both the login and the master username as environment variables. Other passdbs see only the login username in '%u'. In the future there will probably be another setting to make the user verification be done from the userdb.
If you want master users to be able to log in as themselves, you'll need to either add the user to the normal passdb or add the passdb to 'dovecot.conf' twice, with and without 'master=yes'. Note that if the passdbs point to different locations, the user can have a different password when logging in as other users than when logging in as himself. This is a good idea since it avoids accidentally logging in as someone else.
Usually it's better to have only a few special master users that are used *only* to log in as other people. One example could be a special "spam" master user that trains the users' spam filters by reading the messages from the users' spam mailboxes.


Example configuration
=====================



---%<-------------------------------------------------------------------------
auth_master_user_separator=*
auth default {
  passdb passwd-file {
    args = /etc/dovecot/passwd.masterusers
    master = yes
    pass = yes
  }
  passdb shadow {
  }
  userdb passwd {
  }
}
---%<-------------------------------------------------------------------------

Where the 'passwd.masterusers' file would contain the master usernames and passwords:

---%<-------------------------------------------------------------------------
admin:{SHA1}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
admin2:{SHA1}i+UhJqb95FCnFio2UdWJu1HpV50=
---%<-------------------------------------------------------------------------

One way to create this master file is to use Apache's htpasswd program as follows:

---%<-------------------------------------------------------------------------
htpasswd -b -c -s passwd.masterusers user password
---%<-------------------------------------------------------------------------

Note that 'htpasswd -s' writes the hash with a {SHA} prefix rather than {SHA1}; Dovecot treats the two as the same scheme. '-c' creates the file (and overwrites an existing one), and '-b' takes the password from the command line, where other users can see it in the process list and where it may end up in your shell history; omit '-b' to be prompted for the password instead. Keep the file's permissions tight: a master user's password grants access to every mailbox.
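The same file can be produced without a command-line password, and with a salted scheme. The following is an added example written for this page, not code from the Dovecot project or from htpasswd; it assumes the scheme layouts {SHA1} = base64(sha1(password)) and {SSHA} = base64(sha1(password + salt) + salt), and the file name 'passwd.masterusers' from the configuration above.

```python
import base64
import hashlib
import hmac
import os

# Added example, not part of Dovecot. Produces passwd-file lines for a master
# passdb without putting the password on a command line. Assumed layouts:
# {SHA1} = base64(sha1(pw)), {SSHA} = base64(sha1(pw + salt) + salt).


def sha1_scheme(password):
    """Unsalted, like the admin lines above and htpasswd -s ({SHA} prefix)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA1}" + base64.b64encode(digest).decode("ascii")


def ssha_scheme(password, salt=None):
    """Salted: two master users with the same password get different lines,
    and precomputed SHA-1 tables do not apply. A fixed salt is for tests only."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, password):
    """Check a candidate password against a {SHA}/{SHA1}/{SSHA} field,
    using a constant-time comparison."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("expected a {SCHEME}hash field")
    scheme, encoded = stored[1:].split("}", 1)
    raw = base64.b64decode(encoded)
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme in ("SHA", "SHA1"):
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme " + scheme)


def passwd_file_lines(entries, scheme="SSHA"):
    """entries: iterable of (user, password). Returns 'user:{SCHEME}hash' lines."""
    make = {"SHA1": sha1_scheme, "SSHA": ssha_scheme}[scheme]
    lines = []
    for user, password in entries:
        if ":" in user or not user:
            raise ValueError("passwd-file user names cannot be empty or contain ':'")
        lines.append(f"{user}:{make(password)}")
    return lines


def write_passwd_file(path, entries, scheme="SSHA"):
    """Create the file with mode 0600 from the start, so the hashes are never
    world-readable even briefly; chown it to the auth user afterwards if needed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(passwd_file_lines(entries, scheme)) + "\n")


if __name__ == "__main__":
    import getpass
    name = input("master user name: ")
    write_passwd_file("passwd.masterusers", [(name, getpass.getpass("password: "))])
```

Run it interactively to append one master user; the password is read with getpass, so it never appears in the process list or the shell history.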


SQL Example
===========


The master passdb doesn't have to be passwd-file, it could be an SQL query as well:

---%<-------------------------------------------------------------------------
auth_master_user_separator=*
auth default {
  passdb sql {
    args = /etc/dovecot/dovecot-sql-master.conf
    master = yes
    pass = yes
  }
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
}
---%<-------------------------------------------------------------------------

'dovecot-sql-master.conf' would contain all the normal connection settings and a 'password_query':

---%<-------------------------------------------------------------------------
password_query = SELECT password FROM users WHERE userid = '%u' and master_user = true
---%<-------------------------------------------------------------------------



Testing
=======



---%<-------------------------------------------------------------------------
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
1 login loginuser*masteruser masterpass
1 OK Logged in.
---%<-------------------------------------------------------------------------

If you had any problems, set 'auth_debug=yes' and look at the logs.
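The two login forms from the "Master users" section and the telnet test above, modelled in Python as an added example (this is not code from the Dovecot project). It assumes the separator "*" from 'auth_master_user_separator=*', the names loginuser/masteruser/masterpass from the test above, and dict stand-ins for the master and normal passdbs; the 'pass=yes' model only shows the decision flow the text describes, not Dovecot's internals.

```python
import base64
import hmac

# Added example, not Dovecot's code. Assumed: separator "*" as configured by
# auth_master_user_separator=*; SASL PLAIN layout per RFC 4616
# (authzid NUL authcid NUL password); dict-based passdb stand-ins.
SEPARATOR = "*"


def sasl_plain_message(login_user, master_user, master_password):
    """Method 1: SASL PLAIN carries the login user as the authorization
    identity and the master user as the authentication identity."""
    for field in (login_user, master_user, master_password):
        if "\0" in field:
            raise ValueError("NUL is the field delimiter and cannot appear in a field")
    raw = "\0".join((login_user, master_user, master_password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(message):
    """Server side of method 1. An empty authzid means 'log in as the
    authenticating user', so it falls back to authcid."""
    parts = base64.b64decode(message).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must have exactly three fields")
    authzid, authcid, password = parts
    return authzid or authcid, authcid, password


def imap_authenticate_exchange(tag, login_user, master_user, master_password):
    """The IMAP AUTHENTICATE PLAIN exchange as (sender, line) pairs: the
    server's '+ ' continuation asks for the base64 message."""
    return [
        ("C", f"{tag} AUTHENTICATE PLAIN"),
        ("S", "+ "),
        ("C", sasl_plain_message(login_user, master_user, master_password)),
    ]


def imap_quote(s):
    """IMAP quoted string. '*' is a list wildcard, so the joined name is
    quoted here rather than sent as a bare atom as in the telnet test."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def imap_login_line(tag, login_user, master_user, master_password, separator=SEPARATOR):
    """Method 2: both names in the username field of LOGIN."""
    return f"{tag} LOGIN {imap_quote(login_user + separator + master_user)} {imap_quote(master_password)}"


def split_master_login(username, separator=SEPARATOR):
    """Server side of method 2 (this model splits at the first separator).
    Returns (login_user, master_user); master_user is None for an ordinary login."""
    if separator and separator in username:
        login_user, master_user = username.split(separator, 1)
        return login_user, master_user
    return username, None


def master_login_decision(login_user, master_user, master_password,
                          master_passdb, normal_passdb, pass_yes=True):
    """Model of the passdb flow: the master passdb authenticates master_user
    (plaintext passwords in this model only); with pass=yes the request then
    continues to the normal passdb, which must confirm that login_user exists."""
    expected = master_passdb.get(master_user, "")
    if not hmac.compare_digest(expected.encode("utf-8"), master_password.encode("utf-8")):
        return "master auth failed"
    if not pass_yes:
        # Nobody has checked login_user yet: the later userdb lookup may fail,
        # or a static userdb may invent the user, as the text above warns.
        return "master auth ok, login user unverified"
    if login_user not in normal_passdb:
        return "login user does not exist"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data, not from any real deployment.
    masters = {"masteruser": "masterpass"}
    users = {"loginuser": "{PLAIN}secret1", "bob": "{PLAIN}secret2"}
    for who, line in imap_authenticate_exchange("1", "loginuser", "masteruser", "masterpass"):
        print(who, line)
    print(imap_login_line("2", "loginuser", "masteruser", "masterpass"))
    print(master_login_decision("loginuser", "masteruser", "masterpass", masters, users))
    print(master_login_decision("ghost", "masteruser", "masterpass", masters, users))
```

Both forms send the master password in the clear, exactly as the telnet test does, so test over a TLS session or on localhost only.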


Master passwords
================


The easiest way to implement this is with SQL:

---%<-------------------------------------------------------------------------
password_query = SELECT userid AS user, 'master-password' AS password FROM users WHERE userid = '%u'
---%<-------------------------------------------------------------------------

If you don't have the users in an SQL database, you can still fake it:

---%<-------------------------------------------------------------------------
password_query = SELECT '%u' AS user, 'master-password' AS password
---%<-------------------------------------------------------------------------

However, note that the above will allow logins for any username using the master password, even for users that don't really exist. Then in your 'dovecot.conf', have something like:

---%<-------------------------------------------------------------------------
auth default {
..
  passdb pam {
  }
  passdb sql {
    args = /etc/dovecot-sql-master.conf
  }
..
}
---%<-------------------------------------------------------------------------
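To see how the SQL variants on this page differ, here is an added example (not Dovecot's own code) that runs the master-passdb query from the "SQL Example" section and the two master-password queries above against an in-memory SQLite table. Assumed: the table layout and sample rows below, 'master_user = 1' standing in for 'master_user = true' because SQLite has no boolean type, and the username passed as a bound parameter where the real queries have '%u' (Dovecot substitutes '%u' itself before the query reaches the database).

```python
import sqlite3

# Added example, not Dovecot's code: an in-memory model of the password_query
# variants on this page. Assumed: table layout and rows below, master_user = 1
# for master_user = true, '?' where the real queries carry '%u'.

# dovecot-sql-master.conf: only rows flagged as master users match
MASTER_QUERY = "SELECT password FROM users WHERE userid = ? AND master_user = 1"
# dovecot-sql.conf: ordinary logins
NORMAL_QUERY = "SELECT password FROM users WHERE userid = ?"
# master password, real user table: a row only for users that exist
MASTER_PASSWORD_QUERY = (
    "SELECT userid AS user, 'master-password' AS password FROM users WHERE userid = ?")
# master password, faked: no table at all, so a row comes back for any name
FAKED_MASTER_PASSWORD_QUERY = "SELECT ? AS user, 'master-password' AS password"


def build_sample_db():
    """Constructed data: one ordinary user and one master user
    (the admin hash is the one from the passwd.masterusers example)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        " userid TEXT PRIMARY KEY,"
        " password TEXT NOT NULL,"
        " master_user INTEGER NOT NULL DEFAULT 0)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "{SHA1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", 0),
        ("admin", "{SHA1}nU4eI71bcnBGqeO0t9tXvY1u5oQ=", 1),
    ])
    return con


def lookup_password(con, query, username):
    """Run one password_query for username. The password is the last column
    (the queries return either 'password' or 'user, password').
    Returns None where the passdb would report the user as unknown."""
    row = con.execute(query, (username,)).fetchone()
    return None if row is None else row[-1]


def usernames_accepted(con, query, candidates):
    """Which of the candidate names get a password row from this query."""
    return [u for u in candidates if lookup_password(con, query, u) is not None]


if __name__ == "__main__":
    con = build_sample_db()
    names = ["alice", "admin", "nobody"]
    for label, q in [("master passdb", MASTER_QUERY),
                     ("normal passdb", NORMAL_QUERY),
                     ("master password", MASTER_PASSWORD_QUERY),
                     ("faked master password", FAKED_MASTER_PASSWORD_QUERY)]:
        print(f"{label:22} accepts {usernames_accepted(con, q, names)}")
```

The last line of the output is the point of the warning above: the faked query accepts "nobody" just as readily as "alice", so a single leaked master password becomes a login for any name an attacker cares to type.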

One way to do this without SQL is to create a >>passwd-file<< containing every user:

---%<-------------------------------------------------------------------------
user1:{plain}master-password
user2:{plain}master-password
..etc..
---%<-------------------------------------------------------------------------

  148 (This file was created from the wiki on 2007-12-11 04:42)