Univention Bugzilla – Bug 49307
Make it possible to configure a master password for dovecot
Last modified: 2021-01-18 20:31:26 CET
For the configuration of Single-Sign-On between UCS and OX, a Dovecot master password is required because OX no longer has the credentials available in the user session. Of course, this could also be relevant for other groupwares.

So far there is only one master user under /etc/dovecot/master-users. Unfortunately this does not work with OX. As far as I know, you can only define a password in OX. See com.openexchange.mail.masterPassword: https://documentation.open-xchange.com/7.8.4/middleware/components/saml/saml.html

Therefore I asked OX additionally if you could also configure a name (e.g. dovecotadmin).

The following article (section Master passwords) describes the possibilities to configure master passwords in Dovecot: https://wiki.dovecot.org/Authentication/MasterUsers
Feedback from OX: "Dovecot understands that. However, OX cannot handle it in that format by default."

Format:
1 login loginuser*masteruser masterpass
(In reply to Michel Smidt from comment #1)
> 1 login loginuser*masteruser masterpass

Our listener passes the IMAP user and IMAP password to OX. Has anyone tested whether the master password works if the listener automatically appends "*masteruser" to the IMAP username?
(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Michel Smidt from comment #1)
> > 1 login loginuser*masteruser masterpass
>
> Our listener passes the IMAP user and IMAP password to OX. Has anyone
> tested whether the master password works if the listener automatically
> appends "*masteruser" to the IMAP username?

No, not yet. Can you give me a hint how I can do that? I have a working test environment.
I would try something like this:

Edit /usr/share/univention-ox/listener/ox-user.py and replace (line 336)
    groupwareoptions.append("--imaplogin=%s" % email)
with
    groupwareoptions.append("--imaplogin=%s*dovecotadmin" % email)

Then restart the Listener and create a new user.
This was also necessary in my case:

cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/90-acl.conf
plugin {
  acl_user = %u
}
auth_master_user_separator = *
_EOT_ACL_

# See https://www.dovecot.nl/pipermail/dovecot/2019-April/115457.html
(In reply to Stefan Gohmann from comment #5)
> This was also necessary in my case:
>
> cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/90-acl.conf
> plugin {
>   acl_user = %u
> }
> auth_master_user_separator = *
> _EOT_ACL_
>
> # See https://www.dovecot.nl/pipermail/dovecot/2019-April/115457.html

which would not survive the next ucr commit.
As a workaround, one may consider placing the ACL settings into /etc/dovecot/local.conf instead of /etc/dovecot/conf.d/90-acl.conf.
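Added example, not part of the thread or of the univention-ox listener: a sketch of composing the "loginuser*masteruser" value for --imaplogin with a configurable separator, rejecting addresses that already contain the separator so a mailbox name cannot be mistaken for a master-user suffix. The function names are hypothetical, and splitting at the first separator is an assumption about how the server side parses the login.

```python
# Added illustration; function names are hypothetical, not from univention-ox.
SEPARATOR = "*"               # auth_master_user_separator value used in the thread
MASTER_USER = "dovecotadmin"  # example master user name used in the thread


def build_imap_login(email, master_user=MASTER_USER, sep=SEPARATOR):
    """Return 'loginuser<sep>masteruser' for the --imaplogin option."""
    if len(sep) != 1:
        raise ValueError("separator must be a single character")
    for label, value in (("login user", email), ("master user", master_user)):
        if not value:
            raise ValueError("%s is empty" % label)
        if sep in value:
            # A separator inside either part makes the split ambiguous:
            # 'a*b@example.com*dovecotadmin' would no longer name one mailbox.
            raise ValueError("%s contains the separator %r" % (label, sep))
        if any(c.isspace() for c in value):
            # The IMAP LOGIN line shown in the thread is space separated.
            raise ValueError("%s contains whitespace" % label)
    return "%s%s%s" % (email, sep, master_user)


def split_imap_login(login, sep=SEPARATOR):
    """Split a login name into (login_user, master_user or None).

    Assumption: the split happens at the first occurrence of the separator.
    """
    login_user, found, master_user = login.partition(sep)
    return (login_user, master_user if found else None)


if __name__ == "__main__":
    # Constructed sample address, not taken from the bug report.
    login = build_imap_login("alice@example.com")
    print(login, split_imap_login(login))
```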