New Auditor / Master Admin privileges not effected.

Issue #186 resolved
Clemo created an issue

When I create a user as an Auditor or Master Admin, and then I log in as that user, I find that his web window displays only Regular user privileges. He gets the same web screen as a Regular user rather than as an Auditor or Admin. I have also tried to create a user initially as a Regular User, then converted him to an Auditor, but to no avail.

SCENARIO:

The Default admin@local User Management correctly displays him as an auditor. This is the sample of what I fill in when creating him:

Email address: jon@abc.com
Username: jon@abc.com
Realname: Jon
Domain: abc.com
Search domains:
Domains: abc.com
Search groups:
Groups:
Folders:
Admin user: Auditor

I have tried restarting piler / apache / even the host :) This issue is still present in the latest Master Branch. Either I am overlooking something in my setup, or it's an issue.

Regards,

Clemo

Comments (6)

  1. Clemo reporter

    I have done it at the Demo site and it is working. I created the admin/auditor user the same way I am doing, but on my installation it's not working.

    Clemo

  2. Clemo reporter

    I have noticed where the issue might be. In my Piler setup, users authenticate via an IMAP server. When I disable IMAP authentication and use the local domain, my auditor and admin privilege options are displayed. But with IMAP authentication activated, those options disappear immediately.

    Of course, with well over a hundred users it is much better if users authenticate via IMAP (which works very well) rather than creating each of them individually as local users. But as it is, at present, administrator and auditor privileges are not possible with IMAP and one is forced to use the inbuilt administrator/auditor.

    Maybe you have a solution to this.

    Clemo

  3. Janos SUTO repo owner

    The problem is that imap (unlike ldap) provides only an authenticated / not authenticated response, no other attributes. So it's impossible to say that user1@aaa.fu is a regular user, but user2@aaa.fu is an auditor.

    However, the way the gui authenticates users gives you an option to solve this issue. You can add an account in the @local domain (as you did), e.g. auditor2@local, and make it an auditor.

    Or you may create a non-existing account in your real domain (e.g. @aaa.fu), e.g. auditor@aaa.fu. Since it's a non-existing account in your domain, the imap auth will fail, however it will continue to look up the local users/email tables.

    With ldap it's possible to define an OU=...,DC=...,DC=... description or better, a container for membership info, so that if a user is a member of it, then the auditor role is granted.

    I can't do that with imap, however with a little extra I think it's possible to create a pcre regex (or two), and if the email address matches either of them, then we grant either auditor or administrator role. Do you think it makes sense? If so then it's possible to eliminate all local accounts.

  4. Clemo reporter

    Aha, at least now I understand the structure as per your explanation. If IMAP has this limitation I would not think it is advisable to go so much out of the way and create regex, etc. Furthermore, since the accounts concerned (admin/auditor) are administrative, I think it is ok if they remain local (and separate from the other user accounts), as they will not be frequently accessed.

    I believe you can mark this post as resolved.

    Thanks for your great assistance.

    Regards,

    Clemo

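The login order described in comment 3, as an added Python model (not piler's code and not part of the thread): IMAP returns only success or failure, the local table supplies a stored role, and the optional pattern step sketches the regex idea with whole-address matching so a look-alike address does not pick up a role. All accounts, passwords, patterns and function names are constructed for illustration.

```python
import hmac
import re

# Constructed sample data; hypothetical names, not piler's schema or config.
IMAP_ACCOUNTS = {"user1@aaa.fu": "pw1", "user2@aaa.fu": "pw2"}
LOCAL_USERS = {  # local table: (password, stored role)
    "auditor2@local": ("pw3", "auditor"),
    "auditor@aaa.fu": ("pw4", "auditor"),  # does not exist on the IMAP server
}
# Sketch of the proposed regex mapping (assumed patterns).
ROLE_PATTERNS = [
    ("admin", re.compile(r"sysadmin@aaa\.fu")),
    ("auditor", re.compile(r"(user2|compliance)@aaa\.fu")),
]


def imap_auth(email, password):
    """Stand-in for the IMAP login: a yes/no answer, no role attribute."""
    stored = IMAP_ACCOUNTS.get(email)
    return stored is not None and hmac.compare_digest(stored, password)


def role_from_patterns(email):
    """Map an address to a role; fullmatch() rejects prefix/suffix look-alikes."""
    for role, pattern in ROLE_PATTERNS:
        if pattern.fullmatch(email.lower()):
            return role
    return "regular"


def login(email, password, use_patterns=False):
    """Return the granted role, or None if every backend rejects the login."""
    if imap_auth(email, password):
        # Authenticated, but IMAP said nothing about privileges.
        return role_from_patterns(email) if use_patterns else "regular"
    # IMAP failed (wrong password or unknown account): try the local table.
    local = LOCAL_USERS.get(email)
    if local and hmac.compare_digest(local[0], password):
        return local[1]
    return None


if __name__ == "__main__":
    for who, pw in [("user2@aaa.fu", "pw2"), ("auditor@aaa.fu", "pw4")]:
        print(who, "->", login(who, pw))
```

The role is assigned only after a backend has accepted the password, so a matching address with a wrong password still gets nothing.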