File: identifiers.html

cyrus-imapd 3.12.1-1
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Access Control Identifier (ACI) &mdash; Cyrus IMAP 3.12.1 documentation</title>
      <link rel="stylesheet" href="../../../../_static/pygments.css" type="text/css" />
      <link rel="stylesheet" href="../../../../_static/css/theme.css" type="text/css" />
      <link rel="stylesheet" href="../../../../_static/graphviz.css" type="text/css" />
      <link rel="stylesheet" href="../../../../_static/cyrus.css" type="text/css" />
  
        <script data-url_root="../../../../" id="documentation_options" src="../../../../_static/documentation_options.js"></script>
        <script src="../../../../_static/jquery.js"></script>
        <script src="../../../../_static/underscore.js"></script>
        <script src="../../../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../../../_static/doctools.js"></script>
        <script src="../../../../_static/sphinx_highlight.js"></script>
    <script src="../../../../_static/js/theme.js"></script>
    <link rel="index" title="Index" href="../../../../genindex.html" />
    <link rel="search" title="Search" href="../../../../search.html" />
    <link rel="next" title="Access Control Lists Rights Reference" href="rights-reference.html" />
    <link rel="prev" title="Access Control Defaults" href="defaults.html" /> 
</head>

<body class="wy-body-for-nav"> 
  <div class="wy-grid-for-nav">

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../../../index.html">Cyrus IMAP</a>
      </nav>

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
             
  <section id="access-control-identifier-aci">
<span id="imap-admin-access-control-identifiers"></span><h1>Access Control Identifier (ACI)<a class="headerlink" href="#access-control-identifier-aci" title="Permalink to this heading"></a></h1>
<p>The Access Control Identifier (ACI) part of an ACL entry specifies the
user or group to which the entry applies.  Group identifiers are
distinguished by the prefix &quot;group:&quot;, for example &quot;group:accounting&quot;.</p>
<p>There are two special identifiers, &quot;anonymous&quot; and &quot;anyone&quot;.  The meaning of
other identifiers usually depends on the
<a class="reference internal" href="#imap-admin-access-control-authorization-mechanisms"><span class="std std-ref">authorization mechanism</span></a>
being used.</p>
<section id="anonymous-and-anyone">
<h2><code class="docutils literal notranslate"><span class="pre">anonymous</span></code> and <code class="docutils literal notranslate"><span class="pre">anyone</span></code><a class="headerlink" href="#anonymous-and-anyone" title="Permalink to this heading"></a></h2>
<p>With any authorization mechanism, two special identifiers are defined.
The identifier <code class="docutils literal notranslate"><span class="pre">anonymous</span></code> refers to the anonymous, or unauthenticated
user. The identifier <code class="docutils literal notranslate"><span class="pre">anyone</span></code> refers to all users, including the
anonymous user.</p>
<p>Both <code class="docutils literal notranslate"><span class="pre">anonymous</span></code> and <code class="docutils literal notranslate"><span class="pre">anyone</span></code> may commonly be used with the <strong>post</strong>
right <code class="docutils literal notranslate"><span class="pre">p</span></code> to allow message insertion to mailboxes.</p>
</section>
</section>
<section id="authorization-mechanisms">
<span id="imap-admin-access-control-authorization-mechanisms"></span><h1>Authorization Mechanisms<a class="headerlink" href="#authorization-mechanisms" title="Permalink to this heading"></a></h1>
<p>The Cyrus IMAP server comes with four authorization mechanisms: one
compatible with Unix-style (<code class="docutils literal notranslate"><span class="pre">/etc/passwd</span></code>) authorization, one called
<code class="docutils literal notranslate"><span class="pre">mboxgroups</span></code>, one for use with Kerberos 5, and one for use with an
external authorization process (ptloader) which can interface with
other group databases (e.g. AFS PTS groups, LDAP Groups).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><strong>Authentication !== Authorization</strong></p>
<p>Note that authorization is <em>not</em> the same thing as authentication.
Authentication is the act of proving who you are. Authorization is
the act of determining what rights you have. Authentication is
discussed in the <a class="reference internal" href="../../../concepts/overview_and_concepts.html#imap-concepts-login-authentication"><span class="std std-ref">Login Authentication</span></a> part of
this document.</p>
</div>
<p>The authorization mechanism in use is determined by the <code class="docutils literal notranslate"><span class="pre">auth_mech</span></code>
<a class="reference internal" href="../../manpages/configs/imapd.conf.html#std-cyrusman-imapd.conf-5">imapd.conf(5)</a> option:</p>
<blockquote>
<div><blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">auth_mech:</span></code> unix</p>
<blockquote>
<div><p>The authorization mechanism to use.</p>
<p>Allowed values: <em>unix</em>, <em>pts</em>, <em>krb5</em>, <em>mboxgroups</em></p>
</div></blockquote>
</div></blockquote>
</div></blockquote>
<section id="unix-authorization">
<h2>Unix Authorization<a class="headerlink" href="#unix-authorization" title="Permalink to this heading"></a></h2>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">unix</span>
</pre></div>
</div>
<p>In the Unix authorization mechanism, ACIs are either a valid userid or
the string <code class="docutils literal notranslate"><span class="pre">group:</span></code> followed by a group listed in <code class="docutils literal notranslate"><span class="pre">/etc/group</span></code>.
Thus:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">root</span>                <span class="n">Refers</span> <span class="n">to</span> <span class="n">the</span> <span class="n">user</span> <span class="n">root</span>
<span class="n">group</span><span class="p">:</span><span class="n">staff</span>         <span class="n">Refers</span> <span class="n">to</span> <span class="n">the</span> <span class="n">group</span> <span class="n">staff</span>
</pre></div>
</div>
<p>It is also possible to use unix groups with users authenticated through
a non-/etc/passwd backend. Note that using unix groups in this way
(without associated <code class="docutils literal notranslate"><span class="pre">/etc/passwd</span></code> entries) is not recommended.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Cyrus requires the getgrent(3) POSIX library function. As such, NSS needs
to be configured with at least one source that makes the groups available.
This is usually &quot;files&quot;, but could also include &quot;ldap&quot;.</p>
<p>NSS augmentations, such as <code class="docutils literal notranslate"><span class="pre">nss_ldap</span></code>, <code class="docutils literal notranslate"><span class="pre">pam_ldap</span></code> or <code class="docutils literal notranslate"><span class="pre">sssd</span></code>
may be used to provide Cyrus access to group information via NSS.</p>
</div>
</section>
<section id="mboxgroups-authorization">
<span id="auth-mech-mboxgroups"></span><h2>mboxgroups Authorization<a class="headerlink" href="#mboxgroups-authorization" title="Permalink to this heading"></a></h2>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">mboxgroups</span>
</pre></div>
</div>
<p>The mboxgroups authorization mechanism is like the Unix mechanism, but it
looks for groups stored in the mailboxes.db instead of the system groups file.</p>
<p>When this authorization mechanism is in use, imapd will report the capability
<code class="docutils literal notranslate"><span class="pre">XUSERGROUPS</span></code>, and admins can use the IMAP commands <code class="docutils literal notranslate"><span class="pre">GETUSERGROUP</span></code>,
<code class="docutils literal notranslate"><span class="pre">SETUSERGROUP</span></code>, and <code class="docutils literal notranslate"><span class="pre">UNSETUSERGROUP</span></code> for group management.</p>
<blockquote>
<div><p><strong>GETUSERGROUP</strong> <em>item</em></p>
<blockquote>
<div><p>If <em>item</em> is a userid, returns the groups the user belongs to.  If
<em>item</em> is a group identifier, returns its members.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">C</span><span class="p">:</span> <span class="mi">8</span> <span class="n">GETUSERGROUP</span> <span class="n">cassandane</span>
<span class="n">S</span><span class="p">:</span> <span class="o">*</span> <span class="n">USERGROUP</span> <span class="n">cassandane</span> <span class="p">(</span><span class="s2">&quot;group:group c&quot;</span> <span class="s2">&quot;group:group co&quot;</span><span class="p">)</span>
<span class="n">S</span><span class="p">:</span> <span class="mi">8</span> <span class="n">OK</span> <span class="n">Completed</span>
<span class="n">C</span><span class="p">:</span> <span class="mi">9</span> <span class="n">GETUSERGROUP</span> <span class="s2">&quot;group:group co&quot;</span>
<span class="n">S</span><span class="p">:</span> <span class="o">*</span> <span class="n">USERGROUP</span> <span class="s2">&quot;group:group co&quot;</span> <span class="p">(</span><span class="n">cassandane</span> <span class="n">otheruser</span><span class="p">)</span>
<span class="n">S</span><span class="p">:</span> <span class="mi">9</span> <span class="n">OK</span> <span class="n">Completed</span>
</pre></div>
</div>
</div></blockquote>
<p><strong>SETUSERGROUP</strong> <em>userid</em> <em>group</em></p>
<blockquote>
<div><p>Adds <em>userid</em> as a member of <em>group</em></p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">C</span><span class="p">:</span> <span class="mi">9</span> <span class="n">SETUSERGROUP</span> <span class="n">cassandane</span> <span class="s2">&quot;group:new group&quot;</span>
<span class="n">S</span><span class="p">:</span> <span class="mi">9</span> <span class="n">OK</span> <span class="n">Completed</span>
</pre></div>
</div>
</div></blockquote>
<p><strong>UNSETUSERGROUP</strong> <em>userid</em> <em>group</em></p>
<blockquote>
<div><p>Removes <em>userid</em> from <em>group</em></p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">C</span><span class="p">:</span> <span class="mi">9</span> <span class="n">UNSETUSERGROUP</span> <span class="n">cassandane</span> <span class="s2">&quot;group:group c&quot;</span>
<span class="n">S</span><span class="p">:</span> <span class="mi">9</span> <span class="n">OK</span> <span class="n">Completed</span>
</pre></div>
</div>
</div></blockquote>
</div></blockquote>
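<p>The following is an added example, not part of the Cyrus documentation or
code base. It parses <code class="docutils literal notranslate"><span class="pre">USERGROUP</span></code> responses shaped like the ones shown above (including quoted
group identifiers that contain spaces) and derives the set of identifiers that can match a
given user in an ACL entry. The function names and the sample transcript are assumptions made for the illustration.</p>

```python
import re

# Constructed sample: server lines shaped like the GETUSERGROUP exchange above.
SAMPLE_TRANSCRIPT = '''\
S: * USERGROUP cassandane ("group:group c" "group:group co")
S: 8 OK Completed
S: * USERGROUP "group:group co" (cassandane otheruser)
S: 9 OK Completed
'''

# A token is a quoted string (identifiers may contain spaces) or a bare atom.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s()"]+)')
# Untagged USERGROUP response, with an optional "S:" transcript prefix.
_USERGROUP = re.compile(r'^(?:S:\s*)?\*\s+USERGROUP\s+(.*)$')


def _tokens(text):
    """Split atoms and quoted strings, undoing backslash escapes in quotes."""
    out = []
    for m in _TOKEN.finditer(text):
        if m.group(2) is not None:
            out.append(m.group(2))
        else:
            out.append(re.sub(r'\\(.)', r'\1', m.group(1)))
    return out


def parse_usergroup(line):
    """Return (item, [values]) for a USERGROUP line, or None for anything else."""
    m = _USERGROUP.match(line.strip())
    if not m:
        return None
    rest = m.group(1)
    first = _TOKEN.match(rest)
    if not first:
        return None
    item = _tokens(first.group(0))[0]
    tail = rest[first.end():].strip()
    # Only the parenthesised-list shape shown on this page is accepted.
    if not (tail.startswith('(') and tail.endswith(')')):
        return None
    return item, _tokens(tail[1:-1])


def membership(transcript):
    """Build {userid: set of group identifiers} from both response directions."""
    groups_of = {}
    for line in transcript.splitlines():
        parsed = parse_usergroup(line)
        if parsed is None:
            continue
        item, values = parsed
        if item.startswith('group:'):
            # Item is a group identifier: the values are its members.
            for user in values:
                groups_of.setdefault(user, set()).add(item)
        else:
            # Item is a userid: the values are the groups it belongs to.
            groups_of.setdefault(item, set()).update(values)
    return groups_of


def effective_identifiers(userid, groups_of):
    """Identifiers that refer to this user: itself, its groups, and 'anyone'."""
    if userid == 'anonymous':
        return {'anonymous', 'anyone'}
    return {userid, 'anyone'} | groups_of.get(userid, set())
```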
</section>
<section id="kerberos-authorization">
<h2>Kerberos Authorization<a class="headerlink" href="#kerberos-authorization" title="Permalink to this heading"></a></h2>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">krb5</span>
</pre></div>
</div>
<p>Using the Kerberos authorization mechanism, ACIs are of the form:</p>
<blockquote>
<div><p><em>$principal</em>.<em>$instance</em>&#64;<em>$realm</em></p>
</div></blockquote>
<p>If <code class="docutils literal notranslate"><span class="pre">$instance</span></code> is omitted, it defaults to the null string. If
<code class="docutils literal notranslate"><span class="pre">$realm</span></code> is omitted, it defaults to the local realm.</p>
</section>
<section id="pts-authorization">
<h2>PTS Authorization<a class="headerlink" href="#pts-authorization" title="Permalink to this heading"></a></h2>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">pts</span>
</pre></div>
</div>
<p>The PTS authorization mechanism is modular, with the module selected by the
<code class="docutils literal notranslate"><span class="pre">pts_module</span></code> <a class="reference internal" href="../../manpages/configs/imapd.conf.html#std-cyrusman-imapd.conf-5">imapd.conf(5)</a> option:</p>
<blockquote>
<div><blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">pts_module:</span></code> afskrb</p>
<blockquote>
<div><p>The PTS module to use.</p>
<p>Allowed values: <em>afskrb</em>, <em>ldap</em>, <em>http</em></p>
</div></blockquote>
</div></blockquote>
</div></blockquote>
<p>The meaning of identifiers depends on the PTS module being used.</p>
<section id="afskrb-authorization-using-pts">
<h3>AFSKRB Authorization using PTS<a class="headerlink" href="#afskrb-authorization-using-pts" title="Permalink to this heading"></a></h3>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">pts</span>
<span class="n">pts_module</span><span class="p">:</span> <span class="n">afskrb</span>
</pre></div>
</div>
<p>Document this!  Probably by linking to a separate document.</p>
</section>
<section id="http-authorization-using-pts">
<h3>HTTP Authorization using PTS<a class="headerlink" href="#http-authorization-using-pts" title="Permalink to this heading"></a></h3>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">pts</span>
<span class="n">pts_module</span><span class="p">:</span> <span class="n">http</span>
</pre></div>
</div>
<p>Document this!  Probably by linking to a separate document.</p>
</section>
<section id="ldap-authorization-using-pts">
<h3>LDAP Authorization using PTS<a class="headerlink" href="#ldap-authorization-using-pts" title="Permalink to this heading"></a></h3>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">auth_mech</span><span class="p">:</span> <span class="n">pts</span>
<span class="n">pts_module</span><span class="p">:</span> <span class="n">ldap</span>
</pre></div>
</div>
<p>Document this!  Probably by linking to a separate document.</p>
</section>
<section id="alternative-authorization-using-pts">
<h3>Alternative Authorization using PTS<a class="headerlink" href="#alternative-authorization-using-pts" title="Permalink to this heading"></a></h3>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>auth_mech: pts
pts_module: ???
</pre></div>
</div>
<p>A site may wish to write their own authorization mechanism, perhaps to
implement a local group mechanism.  You do this by implementing a custom
PTS module.  The form and meaning of identifiers will be up to the
implementation.</p>
</section>
</section>
</section>


           </div>
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 1993–2025, The Cyrus Team.</p>
  </div>

  Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
    <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
    provided by <a href="https://readthedocs.org">Read the Docs</a>.
   

</footer>
        </div>
      </div>
    </section>
  </div>
  <script>
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>
 



</body>
</html>