1

Topic: Role-Based Access Control (RBAC)

==== Required information ====
- iRedMail version (check /etc/iredmail-release):     v0.9.5-1
- Linux/BSD distribution name and version: debian
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

Hi! Is it possible to use Role-Based Access Control (RBAC) to authenticate users?

Thanks!

2

Re: Role-Based Access Control (RBAC)

What do you do with this RBAC after authentication?

3

Re: Role-Based Access Control (RBAC)

Hi ZhangHuangbin!

On my intranet, I have some systems with centralized authentication in an RBAC service. So I checked whether it is possible to authenticate the email service provided by iRedMail via RBAC, or whether I will need to migrate everything to LDAP.

My RBAC server is in python provided by the web2py framework.

4

Re: Role-Based Access Control (RBAC)

Thanks for sharing, but I didn't get the answer: I understand you have an RBAC service, but what do you expect iRedMail to do with this RBAC service? For example, after authentication, how does RBAC impact the user? Any difference?

5

Re: Role-Based Access Control (RBAC)

I would like it to be a single user and password that each person uses in the various systems of my intranet, and if the user changes the password, this new password is valid in the various systems because the service that controls authentication is centralized.

In the case of iRedMail, the verification of the user and password to authenticate to the e-mail service would be done through the RBAC service active on the network.

6

Re: Role-Based Access Control (RBAC)

Sounds like you need a central LDAP server to store mail accounts for central authentication. Am I right?

With the iRedMail OpenLDAP backend, you can store mail accounts in the local OpenLDAP server (the one running on the iRedMail server). Since iRedMail uses its own LDAP schema file, if you want to use an existing LDAP server in your intranet, it will be a challenge to integrate the iRedMail schema file and the Amavisd schema file -- using those 2 schema files is easy, the point is how to define which LDAP attributes/values your mail accounts should have. And I suppose it's not just for mail services: if your other applications use the same LDAP accounts for authentication (or even more functions), it's a challenge.