"authz": Authorization Plugin for Squirrelmail

The "authz" plugin for Squirrelmail allows users and/or administrators to login to their IMAP servers via Squirrelmail, whilst using different authentication and authorization identifiers. This allows users and/or administrators to "proxy" as other users.

Possible uses for this feature include:

In order to use the authz plugin, an IMAP server that allows proxy authentication via SASL and supports login mechanisms other than LOGIN is required. Any SASL mechanism other than LOGIN will do, such as PLAIN, DIGEST-MD5 or CRAM-MD5.

Implementation in Squirrelmail

When the authz plugin is enabled in Squirrelmail, the login procedure changes in one respect: the value entered in the login box is searched for a delimiter, by default the character ':'.

Therefore, if a user or administrator is aware of the proxy feature, she can log in as cyrusadmin:user, where cyrusadmin is the authorization identity (authz) and user is the authentication identity (authc).

The password entered must be the one that belongs to the cyrusadmin account.

If the password is correct, the webmail session will start and everything will behave as if the account of user had logged in.

Summary of Usage

Each row of the table below lists, for one kind of login, the Authentication ID (authcid), the Authorization ID (authzid), whose password is used, the resulting SASL PLAIN example, the Squirrelmail variables (global & session) and what is typed in the Squirrelmail login box.

Normal / Standard Request (Plain Users)
  Authentication ID (authcid):   uid
  Authorization ID (authzid):    uid, or empty
  Using the password of:         uid
  SASL PLAIN example:            AUTHENTICATE PLAIN uid\0uid\0upass
                                 or AUTHENTICATE PLAIN \0uid\0upass
  Squirrelmail variables:        $username = 'uid'
  Squirrelmail login box:        'uid'

Proxy Request (Admins or Proxy-enabled Users)
  Authentication ID (authcid):   uid
  Authorization ID (authzid):    cyrusadmin
  Using the password of:         cyrusadmin
  SASL PLAIN example:            AUTHENTICATE PLAIN \0cyrusadmin\0uid\0upass
  Squirrelmail variables:        $username = 'uid'
                                 $authz = 'cyrusadmin'
  Squirrelmail login box:        'cyrusadmin:uid'
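The login-box handling described under "Implementation in Squirrelmail" and the two rows of the usage summary, as an added Python model. This is not the plugin's PHP code and does not use Squirrelmail's API; it only reproduces the logic: split the login box on the delimiter, build the SASL PLAIN initial response for a normal and for a proxy login, and run a toy server-side decision standing in for the IMAP server's SASL backend. The credential store, the proxy policy and the account names alice and cyrusadmin are constructed for the example. One caveat the table does not spell out: RFC 4616 orders the PLAIN message as authorization-identity NUL authentication-identity NUL password, so in a proxy login the account whose password is supplied (the plugin's $authz account) goes in the second slot and the user being proxied in the first; the example follows that wire order.

```python
import base64
import hmac

# Delimiter searched for in the login box; the plugin's default is ':'.
DELIMITER = ":"

# Constructed sample data standing in for the IMAP server's user database and
# its proxy policy (which accounts may authorize as someone else).
USERS = {"alice": "alice-pw", "cyrusadmin": "admin-pw"}
PROXY_ALLOWED = {"cyrusadmin"}


def parse_login(login_box, delimiter=DELIMITER):
    """Return (authz_account, username) for the login box contents.

    'alice'            -> (None, 'alice')          normal login
    'cyrusadmin:alice' -> ('cyrusadmin', 'alice')  proxy login
    """
    if delimiter not in login_box:
        return None, login_box
    authz, username = login_box.split(delimiter, 1)
    if not authz or not username:
        raise ValueError("both identities are required around the delimiter")
    return authz, username


def plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd (no NUL inside)."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a PLAIN component")
    return f"{authzid}\0{authcid}\0{password}".encode("utf-8")


def build_authenticate_command(login_box, password, tag="A01"):
    """Return (IMAP command line, raw PLAIN message, session variables)."""
    authz, username = parse_login(login_box)
    if authz is None:
        # Normal login: authenticate as uid; authzid left empty means "act as myself".
        message = plain_initial_response("", username, password)
        session = {"username": username}
    else:
        # Proxy login: the password belongs to the authz account, which
        # authenticates (second slot) and asks to act as username (first slot).
        message = plain_initial_response(username, authz, password)
        session = {"username": username, "authz": authz}
    encoded = base64.b64encode(message).decode("ascii")
    return f"{tag} AUTHENTICATE PLAIN {encoded}", message, session


def server_accept(initial_response):
    """Toy IMAP-side decision: return the effective identity, or None on refusal.

    The server, not the webmail client, decides whether authcid may act as
    authzid; Squirrelmail only forwards the two identities.
    """
    parts = initial_response.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    stored = USERS.get(authcid)
    if stored is None or not hmac.compare_digest(stored, password):
        return None  # authentication failed
    if not authzid or authzid == authcid:
        return authcid  # plain login, no proxying requested
    if authcid not in PROXY_ALLOWED or authzid not in USERS:
        return None  # proxying refused by policy
    return authzid


if __name__ == "__main__":
    for box, pw in (("alice", "alice-pw"), ("cyrusadmin:alice", "admin-pw")):
        cmd, msg, session = build_authenticate_command(box, pw)
        print(cmd, session, "->", server_accept(msg))
```

The session dictionary mirrors the table's $username and $authz variables: after a successful proxy login the webmail session runs as the proxied user while the credentials presented were the admin's. Whether that is allowed is decided entirely in server_accept (on a real deployment, by the IMAP server's SASL configuration); a webmail client that accepted the two identities without the server enforcing the policy would let any user pick an arbitrary authorization identity.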

Limitations

References