Quotas Implementation


#11

Speaking of changes, I’ve been meaning to get around to adding support for external authentication (External Authentication Repo?), but I haven’t been able to fully grasp Keycloak and OpenLDAP. I feel like Mail-in-a-Box needs to get to a point where you can plug it into your existing environment, and streamline making everything work together (like Single-Sign-On).

For example, I want to run a full Nextcloud server, Collabora Office environment, MediaWiki, Wordpress, blaw blaw blaw, and want to give all my users ONE username and ONE password, where they sign into ONE login prompt. And when they switch between services, they stay logged in/out.

I know that Mail-in-a-Box is not an all-in-one magical solution, but I feel like it should get to a point where it can fit into the bigger picture of a business with all its applications.

…Oh the joys of ignorance and lack of time, but the eagerness to make the world a better place.

…Anyways, @jrsupplee, would you consider looking into implementing quotas into an LDAP user object thingy?.. I had looked at some documentation on LDAP schemas and stuff, but that was a couple of months ago.


#12

MIAB is not meant for business though - it’s for personal self-hosting…,… :confused:

Edit: Although, maybe implementing external ldap authentication would be dope. At the very least all the apps you mentioned support this too :slight_smile:


#13

Well, there are business applications that can be used for personal use. I mean Google G-Suite is for businesses, but I still use it for personal use for free. Business-y personal use. It’s nice how going from Google mail magically signs me in when I go to YouTube, Google Docs, Google Drive, etc…


#14

Sorry, @Eliter I’m not done with the implementation of the quotas and that is my focus right now for MiaB changes. Also, if you need LDAP support you should probably be looking at something other than MiaB.

Specifically, quota calculations are only made when the IMAP server (Dovecot) is accessed. So if the user does not access Dovecot the mailbox size will not be updated and mail will continue to be delivered by Postfix regardless of any quota settings. At least that is how I understand the situation right now.

Postfix needs to be configured to check the quota status before delivering the mail. I’ll look at this when I can but if anyone has any experience with this I’m all ears.
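As an added illustration (not from the thread, jrsupplee’s fork, or the MiaB project), this is the standard Dovecot quota-status policy service wired into Postfix so that Postfix asks Dovecot about the recipient’s quota before accepting a message at SMTP time, instead of accepting it and only discovering the problem when Dovecot is next accessed. The file paths, the 1G limit, the port and the reply text are assumptions for the example.

```conf
# --- /etc/dovecot/conf.d/90-quota.conf (assumed path, example only) ---
# Load the quota plugin for every protocol (imap, lda/lmtp, pop3).
mail_plugins = $mail_plugins quota

plugin {
  # Track usage per Maildir; the named "User quota" root is what
  # `doveadm quota get -u user@example.com` reports.
  quota = maildir:User quota
  quota_rule = *:storage=1G          # assumed limit for the example

  # Replies returned to Postfix through the policy protocol.
  # DUNNO = no opinion, let the remaining Postfix restrictions decide.
  quota_status_success   = DUNNO
  quota_status_nouser    = DUNNO
  quota_status_overquota = "552 5.2.2 Mailbox is full"
}

# Policy daemon Postfix talks to. It answers Postfix's policy requests
# (recipient=..., size=...) with "action=DUNNO" or the overquota reply.
service quota-status {
  executable = quota-status -p postfix
  inet_listener {
    address = 127.0.0.1             # local only; never expose this port
    port = 12340                    # assumed port for the example
  }
  client_limit = 1
}

# --- /etc/postfix/main.cf (fragment; merge with the existing value) ---
# check_policy_service must come AFTER reject_unauth_destination so the
# quota check never turns the server into an open relay by answering
# DUNNO for unknown recipients.
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service inet:127.0.0.1:12340
```

After a `doveadm reload` and `postfix reload`, `doveadm quota recalc -u user@example.com` rebuilds a mailbox’s usage if it was never computed, and an over-quota test delivery should be refused in the SMTP dialogue with the 552 reply rather than queued.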


#15

I made an edit to my post just before you posted this. External LDAP would be nice to have. But comparing G-Suite to MIAB is like comparing a Prius to a Commercial truck bro.


#16

So my main problem with how MIAB manages stuff is that there is no standard, especially in a medium that is happy to be externally pushed/synced, so that means there’s no plug-n-play or good communication between applications.

Now, I did look into how MIAB manages stuff, and looked into how to tinker with it. MIAB puts all its stuff into two places: inside /home/www-data/blaw/blaw/blaw (in a directory, in maildir format), and in a SQLite database located somewhere on the system (I forgot where). I forget if Postfix needs to access either of these.

So Dovecot uses the SQL/SQLite plugin/mod, which makes an SQL query for the SQLite file. When IMAP authentication requests hit the Dovecot server, Dovecot hits the SQLite file, then responds accordingly to the SQLite file. Nextcloud is configured to use IMAP authentication to the Dovecot server.

Now, I know that Dovecot supports LDAP. The problem WAS that Dovecot didn’t support LDAP on Ubuntu 14.04, but luckily we are not in that situation anymore with Ubuntu 18.04. So hopefully if Dovecot can be configured to use LDAP, then we’ll be golden… Hopefully. With these types of things, it is ALWAYS easier said than done.

I saw.

Who is Google and who is MIAB in this context? The commercial truck has a lot more power than a Prius, but presumably isn’t newer; it’s older, slower and has far less technology in it than a Prius. :smiley:


#17

commercial truck = Google
Prius = MIAB

Prius, small, light, ready for easy loads
truck, big, bloaty, heavy to steer, but can handle huge loads.


#18

From someone who has spent time configuring an LDAP server, trust me a SQLite database is much simpler. The amount of overhead required to run an LDAP server is not worth it when SQLite does the job.

I’m not saying your use case is invalid, just that you are asking to add another level of complexity that most people who use MiaB do not require.


#19

Well, I have looked into other external authentication protocols (looking at Keycloak’s supported authentication methods as an example), and it seems LDAP has a lot more support and popularity than, say, OpenID or OAuth. I don’t know much about authentication jargon, but I know it would be nice to magically be able to go from MIAB to MediaWiki/Wordpress/other, and back without having to sign in/out for each, (possibly) having multiple passwords for each.

EDIT: Oh yes, Apache2 is a big reason for me. I wanted to figure out how to lock down the whole server, by forcing authentication. PHP authentication only goes so far, because clients can still access non-PHP files without authenticating.


#20

Luckily OpenLDAP is simple enough - but also MSAD is too.


#21

Then you should go for it.


#22

Yes, I would greatly appreciate help with my attempt to add external authentication to MIAB. [hint hint]


#23

Hi all.

There’s no reason Mail-in-a-Box shouldn’t be used for business purposes — there’s nothing specific about Mail-in-a-Box that precludes its use in a serious or commercial way.

But it is not an enterprise product for a large organization, and we’re not trying to make it one.

I think quotas are useful because in any environment disk usage should be monitored. But LDAP integration is not something that would occur outside of an enterprise environment, so I don’t think I would accept any changes along those lines.


#24

The only reason I suggest LDAP is that it is the most supported standard for authentication, and that would allow for plug-n-play between Mail-in-a-Box and other applications. The other thing is that Mail-in-a-Box has a very simple (yet can be disappointing) system for handling users.

It would be nice to have username, password, then optional fields under it: firstname, lastname, personal email, and any other attributes that might be desired, to be associated with the user to be created. Oh yes, groups! Groups, groups, groups with permissions!

But projects like this start simple, then they build up. Rome was not built in a day. I want to get around to doing external authentication, first.


#25

Not always true, using OpenLDAP instead of SQLite for authentication has many benefits I think. For example: SSO for the different applications that MIAB offers would be nice. Also the ability to move away from SQLite since it has issues with a lot of users (unless the large user base issue was resolved or was caused by something else?)


#26

If SQLite has performance issues, then it needs indices. There is no way LDAP is faster than SQLite properly configured.


#27

I will also add that LDAP is rather difficult to manage. Years ago, I worked with OpenLDAP within a small business. It was a pain to get up and running along with keeping up with the management. I tried something similar to MiaB a while back that did include LDAP out of the box. I was trying it out and as soon as I made some changes to the domain, it stopped working and recovery was more complicated than it was worth. Finding MiaB was a huge relief since it kept the user model simple.

Sometimes configuring an application that consumes it isn’t too bad but applications sometimes use different schemas so it’s not a foregone conclusion that you’ll get what you want from it. If you don’t, you’ll need to learn the LDAP query language to do so.

For friends and family or a small company, MiaB’s model is perfect. There are some tools that aren’t too hard to integrate. For example, there is a script that will allow ejabberd to authenticate against Nextcloud.

Of course, that doesn’t get to the core of what Eliter really wants. It’s not a shared log-in as much as it is Single Sign On. That’s possible with Kerberos, but that comes with a whole other level of difficulty.

If external authentication and/or user sync are possible, that’s the direction I personally prefer.


#28

@jrsupplee

Hey John,

I love the quotas included in your fork, thank you.

But, I have to ask … what if someone wants to revert BACK to the original MiaB? Can that easily be done? What would be the procedure?

Thanks again for this modification. :slight_smile:


#29

If I had to guess (pure speculation) running the installer for official MIAB would revert the changes.


closed #30

This topic was automatically closed after 61 days. New replies are no longer allowed.