thr3ads.net - dovecot - auth-deny : from file to LDAP [Jan 2015]

If this information is useful, please help other people find it:
Share via:

hummel at pasteur.fr

2015-Jan-08 13:48 UTC

auth-deny : from file to LDAP

Hello Timo,

I want to deny access to some users. For now I'm doing it using 2
passdb's and listing users in a text file.

!include auth-deny.conf.ext -> passwd-file driver
!include auth-ldap.conf.ext -> ldap driver

I want to do the same using only LDAP. I'm not quite sure how to do it :

a) should I

 . change the driver of the first passdb from passwd-file to ldap
 . for user to be rejected, add an LDAP attribute named "foo" with a
value of "yes" and map it with something like this :

  pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?

b) or could I use only one ldap passdb by changing the pass_filter

from

  pass_filter = (&(objectClass=posixAccount)(uid=%u))

to something like

  pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))

?

Thanks

-- 
Thomas Hummel 	    | Institut Pasteur
<hummel at pasteur.fr> | Groupe Exploitation et Infrastructure

Thomas HUMMEL

2015-Jan-08 14:47 UTC

head link

auth-deny : from file to LDAP

On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel at pasteur.fr
wrote:> Hello Timo,
> a) should I
> 
>  . change the driver of the first passdb from passwd-file to ldap
>  . for user to be rejected, add an LDAP attribute named "foo"
with a value of "yes" and map it with something like this :
> 
>   pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
> 
This doesn't seem to work but maybe am I misunderstanding the logic : 

I thought that in the passdb{} section of auth-deny.conf.ext, you could comment
"deny = yes" as long as the passdb returned an extra_field mapped on
"deny"
with the value of "yes" for users you'd want to deny access to: is
that the
case ?

Maybe it's just something like : "if user is found in passdb but
"deny yes" is not stated in the passdb{} section, then access is
granted ?

> b) or could I use only one ldap passdb by changing the pass_filter
> 
> from
> 
>   pass_filter = (&(objectClass=posixAccount)(uid=%u))
> 
> to something like
> 
>   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
> 
> ?
This is working but I don't know if this is the recommended way of doing it.

Thanks.

-- 
Thomas Hummel 	    | Institut Pasteur
<hummel at pasteur.fr> | Groupe Exploitation et Infrastructure

Steffen Kaiser

2015-Jan-09 08:00 UTC

head link

auth-deny : from file to LDAP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 8 Jan 2015, Thomas HUMMEL wrote:> On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel at pasteur.fr wrote:
>> Hello Timo,
>
>> a) should I
>>
>>  . change the driver of the first passdb from passwd-file to ldap
>>  . for user to be rejected, add an LDAP attribute named "foo"
with a value of "yes" and map it with something like this :
>>
>>   pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
>>
>
> This doesn't seem to work but maybe am I misunderstanding the logic :
>
> I thought that in the passdb{} section of auth-deny.conf.ext, you could
comment
> "deny = yes" as long as the passdb returned an extra_field mapped
on "deny"
> with the value of "yes" for users you'd want to deny access
to: is that the
> case ?
>
> Maybe it's just something like : "if user is found in passdb but
"deny > yes" is not stated in the passdb{} section, then access is
granted ?
>
The deny=yes is a special syntax: If this passdb matches -> deny, there is 
no ExtraField "deny".
>> b) or could I use only one ldap passdb by changing the pass_filter
>>
>> from
>>
>>   pass_filter = (&(objectClass=posixAccount)(uid=%u))
>>
>> to something like
>>
>>   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
>>
>
> This is working but I don't know if this is the recommended way of
doing it.
Actually I use "(!(deniedService=%Ls))", but keep in mind that you do
not
"deny" an user knowingly, but that this user is not found. The
semantic is
different.

What you could try - I do not remember anybody posting something like this 
- - is to combine a ldap passdb with deny=yes. The doc 
http://wiki2.dovecot.org/PasswordDatabase does not restrict the deny=yes 
to just passwd-file, hence, if you create yet another LDAP conf file that 
matches only denied users and write:

passdb {
   driver = ldap

   args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext

   deny = yes
}


- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEVAwUBVK+Ktnz1H7kL/d9rAQJo7wgAmDYddi3TShOOiOhcFYrM3YN9T3OaMex7
EU9BKMIn2l8DcPBixWSemwDpOsiprzKgMa0hqxVK9jXT0a5FaQaJqo/l0u7/x5uB
EPEw71baztB1YPwiyyU2HLL5CIBVdWaXlMNtQyKoh14GWiMgdJaTcvM9nZGteaYJ
qAxPD3zifcpZRoU2L2TpMJRyMVdnAgm8p90hulCEXOGY3QNxzKa6BEUuZsZTrV/e
quqwDWYxe1Mkng36lz4K2bh5xB6NVsbyq0OzdhfJe5RODCVu0dptHn8KJPMvgB5a
2qYPraXoenNr6NBNfUvFGD+x+rjse3SB5AoKiO5KZRS3XelOIECiRA==ztWz
-----END PGP SIGNATURE-----

Reasonably Related Threads

Search for more maybe matching threads

dovecot - Jan 2015 - auth-deny : from file to LDAP

auth-deny : from file to LDAP

auth-deny : from file to LDAP

auth-deny : from file to LDAP

Reasonably Related Threads