Malte Schmidt
2017-Jun-06 11:01 UTC
Which allowed services can be defined (imap, pop3, etc.)
Hello,

I am using Dovecot with an LDAP-backend for authentication. According to the documentation at https://wiki.dovecot.org/Authentication/RestrictAccess with LDAP and "pass_filter" it is possible to filter allowed services for the user with:

pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))

That's pretty cool. Now, in the LDAP-settings I created corresponding fields (service) and added the allowed services to these fields (imap, pop3, etc.). After that change, certain services were not available to that user anymore. So it seems that more services are there and after explicitly setting the services which are allowed, the other, not mentioned services stop working.

Now two questions:

Is there any documented, full-featured list of the services that can be added?

Is it possible to "flip" that setting so it's not allowing certain services but denying the ones that are added to the "service"-fields?

Cheers
Steffen Kaiser
2017-Jun-06 13:18 UTC
Which allowed services can be defined (imap, pop3, etc.)
On Tue, 6 Jun 2017, Malte Schmidt wrote:

> pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))
>
> That's pretty cool. Now, in the LDAP-settings I created corresponding
> fields (service) and added the allowed services to these fields (imap,
> pop3, etc.).
> After that change, certain services were not available to that user
> anymore. So it seems that more services are there and after explicitly
> setting the services which are allowed, the other, not mentioned
> services stop working.

> Is it possible to "flip" that setting so it's not allowing certain
> services but denying the ones that are added to the "service"-fields?

(!(service=%s))

or better name this attribute

deniedService

--
Steffen Kaiser
Malte Schmidt
2017-Jun-08 04:28 UTC
Which allowed services can be defined (imap, pop3, etc.)
On 06/06/2017 03:18 PM, Steffen Kaiser wrote:

> (!(service=%s))
>
> or better name this attribute
>
> deniedService

Thanks, this is quite helpful already. Regarding the other question about all the services that can be used there, I tried to grep the source code for certain keywords but could not really find anything useful with "service", "services" and some service names (e.g. "imap", "smtp", "pop").
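
Added example, not part of the thread and not Dovecot code: a small evaluator for the two filter styles discussed above, run over constructed LDAP entries, showing that the allow-list filter denies any service not listed while the negated filter admits every user who has no deny attribute. The combined DENY filter, the deniedService attribute placement, the entries and the three service names are assumptions for illustration.

```python
# Minimal LDAP filter evaluator: AND, OR, NOT and equality only.
# Simplification: exact string comparison, no wildcards or matching rules.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    assert f[i] == "("
    op = f[i + 1]
    if op in "&|!":
        i += 2
        kids = []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        assert f[i] == ")"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def match(node, entry):
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])  # absent attribute never matches
    results = [match(kid, entry) for kid in node[1]]
    if node[0] == "&":
        return all(results)
    if node[0] == "|":
        return any(results)
    return not results[0]                         # "!" negates its single child

def allowed(template, entry, user, service):
    """Expand %u and %s as pass_filter does, then test one entry."""
    flt = template.replace("%u", user).replace("%s", service)
    return match(parse(flt)[0], entry)

ALLOW = "(&(objectClass=posixAccount)(uid=%u)(service=%s))"         # from the thread
DENY = "(&(objectClass=posixAccount)(uid=%u)(!(deniedService=%s)))"  # assumed combination

SERVICES = ("imap", "pop3", "smtp")  # constructed sample values
ENTRIES = {                          # constructed sample entries
    "alice": {"objectClass": ["posixAccount"], "uid": ["alice"], "service": ["imap", "pop3"]},
    "bob": {"objectClass": ["posixAccount"], "uid": ["bob"], "deniedService": ["pop3"]},
    "carol": {"objectClass": ["posixAccount"], "uid": ["carol"]},
}

def matrix(template):
    """Map each user to the list of services the filter lets through."""
    return {u: [s for s in SERVICES if allowed(template, e, u, s)]
            for u, e in ENTRIES.items()}

if __name__ == "__main__":
    print("allow-list:", matrix(ALLOW))
    print("deny-list: ", matrix(DENY))
```

With the allow-list filter an entry without the attribute matches nothing, so access fails closed; with the negated filter the same entry matches every service, so any account that was never given a deniedService value is open to all of them.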