Hello,
I'm playing with allow_nets function. It is really cool!
In a file-based passwd backend you simply add
"allow_nets=192.0.2.143/32"
as mentioned in http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
But if I use an LDAP backend it looks different.
Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds and
http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb#Attribute_templates_.28v2.1.29
my pass_attrs looks like this:
pass_attrs = =user=%{ldap:uid}, \
=allow_nets=%{ldap:allownets}
Using this syntax I could add an attribute "allownets" in the LDAP server
to limit access for a user.
A problem occurs if the attribute is not present, for example if a user
should not be limited at all, or if only some but not all users should be limited.
So I extended my pass_attrs with a default.
pass_attrs = =user=%{ldap:uid}, \
=allow_nets=%{ldap:allownets:10.0.0.0/8}
Again, that's fine. Every user was allowed to connect from my private network.
But then some users connected via IPv6. I tried to extend my default to
pass_attrs = =user=%{ldap:uid}, \
=allow_nets=%{ldap:allownets:10.0.0.0/8,fec0::/16}
That syntax, a comma-separated list, produces errors regardless of whether I
quote it with " or ' or don't quote it at all.
So I looked at the source (thanks, it's open!) and wrote a little patch to
allow simple defaults:
- ALL -> allow any address
- NONE -> deny any address
Now I could write
pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:ALL}
or
pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:NONE}
to allow or deny any LDAP account that does not have an allownets attribute.
Maybe there are other solutions, but that's my way...
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: allow_nets_defaults.patch
Type: text/x-diff
Size: 786 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20140125/006227c7/attachment-0001.bin>
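As an added illustration of the decision described in the post above, the following Python models an allow_nets check: it takes the per-user attribute value (or None when the LDAP entry has no allownets attribute), falls back to whatever default the %{ldap:allownets:DEFAULT} template would supply, accepts a comma-separated list of IPv4 and IPv6 networks, and honours the ALL/NONE keywords the poster proposes in the attached patch. This is example code written here, not Dovecot's own implementation and not the attached patch; the user table, the function names and the handling of IPv4-mapped IPv6 client addresses are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Union

# Keywords mirroring the ALL/NONE defaults proposed in the post. They are the
# poster's suggested extension, not stock Dovecot allow_nets syntax.
ALLOW_ALL = "ALL"
ALLOW_NONE = "NONE"

Networks = Union[str, List[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]]


def parse_allow_nets(value: str) -> Networks:
    """Turn an allow_nets string such as "10.0.0.0/8,fec0::/16" into networks.

    The ALL/NONE keywords are returned unchanged; anything else is split on
    commas and parsed as CIDR. A malformed entry raises ValueError so that a
    typo in the directory data fails closed rather than quietly allowing access.
    """
    value = value.strip()
    if value in (ALLOW_ALL, ALLOW_NONE):
        return value
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False tolerates host bits in the prefix, e.g. "10.1.2.3/8".
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _normalize_client(client_ip: str):
    """Parse the client address; map ::ffff:a.b.c.d back to plain IPv4.

    Assumption for this example: an IPv4 client reaching a dual-stack listener
    may be reported as an IPv4-mapped IPv6 address and should still match the
    IPv4 networks in the list.
    """
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_client_allowed(allow_nets: Optional[str], client_ip: str,
                      default: str = ALLOW_NONE) -> bool:
    """Decide whether client_ip passes the allow_nets check for one user.

    allow_nets is the attribute value from the passdb lookup, or None when the
    attribute is absent; default plays the role of the template default in
    %{ldap:allownets:DEFAULT}. The default here is NONE, i.e. fail closed.
    """
    effective = allow_nets if allow_nets is not None else default
    parsed = parse_allow_nets(effective)
    if parsed == ALLOW_ALL:
        return True
    if parsed == ALLOW_NONE or not parsed:
        # NONE, or an attribute that is present but empty: deny.
        return False
    client = _normalize_client(client_ip)
    # ipaddress returns False for a version mismatch, so IPv4 clients never
    # accidentally match IPv6 networks and vice versa.
    return any(client in net for net in parsed)


# Constructed sample of what a passdb lookup might hand back (not real LDAP data).
SAMPLE_USERS = {
    "alice": "192.0.2.143/32",       # pinned to a single address
    "bob": "10.0.0.0/8,fec0::/16",   # the comma-separated list from the post
    "carol": None,                   # entry has no allownets attribute at all
}


def check_user(user: str, client_ip: str, default: str = ALLOW_NONE) -> bool:
    """Look the user up in the sample table and run the allow_nets check."""
    return is_client_allowed(SAMPLE_USERS.get(user), client_ip, default)


if __name__ == "__main__":
    for user, ip, default in [("alice", "192.0.2.143", ALLOW_NONE),
                              ("bob", "fec0::1", ALLOW_NONE),
                              ("carol", "10.1.2.3", ALLOW_NONE),
                              ("carol", "10.1.2.3", ALLOW_ALL)]:
        print(f"{user:6} from {ip:14} default={default:5} -> {check_user(user, ip, default)}")
```

The point to take away for an LDAP deployment is the fail-closed default: with default=NONE an account that simply lacks the attribute is refused, and with default=ALL it is admitted from anywhere, which is exactly the choice the poster's ALL/NONE keywords make explicit in the config instead of leaving it to whatever an absent attribute happens to expand to.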