On Thu, 8 Jan 2015, Thomas HUMMEL wrote:

> On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel at pasteur.fr wrote:
>> Hello Timo,
>
>> a) should I
>>
>> . change the driver of the first passdb from passwd-file to ldap
>> . for user to be rejected, add an LDAP attribute named "foo" with a value of "yes" and map it with something like this:
>>
>> pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
>>
>
> This doesn't seem to work but maybe I am misunderstanding the logic:
>
> I thought that in the passdb{} section of auth-deny.conf.ext, you could comment
> "deny = yes" as long as the passdb returned an extra_field mapped on "deny"
> with the value of "yes" for users you'd want to deny access to: is that the
> case?
>
> Maybe it's just something like: "if user is found in passdb but "deny
> yes" is not stated in the passdb{} section, then access is granted"?
>

The deny=yes is a special syntax: If this passdb matches -> deny, there is no ExtraField "deny".

>> b) or could I use only one ldap passdb by changing the pass_filter
>>
>> from
>>
>> pass_filter = (&(objectClass=posixAccount)(uid=%u))
>>
>> to something like
>>
>> pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
>>
>
> This is working but I don't know if this is the recommended way of doing it.

Actually I use "(!(deniedService=%Ls))", but keep in mind that you do not "deny" a user knowingly, but that this user is not found. The semantic is different. What you could try - I do not remember anybody posting something like this - is to combine a ldap passdb with deny=yes.
The doc http://wiki2.dovecot.org/PasswordDatabase does not restrict the deny=yes to just passwd-file, hence, if you create yet another LDAP conf file that matches only denied users and write:

    passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext
      deny = yes
    }

-- 
Steffen Kaiser
On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:

> The deny=yes is a special syntax: If this passdb matches -> deny, there is
> no ExtraField "deny".

Thanks for your answer. That's what I thought after my tests. This explains why I was still able to log in...

> but keep in mind that you do not "deny" a user knowingly, but that this user
> is not found. The semantic is different.

I know, I thought about that. But still what could be the unwanted side effects?

> What you could try - I do not remember anybody posting something like this -
> is to combine a ldap passdb with deny=yes.

I thought about that too, but that would mean setting up another LDAP directory, which I find a little bit overkill.

Thanks.

-- 
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Groupe Exploitation et Infrastructure
On Fri, 9 Jan 2015, Thomas HUMMEL wrote:

> On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
>
>> The deny=yes is a special syntax: If this passdb matches -> deny, there is
>> no ExtraField "deny".
>
> Thanks for your answer. That's what I thought after my tests. This explains why
> I was still able to log in...
>
>> but keep in mind that you do not "deny" a user knowingly, but that this user
>> is not found. The semantic is different.
>
> I know, I thought about that. But still what could be the unwanted side effects?

The logs contain different entries. Denied users show up as failed login attempts, and you might have a log analyzer running that acts on that security breach. Also, later you might add another passdb, which could succeed on that user, who is denied in LDAP.

>> What you could try - I do not remember anybody posting something like this -
>> is to combine a ldap passdb with deny=yes.
>
> I thought about that too, but that would mean setting up another LDAP
> directory, which I find a little bit overkill.

You need no 2nd LDAP directory, but another configuration file with another LDAP search filter that hits denied users only. This could be implemented by a new attribute. You will gain the log information about the denied user.

-- 
Steffen Kaiser
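A concrete layout of the two-passdb setup Steffen describes, as an added example that is not from the thread or from the Dovecot project: one LDAP directory, two LDAP config files, where the deny passdb comes first and matches only entries carrying a marker attribute. The attribute name mailLoginDenied, the hostnames, the bind DN and its password are assumed placeholders.

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt)
# Passdbs are consulted in order. The deny passdb comes first: if its
# lookup finds the user, authentication fails right there with a
# "denied" result, so a later passdb cannot accidentally let the user in
# (the side effect Steffen warns about with the pure filter approach).
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext
  deny = yes
}

# Regular LDAP passdb for everyone else; its pass_filter stays the plain
# (&(objectClass=posixAccount)(uid=%u)) from the thread.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap_denied_users.conf.ext
# Same directory and base as the regular file; only the filter differs.
hosts = ldap.example.com                        # assumed placeholder
dn = cn=dovecot,ou=services,dc=example,dc=com   # assumed placeholder
dnpass = BIND_PASSWORD_PLACEHOLDER              # assumed placeholder
base = ou=people,dc=example,dc=com              # assumed placeholder
scope = subtree

# Hits ONLY accounts carrying the (assumed) marker attribute. Note the
# correct negation-free filter syntax: each component is parenthesised.
pass_filter = (&(objectClass=posixAccount)(uid=%u)(mailLoginDenied=TRUE))

# Assumption: for a deny=yes passdb, being found is what matters, so no
# password attribute is mapped here; only the username is returned.
pass_attrs = uid=user
```

With this layout a blocked account is logged by Dovecot as denied rather than as an unknown user or a failed password, which is the log distinction Steffen points to.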