[Dovecot] auth_bind_userdn patch -> logging with ldap and other sources
Geff
boing at boing.com
Sat Jan 7 21:10:28 EET 2006
Quoting Timo Sirainen <tss at iki.fi>:
>> Jan 6 17:48:08 kusanagi dovecot: imap-login: Login:
>> user=<cn=boing,ou=people,o=boing>, method=PLAIN, rip=127.0.0.1,
>> lip=127.0.0.1, secured
>
> If you make LDAP's userdb query return the DN as "user", and also make
> sure that you're not using %u in default_mail_env, you could have that.
>
> I'm not sure if I'd want to make a separate "log-user" variable to
> confuse things..
From a security perspective audit logs or access control mechanisms
have what's called SRA or subject resource action. So in the simple
case of a website that's as follows:
subject: user, also called user principal.
resource: host + url + query string
action: get (post, etc)
Or in the case of mail:
subject: user
resource: mail file
action: read / login / search / select.
However it seems that we have two subjects. We have one for the passdb
and one for the userdb. On my setup the passdb's subject is
theoretically the ldap dn and the userdb's subject is the /etc/passwd
getpwnam type unix account. So we really have two subjects that need
to be logged in general unless they match, of course. Yeah, that can be
messy, but perhaps worse not to know about both principals in the event
of a security incident.
Just food for thought.
Geff
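As an added illustration (not part of Geff's message and not Dovecot's own code): a small Python routine that parses imap-login lines in the shape quoted in the thread and emits an audit record in subject/resource/action form that carries both principals, the passdb subject exactly as logged in user=<...> and the userdb subject it resolves to, flagging the record when the two differ. The USERDB mapping (a stand-in for the userdb lookup), the AuditRecord layout and the sample log lines are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines, shaped like the imap-login line quoted in the
# thread (user=<...> carries whatever the passdb returned as the user name).
SAMPLE_LINES = [
    "Jan 6 17:48:08 kusanagi dovecot: imap-login: Login: "
    "user=<cn=boing,ou=people,o=boing>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured",
    "Jan 6 17:49:12 kusanagi dovecot: imap-login: Login: "
    "user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS",
    "Jan 6 17:50:01 kusanagi dovecot: imap-login: Login: "
    "user=<cn=mallory,ou=people,o=boing>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1",
]

# Hypothetical stand-in for the userdb: maps the passdb subject (here an LDAP
# DN) to the unix account the userdb would resolve it to. Not Dovecot's API.
USERDB: Dict[str, str] = {
    "cn=boing,ou=people,o=boing": "boing",
    "alice": "alice",
}

# Syslog timestamp, host, "dovecot: <service>: Login: user=<...>", then the
# comma-separated attributes. The user is matched up to the closing '>' so a
# DN containing commas does not break the attribute split that follows.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: "
    r"(?P<service>[\w-]+): Login: user=<(?P<user>[^>]*)>(?:, (?P<rest>.*))?$"
)


@dataclass
class AuditRecord:
    timestamp: str
    host: str
    action: str                    # what was done
    passdb_subject: str            # identity the passdb authenticated
    userdb_subject: Optional[str]  # identity the userdb resolved it to, if known
    resource: str                  # what it was done to (the service endpoint at login time)
    attributes: Dict[str, object] = field(default_factory=dict)

    @property
    def subject_mismatch(self) -> bool:
        """True when both principals are known and they differ."""
        return self.userdb_subject is not None and self.userdb_subject != self.passdb_subject


def parse_attributes(rest: Optional[str]) -> Dict[str, object]:
    """Split 'method=PLAIN, rip=..., secured' into key=value pairs plus bare flags."""
    attrs: Dict[str, object] = {"flags": []}
    if not rest:
        return attrs
    for item in rest.split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
        else:
            attrs["flags"].append(item)  # bare words such as "secured" or "TLS"
    return attrs


def build_record(line: str, userdb: Dict[str, str]) -> Optional[AuditRecord]:
    """Turn one login line into an SRA record; None if the line is not a login."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    attrs = parse_attributes(m.group("rest"))
    passdb_subject = m.group("user")
    return AuditRecord(
        timestamp=m.group("ts"),
        host=m.group("host"),
        action="login",
        passdb_subject=passdb_subject,
        userdb_subject=userdb.get(passdb_subject),  # None when the userdb has no entry
        resource=f"{m.group('service')}@{attrs.get('lip', '?')}",
        attributes=attrs,
    )


def format_record(rec: AuditRecord) -> str:
    """Render one key=value audit line that names both subjects explicitly."""
    flags = ",".join(rec.attributes.get("flags", [])) or "-"
    userdb = rec.userdb_subject if rec.userdb_subject is not None else "UNKNOWN"
    return (
        f"ts={rec.timestamp} host={rec.host} action={rec.action} "
        f"passdb_subject=<{rec.passdb_subject}> userdb_subject=<{userdb}> "
        f"resource={rec.resource} method={rec.attributes.get('method', '-')} "
        f"rip={rec.attributes.get('rip', '-')} flags={flags} "
        f"subject_mismatch={'yes' if rec.subject_mismatch else 'no'}"
    )


def process(lines: List[str], userdb: Dict[str, str]) -> List[str]:
    """Audit lines for every parseable login; non-login lines are skipped."""
    records = (build_record(line, userdb) for line in lines)
    return [format_record(rec) for rec in records if rec is not None]


if __name__ == "__main__":
    for audit_line in process(SAMPLE_LINES, USERDB):
        print(audit_line)
```

The record keeps the passdb subject verbatim rather than replacing it with the unix account, so a later investigation can see both the DN that was bound against and the account whose mail files were opened; a record whose userdb subject is unknown is still emitted, marked UNKNOWN, rather than dropped.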