[Dovecot] auth_bind_userdn patch -> logging with ldap and other sources

7 Jan 2006


      Quoting Timo Sirainen tss@iki.fi:
...
...
Jan  6 17:48:08 kusanagi dovecot: imap-login: Login:
user=, method=PLAIN, rip=127.0.0.1,
lip=127.0.0.1, secured
If you make LDAP's userdb query return the DN as "user", and also make
sure that you're not using %u in default_mail_env, you could have that.
I'm not sure if I'd want to make a separate "log-user" variable to
confuse things..
From a security perspective audit logs or access control mechanisms
have what's called SRA or subject resource action.  So in the simple
case of a website that's as follows:
subject:  user, also called user princple.
resource:  host + url + query string
action:  get (post, etc)
Or in the case of mail:
subject: user
resource:  mail file
action:  read / login / search / select.
However it seems that we have two subjects.  We have one for the passdb
and one of the userdb.  On my setup the passdb's subject is
theoretically the ldap dn and the userdb's subject is the /etc/passwd
getpwnam type unix account.  So we really have two subjects that need
to be logged in general unless they match of course.  Yeah that can be
messy, but perhaps worse not to know about both principles in the event
of a security incident.
Just food for thought.
Geff