On Fri, 9 Jan 2015, Thomas HUMMEL wrote:

> On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
>> The deny=yes is a special syntax: if this passdb matches -> deny; there is no ExtraField "deny".
>
> Thanks for your answer. That's what I thought after my tests. This explains why I was still able to log in...
>
>> But keep in mind that you do not "deny" a user knowingly, but that this user is not found. The semantics are different.
>
> I know, I thought about that. But still, what could be the unwanted side effects?

The logs contain different entries. Denied users show up as failed login attempts, and you might have a log analyzer running that acts on that security breach.

Also, later you might add another passdb, which could succeed on that user, who is denied in LDAP.

>> What you could try - I do not remember anybody posting something like this - is to combine an LDAP passdb with deny=yes.
>
> I thought about that too, but that would mean setting up another LDAP directory, which I find a little bit overkill.

You need no 2nd LDAP directory, but another configuration file with another LDAP search filter that hits denied users only. This could be implemented by a new attribute. You will gain the log information about the denied user.
Steffen Kaiser
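The setup Steffen describes (a second LDAP passdb pointing at the same directory, with a filter that only matches flagged users, marked deny=yes) as an added configuration example. This is not code from the thread or from the Dovecot project; the attribute name `mailAccessDenied`, the file paths, the LDAP host and the base DN are assumptions, and the example uses Dovecot 2.x configuration syntax.

```conf
# /etc/dovecot/conf.d/10-auth.conf  (added example; file layout assumed)
#
# Order matters: the deny passdb is consulted first. If its LDAP filter
# finds the user, authentication fails right there and the log shows a
# denied user rather than an unknown one. If it does not find the user,
# Dovecot falls through to the next passdb.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-deny.conf.ext
  deny = yes
}

# The normal LDAP passdb, reached only when the deny passdb did not match.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap-deny.conf.ext  (added example)
#
# Same directory and bind credentials as the main LDAP passdb; only the
# search filter differs. "mailAccessDenied" is an assumed attribute name,
# standing in for the "new attribute" the thread mentions; use whatever
# your schema provides for the deny flag.
hosts = ldap.example.com
dn = cn=dovecot,ou=services,dc=example,dc=com
dnpass = CHANGEME
base = ou=people,dc=example,dc=com
scope = subtree
# Only a user whose deny flag is set matches here. A user without the
# flag is "not found" in this passdb and continues to the next one.
pass_filter = (&(objectClass=posixAccount)(uid=%u)(mailAccessDenied=TRUE))
```

Keep the deny passdb's filter strictly narrower than the main passdb's filter: if the deny filter ever matched users who are not flagged, those users would be locked out, and if it matched nobody (for example because the attribute is absent from the schema), every login would silently fall through to the normal passdb exactly as before. Checking both cases with `doveadm auth test` before rolling out is worthwhile, and the second point Steffen raises still applies: any passdb added after these two must also honour the flag, or a flagged user may authenticate through it.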