-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 8 Jan 2015, Thomas HUMMEL wrote:
On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel@pasteur.fr wrote:
Hello Timo,
a) should I
. change the driver of the first passdb from passwd-file to ldap . for user to be rejected, add an LDAP attribute named "foo" with a value of "yes" and map it with something like this :
pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
This doesn't seem to work but maybe am I misunderstanding the logic :
I thought that in the passdb{} section of auth-deny.conf.ext, you could comment "deny = yes" as long as the passdb returned an extra_field mapped on "deny" with the value of "yes" for users you'd want to deny access to: is that the case ?
Maybe it's just something like : "if user is found in passdb but "deny = yes" is not stated in the passdb{} section, then access is granted ?
The deny=yes is a special syntax: If this passdb matches -> deny, there is no ExtraField "deny".
b) or could I use only one ldap passdb by changing the pass_filter
from
pass_filter = (&(objectClass=posixAccount)(uid=%u))
to something like
pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
This is working but I don't know if this is the recommended way of doing it.
Actually I use "(!(deniedService=%Ls))", but keep in mind that you do not "deny" an user knowingly, but that this user is not found. The semantic is different.
What you could try - I do not remember anybody posting something like this passdb {
- is to combine a ldap passdb with deny=yes. The doc http://wiki2.dovecot.org/PasswordDatabase does not restrict the deny=yes to just passwd-file, hence, if you create yet another LDAP conf file that matches only denied users and write:
driver = ldap
args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext
deny = yes }
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQEVAwUBVK+Ktnz1H7kL/d9rAQJo7wgAmDYddi3TShOOiOhcFYrM3YN9T3OaMex7 EU9BKMIn2l8DcPBixWSemwDpOsiprzKgMa0hqxVK9jXT0a5FaQaJqo/l0u7/x5uB EPEw71baztB1YPwiyyU2HLL5CIBVdWaXlMNtQyKoh14GWiMgdJaTcvM9nZGteaYJ qAxPD3zifcpZRoU2L2TpMJRyMVdnAgm8p90hulCEXOGY3QNxzKa6BEUuZsZTrV/e quqwDWYxe1Mkng36lz4K2bh5xB6NVsbyq0OzdhfJe5RODCVu0dptHn8KJPMvgB5a 2qYPraXoenNr6NBNfUvFGD+x+rjse3SB5AoKiO5KZRS3XelOIECiRA== =ztWz -----END PGP SIGNATURE-----