Hello,
I'm playing with allow_nets function. It is really cool! In a filebased passwd backend you simply add "allow_nets=192.0.2.143/32" as mentioned in http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
But if I use an LDAP backend it looks different. Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds and http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb#Attribute_templates_.28v2.... my pass_attrs looks this:
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets}
Using this syntax I could add an attribute "allownets" in the ldapserver to limit access for a user.
A problem occour if the attribute is not present. For example if a user should not be limited or only some but not any user should be limited. So I extend my pass_attrs with a default.
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets:10.0.0.0/8}
Again, that's fine. Any user was allowed to connect from my private network. But then some users connect via ipv6. I tried to extend my default to
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets:10.0.0.0/8,fec0::/16}
That syntax, a comma separated list, produces errors no matter if quoting using " or ' or no quoting at all.
So I looked at the source (thanks, it's open!) and wrote a little patch to allow simple defaults:
- ALL -> allow any address
- NONE -> deny any address
Now I could write pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:ALL} or pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:NONE} to allow or deny any ldap account not having an attribute allownets.
Maybe there are other solutions, but that's my way...
Andreas