Which allowed services can be defined (imap, pop3, etc.)
Hello,
I am using Dovecot with an LDAP-backend for authentication.
According to the documentation at https://wiki.dovecot.org/Authentication/RestrictAccess with LDAP and "pass_filter" it is possible to filter allowed services for the user with:
pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))
That's pretty cool. Now, in the LDAP-settings I created corresponding fields (service) and added the allowed services to these fields (imap, pop3, etc.). After that change, certain services were not available to that user anymore. So it seems that more services are there and after explicitly setting the services which are allowed, the other, not mentioned services stop working.
Now two questions:
Is there any documented, full-featured list of the services that can be added?
Is it possible to "flip" that setting so it's not allowing certain services but denying the ones that are added to the "service"-fields?
Cheers
On Tue, 6 Jun 2017, Malte Schmidt wrote:
> pass_filter = (&(objectClass=posixAccount)(uid=%u)(service=%s))
> That's pretty cool. Now, in the LDAP-settings I created corresponding fields (service) and added the allowed services to these fields (imap, pop3, etc.). After that change, certain services were not available to that user anymore. So it seems that more services are there and after explicitly setting the services which are allowed, the other, not mentioned services stop working.
> Is it possible to "flip" that setting so it's not allowing certain services but denying the ones that are added to the "service"-fields?
(!(service=%s))
or better name this attribute
deniedService
Steffen Kaiser
On 06/06/2017 03:18 PM, Steffen Kaiser wrote:
> (!(service=%s))
> or better name this attribute
> deniedService
Thanks, this is quite helpful already.
Regarding the other question about all the services that can be used there, I tried to grep the source code for certain keywords but could not really find anything useful with "service", "services" and some service names (e. g. "imap", "smtp", "pop").
On Thu, 8 Jun 2017, Malte Schmidt wrote:
> On 06/06/2017 03:18 PM, Steffen Kaiser wrote:
>> (!(service=%s))
>> or better name this attribute
>> deniedService
> Thanks, this is quite helpful already.
> Regarding the other question about all the services that can be used there, I tried to grep the source code for certain keywords but could not really find anything useful with "service", "services" and some service names (e. g. "imap", "smtp", "pop").
I guess, there is no complete list, because it will grow. Furthermore:
https://wiki.dovecot.org/Design/AuthProtocol?highlight=(service)
Everybody can use the Dovecot Auth service with self-created service names.
Steffen Kaiser
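Added example, not part of the thread and not Dovecot code: a small Python evaluator for the two filter styles discussed above, run against a constructed LDAP entry. It shows that the allow-list filter rejects every service name not stored on the entry, while the negated filter admits every name that is not listed, including self-created ones. The combined deny filter, the user `malte` and the service name `my-webmail` are assumptions.

```python
# Added illustration: evaluates the thread's two pass_filter styles offline.
# Simplified exact-match semantics; entry, user and "my-webmail" are constructed.

def parse(f, i=0):
    """Parse the (&...), (!...), (attr=value) subset of LDAP filter syntax."""
    assert f[i] == "("
    if f[i + 1] in "&!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1           # skip the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in entry.get(attr, [])    # multi-valued attribute match

def login_allowed(template, entry, user, service):
    """Expand %u (user) and %s (service) in the filter, then evaluate it."""
    flt = template.replace("%u", user).replace("%s", service)
    return matches(parse(flt)[0], entry)

ALLOW = "(&(objectClass=posixAccount)(uid=%u)(service=%s))"
# The negated term from the reply, placed in the same filter. Combining it
# this way and using the suggested attribute name are assumptions.
DENY = "(&(objectClass=posixAccount)(uid=%u)(!(deniedService=%s)))"

ENTRY = {  # constructed LDAP entry
    "objectClass": ["posixAccount"],
    "uid": ["malte"],
    "service": ["imap"],
    "deniedService": ["pop3"],
}

def decisions(template):
    names = ["imap", "pop3", "smtp", "my-webmail"]
    return {s: login_allowed(template, ENTRY, "malte", s) for s in names}

if __name__ == "__main__":
    print("allow-list:", decisions(ALLOW))
    print("deny-list: ", decisions(DENY))
```

With the deny form, any service name added later or invented by a client of the auth service is accepted until it is explicitly listed, so the allow form is the one that fails closed.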