Re: under some kind of attack
As per my post: checkpassword. You can then use one password on Mondays, Wednesdays, and Fridays, alternate passwords on Tuesdays and Thursdays fetched from a rot-13 database, and only from prime-numbered IP addresses on weekends, if that's what you want.
Having read the wiki page on checkpassword, I am unsure how this would work with an ldap backend.
Could you elaborate on that?
You are essentially writing your own backend by taking over authentication. You'll be accepting user/password inputs into your checkpassword executable, then use the LDAP API (or some other system that will do it for you) to authenticate. (You can Google around for code snippets.) You'll have direct control over all aspects of authentication (if/when/where/etc) that a generic backend can't provide.
You can choose to implement it as a shell/PERL/etc. script, or compile an executable from C sources. It's more work, but if you need to do everything on your wish list, I can't see any easier option.
One of the drawbacks is that a working password depends on both time and source address, which will adversely affect performance on a busy server as authentication data cannot be cached.
Joseph Tam <jtam.home@gmail.com>
Hi Joseph
On 07/24/2017 04:51 AM, Joseph Tam wrote:
> You are essentially writing your own backend by taking over
> authentication. You'll be accepting user/password inputs into your checkpassword executable, then use the LDAP API (or some other system...snip and source address, which will adversely affect performance on a busy server as authentication data cannot be cached.
While this sounds awesome, it can do much more than what I was/am after, and appears a lot more complicated to set up than what I had figured myself.
Shouldn't I be able to do something like this:
passdb {
  driver = passwd-file
  # application specific passwd-file should work from anywhere
  # (so: no allow_nets)
  args = /etc/dovecot/dovecot-application-specific
}

passdb {
  # only allowed to use this from within local 192.168.1.0/24
  args = /etc/dovecot/dovecot-ldap.conf.ext
  allow_nets=192.168.1.0/24
  driver = ldap
}
Where I would generate lines in dovecot-application-specific using a script or some webpage, and generate lines like:
username1:randomONE:vmail:vmail::/var/vmail/username1:
username1:randomTWO:vmail:vmail::/var/vmail/username1:
username2:randomTHREE:vmail:vmail::/var/vmail/username2:
username2:randomFOUR:vmail:vmail::/var/vmail/username2:
And the result would be: username1 can login from anywhere, using passwords "randomONE" & "randomTWO", plus the password in ldap when coming from the internal network.
We have only one domain, one 'set of users', one ldap database.
In my tests, I can't get the allow_nets to work, so I'm doing something wrong. Can anyone point out what is wrong with the above logic?
Or perhaps convert the above pseudo-conf into *real* dovecot.conf?
MJ
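A checkpassword backend implementing the policy MJ describes (application-specific passwords accepted from anywhere, the LDAP password only from 192.168.1.0/24), as an added example that is not code from the thread or from Dovecot. The LDAP URI and DN layout are assumptions, the password table is constructed, and python-ldap is assumed for the bind.

```python
# Hypothetical Dovecot checkpassword backend (added example, not from the thread).
# Dovecot runs it with the checkpassword-reply binary as argv[1], writes "user\0password\0"
# to fd 3 and exports TCPREMOTEIP; it execs argv[1] on success, exits 1 on bad credentials, 111 on error.
import hashlib, hmac, ipaddress, os, sys
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # network from the thread
LDAP_URI, USER_DN = "ldap://ldap.example.com", "uid={user},ou=people,dc=example,dc=com"  # assumed
def hash_pw(password, salt):  # salted SHA-256 as 'salt$hex': store hashes, not plaintext
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()
# Constructed sample of the thread's app passwords, hashed; in production read a root-only file.
APP_PASSWORDS = {"username1": [hash_pw("randomONE", "a1"), hash_pw("randomTWO", "b2")],
                 "username2": [hash_pw("randomTHREE", "c3"), hash_pw("randomFOUR", "d4")]}

def app_password_ok(user, password):  # constant-time check of every stored hash, no early exit
    ok = False
    for stored in APP_PASSWORDS.get(user, []):
        ok |= hmac.compare_digest(stored, hash_pw(password, stored.split("$", 1)[0]))
    return ok

def ldap_bind_check(user, password):  # simple bind as the user via python-ldap (lazy import)
    if not password:  # an empty password is an anonymous bind, which would 'succeed'
        return False
    import ldap, ldap.dn
    try:
        dn = USER_DN.format(user=ldap.dn.escape_dn_chars(user))  # escape so user can't alter the DN
        ldap.initialize(LDAP_URI).simple_bind_s(dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False  # other LDAPErrors propagate and become exit 111 in main()

def decide(user, password, remote_ip, ldap_check=ldap_bind_check):
    """The thread's policy: app passwords work from anywhere, LDAP only from inside."""
    if app_password_ok(user, password):
        return True
    if remote_ip and ipaddress.ip_address(remote_ip) in INTERNAL_NET:
        return ldap_check(user, password)
    return False

def main():
    try:
        user, password = (f.decode() for f in os.fdopen(3, "rb").read().split(b"\0")[:2])
        ok = decide(user, password, os.environ.get("TCPREMOTEIP"))
    except Exception:
        sys.exit(111)  # malformed input or LDAP error: temporary failure, not "wrong password"
    if not ok:
        sys.exit(1)
    os.execve(sys.argv[1], [sys.argv[1]], dict(os.environ, USER=user, HOME="/var/vmail/" + user,
              userdb_uid="vmail", userdb_gid="vmail", EXTRA="userdb_uid userdb_gid"))

if __name__ == "__main__":
    main()
```

Point `passdb { driver = checkpassword; args = /path/to/this-script }` at it; because the verdict depends on the client address, Dovecot cannot cache these results, which is the performance cost Joseph mentions.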
participants (2)
- Joseph Tam
- mourik jan c heupink