[Dovecot] allow_nets + default + ldap
Hello,
I'm playing with the allow_nets function. It is really cool! In a file-based passwd backend you simply add "allow_nets=192.0.2.143/32" as mentioned in http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
But if I use an LDAP backend it looks different. Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds and http://wiki2.dovecot.org/AuthDatabase/LDAP/Userdb#Attribute_templates_.28v2.... my pass_attrs looks like this:
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets}
Using this syntax I could add an attribute "allownets" in the LDAP server to limit access for a user.
A problem occurs if the attribute is not present, for example if a user should not be limited, or only some but not all users should be limited. So I extended my pass_attrs with a default.
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets:10.0.0.0/8}
Again, that's fine. Any user was allowed to connect from my private network. But then some users connect via IPv6. I tried to extend my default to
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets:10.0.0.0/8,fec0::/16}
That syntax, a comma separated list, produces errors no matter if quoting using " or ' or no quoting at all.
So I looked at the source (thanks, it's open!) and wrote a little patch to allow simple defaults:
- ALL -> allow any address
- NONE -> deny any address
Now I could write pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:ALL} or pass_attrs = =user=%{ldap:uid}, =allow_nets=%{ldap:allownets:NONE} to allow or deny any ldap account not having an attribute allownets.
Maybe there are other solutions, but that's my way...
Andreas
Andreas Schulze: in January: http://dovecot.org/list/dovecot/2014-January/094606.html
Hello,
looks like there is only little interest in allow_nets + ldap :-/
I step forward to put this feature in our production environment. So I like to ask again if the patch may be included in dovecot and reviewed by an expert programmer.
Thanks, Andreas
On 20.5.2014, at 12.41, Andreas Schulze <sca@andreasschulze.de> wrote:
> Andreas Schulze: in January: http://dovecot.org/list/dovecot/2014-January/094606.html
> Hello,
> looks like there is only little interest on allow_nets + ldap :-/
> I step forward to put this feature in our production environment. So I like to ask again if the patch may be included in dovecot and reviewed be an expert programmer.
This looks scary, wouldn't it work without it? : request->failed = FALSE;
Also, don't these work already?
any = 0.0.0.0/0
none = 0.0.0.0/32
Or I'm not sure if the 0.0.0.0/0 matches IPv6, maybe that's a problem..
Also I don't really like to use uppercase values, strcasecmp() would be better I think.
Timo,
thanks for having a look at my message...
> This looks scary, wouldn't it work without it? : request->failed = FALSE;
I simply copied the logic from existing code in the same function.
> Also, don't these work already?
> any = 0.0.0.0/0
> none = 0.0.0.0/32
> Or I'm not sure if the 0.0.0.0/0 matches IPv6, maybe that's a problem..
Right, that's one problem as I remember. This is in my ldap.conf:
pass_filter = (uid=%Lu)
pass_attrs = =user=%{ldap:uid},
=allow_nets=%{ldap:allownets:ALL},
=userdb_uid=%{ldap:uidNumber:1000},
=userdb_gid=%{ldap:gidNumber:1000},
=userdb_home=%{ldap:homeDirectory:/mail/%Ln}
I have to declare a default value for "allow_nets" for accounts
without the LDAP attribute "allownets" specified.
0.0.0.0/0 will work, but the comma fails. Also an IPv6 address alone is impossible because of the ":".
For these reasons I came up with my patch solution. The other
possibility is to explicitly allow all requests
if the variable networks in
src/auth/auth-request.c/auth_request_validate_networks is empty.
> Also I don't really like to use uppercase values, strcasecmp() would
> be better I think.
There is no strong need for uppercase.
As I said, the solution may be not optimal.
Andreas
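To make the behaviour discussed in this thread concrete, here is a small added model (not Dovecot's own code) of how an allow_nets value resolved from an LDAP attribute with a default is checked against the client's address. The ALL/NONE tokens model the proposed patch, resolve_attr is a hypothetical stand-in for the %{ldap:attr:default} template, and the LDAP entries are constructed sample data.

```python
import ipaddress

# Constructed sample of what an LDAP lookup could return (not real data):
# only the first account carries the optional "allownets" attribute.
LDAP_ENTRIES = {
    "alice": {"uid": "alice", "allownets": "192.0.2.143/32"},
    "bob": {"uid": "bob"},
}

def resolve_attr(entry, attr, default):
    """Hypothetical stand-in for the %{ldap:attr:default} template:
    the attribute value if the entry has it, otherwise the default."""
    return entry.get(attr, default)

def parse_allow_nets(value):
    """Turn an allow_nets string into ('all' | 'none' | 'list', networks).
    ALL and NONE are the special defaults proposed in the thread, compared
    case-insensitively as suggested in the review."""
    token = value.strip()
    if token.lower() == "all":
        return "all", []
    if token.lower() == "none":
        return "none", []
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in token.split(",") if n.strip()]
    return "list", nets

def is_allowed(remote_ip, allow_nets):
    """True if a client at remote_ip may log in under this allow_nets value."""
    mode, nets = parse_allow_nets(allow_nets)
    if mode == "all":
        return True
    if mode == "none":
        return False
    ip = ipaddress.ip_address(remote_ip)
    # Containment is version-aware: an IPv6 client is never inside an IPv4
    # network, so 0.0.0.0/0 is not an "allow everything" default for IPv6.
    # IPv4-mapped IPv6 addresses are not unmapped here (assumption of the model).
    return any(ip in net for net in nets)

def login_allowed(username, remote_ip, default="ALL"):
    """Look the user up and apply allow_nets, using the configured default
    for accounts that lack the attribute."""
    entry = LDAP_ENTRIES.get(username)
    if entry is None:
        return False
    return is_allowed(remote_ip, resolve_attr(entry, "allownets", default))
```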