auth-deny : from file to LDAP
Hello Timo,
I want to deny access to some users. For now I'm doing it using 2 passdb's and listing users in a text file.
!include auth-deny.conf.ext -> passwd-file driver
!include auth-ldap.conf.ext -> ldap driver
I want to do the same using only LDAP. I'm not quite sure how to do it:
a) should I
   . change the driver of the first passdb from passwd-file to ldap
   . for a user to be rejected, add an LDAP attribute named "foo" with a value of "yes" and map it with something like this:
     pass_attrs = ....,foo=deny
   in dovecot-ldap.conf.ext?
b) or could I use only one ldap passdb by changing the pass_filter
from
   pass_filter = (&(objectClass=posixAccount)(uid=%u))
to something like
   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!(foo=yes)))
?
Thanks
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Groupe Exploitation et Infrastructure
On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel@pasteur.fr wrote:
Hello Timo,
This doesn't seem to work, but maybe I am misunderstanding the logic:
I thought that in the passdb {} section of auth-deny.conf.ext, you could comment out "deny = yes" as long as the passdb returned an extra field mapped to "deny" with the value "yes" for the users you want to deny access to: is that the case?
Maybe it's just something like: "if a user is found in a passdb but "deny = yes" is not stated in the passdb {} section, then access is granted"?
This is working but I don't know if this is the recommended way of doing it.
Thanks.
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Groupe Exploitation et Infrastructure
On Thu, 8 Jan 2015, Thomas HUMMEL wrote:
The deny=yes is a special syntax: if this passdb matches -> deny; there is no extra field "deny".
Actually I use "(!(deniedService=%Ls))", but keep in mind that you do not "deny" a user knowingly; rather, this user is not found. The semantics are different.
What you could try - I do not remember anybody posting something like this - is to combine an ldap passdb with deny=yes. The doc http://wiki2.dovecot.org/PasswordDatabase does not restrict deny=yes to just passwd-file, hence, if you create yet another LDAP conf file that matches only denied users and write:
   passdb {
     driver = ldap
     args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext
     deny = yes
   }
Steffen Kaiser
On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
The deny=yes is a special syntax: If this passdb matches -> deny, there is no ExtraField "deny".
Thanks for your answer. That's what I thought after my tests. This explains why I was still able to log in...
but keep in mind that you do not "deny" a user knowingly; rather, this user is not found. The semantics are different.
I know, I thought about that. But still, what could be the unwanted side effects?
I thought about that too, but that would mean setting up another LDAP directory, which I find a little bit overkill.
Thanks.
-- Thomas Hummel | Institut Pasteur <hummel@pasteur.fr> | Groupe Exploitation et Infrastructure
On Fri, 9 Jan 2015, Thomas HUMMEL wrote:
The logs contain different entries. Denied users show up as failed login attempts, and you might have a log analyzer running that acts on that security breach.
Also, later you might add another passdb, which could succeed on that user, who is denied in LDAP.
You need no 2nd LDAP directory, but another configuration file with another LDAP search filter that hits denied users only. This could be implemented by a new attribute. You will gain the log information about the denied user.
Steffen Kaiser
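To make the difference Steffen describes concrete, here is a small Python model of how Dovecot walks its passdb chain, added as an illustration and not Dovecot's own code: the directory entries, the deniedService values and the "later" passdb are constructed assumptions, and %Ls is modelled as the service argument. It shows that a user hidden by pass_filter is merely "not found" and can still be authenticated by a passdb added later, whereas a deny = yes passdb rejects him explicitly and distinctly.

```python
from typing import Callable, Dict, List, Tuple

# Constructed LDAP entries (uid -> attributes). deniedService is the attribute
# Steffen's filter "(!(deniedService=%Ls))" tests, %Ls being the service name.
DIRECTORY: Dict[str, dict] = {
    "alice": {"userPassword": "s3cret", "deniedService": []},
    "bob":   {"userPassword": "hunter2", "deniedService": ["imap"]},
}

class Passdb:
    """One passdb {} block: a pass_filter stand-in plus the deny flag."""
    def __init__(self, name: str, matches: Callable[[dict, str], bool], deny: bool = False):
        self.name, self.matches, self.deny = name, matches, deny

def authenticate(chain: List[Passdb], user: str, password: str, service: str) -> Tuple[str, str]:
    """Simplified chain walk: a passdb that does not return the user is skipped;
    the first one that does return him decides the outcome."""
    entry = DIRECTORY.get(user)
    for db in chain:
        if entry is None or not db.matches(entry, service):
            continue                          # not found here: try the next passdb
        if db.deny:
            return ("denied", db.name)        # deny = yes: explicit, distinct log entry
        if entry["userPassword"] == password:
            return ("ok", db.name)
        return ("wrong-password", db.name)
    return ("unknown-user", "")               # looks like any other failed login

# Approach 1: hide denied users from the only ldap passdb via pass_filter.
ldap_filtered = Passdb("ldap", lambda e, s: s not in e["deniedService"])
# Approach 2: a deny = yes ldap passdb matching denied users only, then the normal one.
ldap_denied = Passdb("ldap-denied", lambda e, s: s in e["deniedService"], deny=True)
ldap_all = Passdb("ldap", lambda e, s: True)
# Hypothetical passdb someone adds later that also knows these users.
later_passdb = Passdb("later", lambda e, s: True)

CHAIN_FILTER = [ldap_filtered, later_passdb]
CHAIN_DENY = [ldap_denied, ldap_all, later_passdb]

if __name__ == "__main__":
    for chain in (CHAIN_FILTER, CHAIN_DENY):
        print([authenticate(chain, u, DIRECTORY[u]["userPassword"], "imap") for u in DIRECTORY])
```

With the filter-only chain, bob is accepted by the later passdb for imap; with the deny passdb in front he is refused before any password check, while his pop3 login still works.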