[Dovecot] Dovecot's as ip/user based login filter?

Bernd Holzmüller tigger at tiggerswelt.net
Mon Apr 10 14:40:27 EEST 2006


Sysadmin wrote:
> > Actually I do not know whether Dovecot can do it by itself.
> > On my server I use a customized PAM module to authenticate and authorize
> > my users. The module also performs a check on the host where the user
> > comes from and checks whether there is a rule to allow/deny access from
> > this host.
>
> It sounds wonderful. Can you kindly share this customized PAM module
> with me?

I would do so if it could be helpful in any way for you, but I believe it
won't fit your needs. It's an SQL-based PAM module with a DB2 backend
that is also highly customized to fit my customer database.

If you have any experience with writing PAM modules I'll give you the
assistance you need.

All I do is retrieve the hostname and compare it with the database.
A short example:

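  const char *Host = NULL;
  const char *User = NULL;
  char SQL[512];  /* fixed buffer; the original wrote through a NULL pointer */
  int Len;

  if ((pam_get_user(pamh, &User, NULL) != PAM_SUCCESS) || (User == NULL))
    return PAM_USER_UNKNOWN;

  /* Retrieve password and authenticate user here */

  /* pam_get_item() can succeed and still leave Host NULL if PAM_RHOST is unset */
  if ((pam_get_item(pamh, PAM_RHOST, (const void **)&Host) != PAM_SUCCESS) ||
      (Host == NULL))
    return PAM_AUTH_ERR;

  /*
    Generate the query, 0.0.0.0 means the default rule for this user.
    Netmasks aren't supported.
    User is client-supplied: escape both values or bind them as query
    parameters before this string reaches the database.
  */
  Len = snprintf(SQL, sizeof(SQL),
                 "SELECT Rule FROM access_table WHERE User='%s' AND "
                 "(Host='%s' OR Host='0.0.0.0') ORDER BY Host DESC LIMIT 0,1;",
                 User, Host);
  if ((Len < 0) || ((size_t)Len >= sizeof(SQL)))
    return PAM_AUTH_ERR;  /* refuse to run a truncated query */

  /* Execute query and process result here */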


I would like to help more, but I cannot - I hope you will excuse this.


Bernd
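
Added example (not part of the original post and not Bernd's module): the rule lookup that the query above expresses, written as plain C over an in-memory table so that the precedence is explicit instead of depending on sort order, with user and host values outside a conservative allow-list denied before any query would be built. The enum, struct and function names, the allow-list and the sample rows are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example: type names, table layout and sample rows are assumptions. */
enum rule { RULE_NONE = 0, RULE_ALLOW, RULE_DENY };
struct access_row { const char *user; const char *host; enum rule rule; };

/* Allow only characters that cannot close a quoted SQL string literal. */
static int is_safe_token(const char *s)
{
    size_t n;
    if (s == NULL || *s == '\0')
        return 0;
    n = strspn(s, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789.-_@:");
    return s[n] == '\0' && n <= 255;
}

/* Exact host row wins over the user's 0.0.0.0 default row;
   no row at all yields RULE_NONE, which the caller must treat as deny. */
enum rule lookup_rule(const struct access_row *tbl, size_t rows,
                      const char *user, const char *host)
{
    enum rule fallback = RULE_NONE;
    size_t i;
    if (!is_safe_token(user) || !is_safe_token(host))
        return RULE_DENY;            /* fail closed on unexpected input */
    for (i = 0; i < rows; i++) {
        if (strcmp(tbl[i].user, user) != 0)
            continue;
        if (strcmp(tbl[i].host, host) == 0)
            return tbl[i].rule;      /* exact match ends the search */
        if (strcmp(tbl[i].host, "0.0.0.0") == 0)
            fallback = tbl[i].rule;
    }
    return fallback;
}

int rule_permits(enum rule r) { return r == RULE_ALLOW; }

/* Constructed sample rows using documentation address ranges. */
const struct access_row sample_table[] = {
    { "alice", "0.0.0.0",     RULE_DENY  },
    { "alice", "192.0.2.10",  RULE_ALLOW },
    { "bob",   "0.0.0.0",     RULE_ALLOW },
    { "bob",   "203.0.113.7", RULE_DENY  },
};

int main(void) { return rule_permits(lookup_rule(sample_table, 4, "alice", "198.51.100.5")); }
```

In a PAM module the same precedence and fail-closed checks would sit between the pam_get_item() call and the database lookup.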

