auth-deny : from file to LDAP

Thomas HUMMEL hummel at pasteur.fr
Thu Jan 8 14:47:12 UTC 2015


On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel at pasteur.fr wrote:
> Hello Timo,

> a) should I
> 
>  . change the driver of the first passdb from passwd-file to ldap
>  . for user to be rejected, add an LDAP attribute named "foo" with a value of "yes" and map it with something like this:
> 
>   pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
> 

This doesn't seem to work, but maybe I am misunderstanding the logic:

I thought that in the passdb{} section of auth-deny.conf.ext, you could comment
"deny = yes" as long as the passdb returned an extra_field mapped on "deny"
with the value of "yes" for users you'd want to deny access to: is that the
case ?

Maybe it's just something like: "if user is found in passdb but "deny =
yes" is not stated in the passdb{} section, then access is granted"?


> b) or could I use only one ldap passdb by changing the pass_filter
> 
> from
> 
>   pass_filter = (&(objectClass=posixAccount)(uid=%u))
> 
> to something like
> 
>   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
> 
> ?

This is working but I don't know if this is the recommended way of doing it.

Thanks.

-- 
Thomas Hummel 	    | Institut Pasteur
<hummel at pasteur.fr> | Groupe Exploitation et Infrastructure
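Added configuration example (not from this thread or the Dovecot project): a deny passdb backed by LDAP, relying on Dovecot's documented deny semantics (any user the deny passdb finds is rejected), so the filter of the deny lookup selects only flagged users. The attribute name "foo" comes from the mail; the file paths, hosts and DNs are placeholders.

```conf
# Added example, not from the mail thread. Paths, hosts and DNs are placeholders.

# /etc/dovecot/conf.d/auth-deny.conf.ext
# The deny passdb must be listed first. With deny = yes, a *match* is a
# rejection, so its LDAP filter must only find users carrying the flag.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-deny.conf.ext
  deny = yes
}

# Regular password lookup, consulted only when the deny passdb found nothing.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap-deny.conf.ext (placeholder path)
# Same server settings as the main LDAP config; only the filter differs:
# it matches the account solely when the deny flag "foo" is set to "yes".
hosts = ldap.example.invalid
dn = cn=dovecot,ou=services,dc=example,dc=invalid
dnpass = PLACEHOLDER_BIND_PASSWORD
ldap_version = 3
base = ou=people,dc=example,dc=invalid
scope = subtree
pass_filter = (&(objectClass=posixAccount)(uid=%u)(foo=yes))
# No password attribute is needed here: being found is what triggers the denial.
pass_attrs = uid=user

# Single-passdb alternative (the pass_filter of the regular lookup instead):
# exclude flagged users with an RFC 4515 negation, which wraps its operand
# in its own parentheses:
#   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!(foo=yes)))
# Difference to watch in the logs: the deny passdb logs "User found from deny
# passdb", while the negated filter makes a flagged user look simply unknown.
```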

