auth-deny : from file to LDAP

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Jan 9 08:00:53 UTC 2015


On Thu, 8 Jan 2015, Thomas HUMMEL wrote:
> On Thu, Jan 08, 2015 at 02:48:47PM +0100, hummel at pasteur.fr wrote:
>> Hello Timo,
>
>> a) should I
>>
>>  . change the driver of the first passdb from passwd-file to ldap
>>  . for user to be rejected, add an LDAP attribute named "foo" with a value of "yes" and map it with something like this :
>>
>>   pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?
>>
>
> This doesn't seem to work but maybe am I misunderstanding the logic :
>
> I thought that in the passdb{} section of auth-deny.conf.ext, you could comment
> "deny = yes" as long as the passdb returned an extra_field mapped on "deny"
> with the value of "yes" for users you'd want to deny access to: is that the
> case ?
>
> Maybe it's just something like : "if user is found in passdb but "deny =
> yes" is not stated in the passdb{} section, then access is granted ?
>

The deny=yes is a special syntax: If this passdb matches -> deny, there is 
no ExtraField "deny".

>> b) or could I use only one ldap passdb by changing the pass_filter
>>
>> from
>>
>>   pass_filter = (&(objectClass=posixAccount)(uid=%u))
>>
>> to something like
>>
>>   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))
>>
>
> This is working but I don't know if this is the recommended way of doing it.

Actually I use "(!(deniedService=%Ls))", but keep in mind that you do not
"deny" a user knowingly, but that this user is not found. The semantics are
different.

What you could try - I do not remember anybody posting something like this
- is to combine an ldap passdb with deny=yes. The doc
http://wiki2.dovecot.org/PasswordDatabase does not restrict the deny=yes 
to just passwd-file, hence, if you create yet another LDAP conf file that 
matches only denied users and write:

passdb {
   driver = ldap

   args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext

   deny = yes
}


-- 
Steffen Kaiser
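As an added example (not from this thread and not Dovecot's own sample configuration), here is what the combination Steffen proposes looks like in full, next to the single-filter variant from b). The attribute name `deniedService` and the path `/etc/dovecot/dovecot-ldap_denied_users.conf.ext` are taken from the messages above; the `10-auth.conf` path, the host, base and bind DN, and the second passdb are assumptions. The deny passdb is listed first so that a matching user is rejected before any later passdb can authenticate them; negating the attribute inside one `pass_filter` only makes the user unknown to that passdb, so a later passdb (for example a passwd-file fallback) could still let them in. Note that the `!` operator in an LDAP filter wraps a complete parenthesised term, `(!(attr=value))`.

```conf
# /etc/dovecot/conf.d/10-auth.conf (assumed path). Order matters: the deny
# passdb must come first. A user it finds is rejected outright.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext
  deny = yes
}

# The normal passdb is consulted only for users the deny passdb did not find.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap_denied_users.conf.ext
# Matches ONLY users flagged for the service being used (%Ls expands to the
# lowercased service name: imap, pop3, ...). Connection details are placeholders.
hosts = ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = PLACEHOLDER_BIND_PASSWORD
base = ou=people,dc=example,dc=org
auth_bind = no
pass_filter = (&(objectClass=posixAccount)(uid=%u)(deniedService=%Ls))
# No password attribute is needed here: the entry being found is the decision.
pass_attrs = uid=user

# /etc/dovecot/dovecot-ldap.conf.ext
# The regular passdb. With the deny passdb in front, no negation is needed.
hosts = ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = PLACEHOLDER_BIND_PASSWORD
base = ou=people,dc=example,dc=org
auth_bind = no
pass_filter = (&(objectClass=posixAccount)(uid=%u))
pass_attrs = uid=user,userPassword=password

# Single-passdb variant from b), shown for comparison (RFC 4515 syntax):
#   pass_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))
# Here a flagged user is merely "not found" by this passdb. If any other passdb
# follows in 10-auth.conf, the lookup continues there and may still succeed.
```

Because Steffen notes that nobody has reported using an ldap passdb with `deny = yes`, verify the behaviour on your own installation before relying on it: run `doveadm auth test` for a flagged user and for an unflagged user, with the service you care about, and confirm that the flagged user is refused by the first passdb rather than by a later one (with `auth_verbose = yes` the auth log shows which passdb produced the result).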

