auth-deny : from file to LDAP
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Fri Jan 9 13:17:35 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 9 Jan 2015, Thomas HUMMEL wrote:
> On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
>
>> The deny=yes is a special syntax: If this passdb matches -> deny, there is
>> no ExtraField "deny".
>
> Thanks for your answer. That's what I thought after my tests. This explains why
> I was still able to log in...
>
>> but keep in mind that you do not "deny" an user knowingly, but that this user
>> is not found. The semantic is different.
>
> I know, I thought about that. But still what could be the unwanted side effects
> ?
The logs contain different entries. Denied users show up as failed login
attempts and if you might have running a log analyzer that acts on that
security breach.
Also, later you might add another passdb, which could succeed on that
user, who is denied in LDAP.
>> What you could try - I do not remember anybody posting something like this -
>> - is to combine a ldap passdb with deny=yes.
>
> I thought about that too, but that would mean setting up another LDAP
> directory, which I find a little bit overkill.
You need not no 2nd LDAP directory, but another configuration file with
another LDAP search filter, that hits denied users only. This could be
implemented by a new attribute. You will gain the log information about
the denied user.
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEVAwUBVK/U73z1H7kL/d9rAQL8EQf+OpSOGTlFaiqH+VGvsnK6BHkywXGjkgML
0+360Agc2WwI/2GLHbOS0vRjs2Wzm91FVyXXD5kd1CXTOjF1Xp7rVoaR1B9aQtoi
m1DOTdzJ/CbKH8b2NOvEpUdRJVj/qGCD6DWkIOppWA4pjSr45xX5znCJA45Y7xxi
C6kfUMx8tRmb5byUR5qyjrZeMxHF1mrmoH4UaIa3mvFHiv1WSFom8NM+pnJ99yoH
IOz3ZQ5mxP3l6jAV5c3w1P/6fgDVazHvji5ecvj+JncmEhEvwV4XeGrbfTuk9DnB
f9JwygXXBmSA58Ncgz1eJi/E7dDSijrPG3+7QR2obDIoqJLjzEOBEQ==
=WZji
-----END PGP SIGNATURE-----
More information about the dovecot
mailing list