auth-deny : from file to LDAP

Steffen Kaiser skdovecot at smail.inf.fh-brs.de
Fri Jan 9 13:17:35 UTC 2015



On Fri, 9 Jan 2015, Thomas HUMMEL wrote:
> On Fri, Jan 09, 2015 at 09:00:53AM +0100, Steffen Kaiser wrote:
>
>> The deny=yes is a special syntax: If this passdb matches -> deny, there is
>> no ExtraField "deny".
>
> Thanks for your answer. That's what I thought after my tests. This explains why
> I was still able to log in...
>
>> but keep in mind that you do not "deny" a user knowingly, but that this user
>> is not found. The semantic is different.
>
> I know, I thought about that. But still what could be the unwanted side
> effects?

The logs contain different entries. Denied users show up as failed login 
attempts, and you might have a log analyzer running that acts on that 
security breach.

Also, later you might add another passdb, which could succeed on that 
user, who is denied in LDAP.

>> What you could try - I do not remember anybody posting something like this -
>> - is to combine a ldap passdb with deny=yes.
>
> I thought about that too, but that would mean setting up another LDAP
> directory, which I find a little bit overkill.

You do not need a 2nd LDAP directory, but another configuration file with 
another LDAP search filter, one that hits denied users only. This could be 
implemented by a new attribute. You will gain the log information about 
the denied user.

-- 
Steffen Kaiser
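One way to realise the setup described above, as an added example and not configuration from the original thread or from the Dovecot project; the host name, base DN, bind DN, file names and the `mailLoginDenied` attribute are assumptions:

```conf
# /etc/dovecot/conf.d/10-auth.conf (excerpt)
#
# Passdbs are consulted in the order they are listed, so the deny passdb
# must come first. With deny = yes Dovecot treats any lookup result other
# than "user unknown" as a match and refuses the login, logging it as a
# "User found from deny passdb" failure rather than a plain unknown user.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap-deny.conf.ext
  deny = yes
}

# The regular LDAP passdb; only reached when the deny passdb did not match.
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap-deny.conf.ext
#
# Same directory as the normal passdb, different search filter: it only
# returns entries whose (assumed, site-defined) mailLoginDenied attribute
# is TRUE. Users without that attribute are "not found" here and fall
# through to the normal passdb.
hosts = ldap.example.org
dn = cn=dovecot,ou=services,dc=example,dc=org
dnpass = CHANGE-ME
tls = yes
auth_bind = no
base = ou=people,dc=example,dc=org
scope = subtree
pass_filter = (&(objectClass=posixAccount)(uid=%u)(mailLoginDenied=TRUE))
# No password attribute is needed: the user being found is what matters.
pass_attrs = uid=user
```

A denied user then produces a log line naming the deny passdb instead of an "unknown user" failure, which is the distinction a log analyzer can act on.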
