Re: auth-deny : from file to LDAP

Steffen Kaiser Fri, 09 Jan 2015 00:01:41 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 8 Jan 2015, Thomas HUMMEL wrote:

On Thu, Jan 08, 2015 at 02:48:47PM +0100, hum...@pasteur.fr wrote:

Hello Timo,

a) should I

 . change the driver of the first passdb from passwd-file to ldap
 . for user to be rejected, add an LDAP attribute named "foo" with a value of 
"yes" and map it with something like this :

  pass_attrs = ....,foo=deny in dovecot-ldap.conf.ext ?


This doesn't seem to work but maybe am I misunderstanding the logic :

I thought that in the passdb{} section of auth-deny.conf.ext, you could comment
"deny = yes" as long as the passdb returned an extra_field mapped on "deny"
with the value of "yes" for users you'd want to deny access to: is that the
case ?

Maybe it's just something like : "if user is found in passdb but "deny =
yes" is not stated in the passdb{} section, then access is granted ?

The deny=yes is a special syntax: If this passdb matches -> deny, there isno ExtraField "deny".

b) or could I use only one ldap passdb by changing the pass_filter

from

  pass_filter = (&(objectClass=posixAccount)(uid=%u))

to something like

  pass_filter = (&(objectClass=posixAccount)(uid=%u)(!foo=yes))


This is working but I don't know if this is the recommended way of doing it.

Actually I use "(!(deniedService=%Ls))", but keep in mind that you do not"deny" an user knowingly, but that this user is not found. The semantic isdifferent.

What you could try - I do not remember anybody posting something like this- - is to combine a ldap passdb with deny=yes. The dochttp://wiki2.dovecot.org/PasswordDatabase does not restrict the deny=yesto just passwd-file, hence, if you create yet another LDAP conf file thatmatches only denied users and write:


passdb {
  driver = ldap

  args = /etc/dovecot/dovecot-ldap_denied_users.conf.ext

  deny = yes
}

- --Steffen Kaiser

Re: auth-deny : from file to LDAP

Reply via email to