On Fri, Oct 22, 2004 at 05:37:58PM -0200, Bruno Negrão wrote:
> Hi all,
> 
> I'm testing the removal of the e-mail accounts and I would like to adopt
> that "2 steps" removal:
> 
> 1 - I set the entry's 'accountStatus' attribute to 'deleted'
> 2 - a helper program running from cron will search the LDAP directory for
> 'accountStatus: deleted' accounts; when it finds them, it removes the
> Maildir directories from the filesystem (optionally, it can remove the
> entry from the directory too).
> 
> What I found strange is, even with the 'accountStatus: deleted'
> attribute set, the user can still log in via POP3 and search for new
> messages. Wasn't auth_pop supposed to check for this 'accountStatus' and
> block the users when 'deleted' is set?
> 
> Since steps 1 and 2 don't occur synchronously, there is a time when
> the user was already removed, but can still log in. Maybe I'll have to
> adopt a 3-step approach:
> 
> 1 - same as step 1 mentioned earlier
> 2 - change the 'userPassword' attribute to something unthinkable, so he
> can't POP-in anymore (it would be nice if I could save his password in
> another attribute, like userOIdPassword...)
> 3 - same as step 2 mentioned earlier
>  
> I think auth_pop is not working the best it could in this particular
> situation. Does someone disagree?
> 

YES, the check for deleted is missing. The attached patch should fix the
problem. Btw. qmail-lspawn has the correct check.

-- 
:wq Claudio

Index: checkpassword.c
===================================================================
RCS file: /home/cvs-djbware/CVS/qmail-ldap/checkpassword.c,v
retrieving revision 1.71
diff -u -p -r1.71 checkpassword.c
--- checkpassword.c     29 Jun 2004 17:29:42 -0000      1.71
+++ checkpassword.c     22 Oct 2004 21:19:47 -0000
@@ -136,7 +136,8 @@ check_ldap(stralloc *login, stralloc *au
 
        r = qldap_get_status(q, &status);
        if (r != OK) goto fail;
-       if (status == STATUS_BOUNCE || status == STATUS_NOACCESS) {
+       if (status == STATUS_BOUNCE || status == STATUS_NOACCESS ||
+           status == STATUS_DELETE) {
                qldap_free(q);
                return ACC_DISABLED;
        }
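Review bot: the new `status == STATUS_DELETE` branch in check_ldap() returns ACC_DISABLED, so callers cannot tell a deleted account from one that is merely bounced or has no access; if the caller logs the denial reason, consider a distinct return value or a log line so an operator reviewing auth failures can see that the account was refused because it is marked deleted. The patch also carries no ChangeLog or documentation note that an 'accountStatus: deleted' entry now fails authentication in checkpassword, which is a visible behaviour change for administrators relying on the two-step removal described in the thread, and it would be worth confirming that every program linking checkpassword.c (not only auth_pop, which the report names) is meant to get the same refusal.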
