Re: [Dovecot] dovecot 2.1.13, proxy and nologin extras field

2013-01-24 Thread Thomas Leuxner
* Marco Giunta giu...@sissa.it 2013.01.23 13:44:

 Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
 OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password

It needs to be either 'nologin=y' (notice the 'y') passed, or 'allow_nets='.

Regards
Thomas




Re: [Dovecot] dovecot 2.1.13, proxy and nologin extras field

2013-01-24 Thread Marco Giunta

On 2013-01-24 09:07, Thomas Leuxner wrote:

It needs to be either 'nologin=y' notice the y passed or 'allow_nets='.
The problem is that even if I configure 'pass_attrs' to always return 
'nologin=y':


pass_attrs = uid=user,userPassword=password,\
  =userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,\
  =proxy=y,=host=imap.sissa.it,\
  =nologin=y,=reason=Reason

users are allowed to login:

Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password


Is something wrong in my 'pass_attrs'???

  Marco



Re: [Dovecot] dovecot 2.1.13, proxy and nologin extras field

2013-01-24 Thread Timo Sirainen
On Wed, 2013-01-23 at 13:44 +0100, Marco Giunta wrote:
 Hi at all,
 in our test environment, I'm playing with dovecot 2.1.13 configured as an
 imap/pop/managesieve proxy. It is configured to authenticate users with 
 ldap and it works very well.
 
 Now, I'd like to temporarily disable some users' logins, because we are 
 moving to another storage, and I wouldn't want to stop the imap service at all.
 
 I've found on the Dovecot wiki that I could use the 'nologin' extra field, but I 
 haven't been able to get it to work. My dovecot configuration is:

The nologin field doesn't work with proxying. You'd have to return neither
the proxy nor the host field. With host+nologin it would be treated as a
login referral:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Host

Of course it would be possible to add yet another check where proxy+host
+nologin returned would be treated in yet another way, but that gets too
confusing..

I guess it was a mistake to use nologin for login referrals in the
first place. And I guess just about no one uses them anyway. So then, it
would be possible to change this behavior..
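The precedence Timo states above, worked through as an added example (this is not code from the thread or from Dovecot): a small Python parser for the tab-separated (#011) 'client passdb out' lines quoted in this thread, plus a classifier that predicts whether a given combination of extra fields results in a proxied login, a login referral, or a blocked login, and also models the allow_nets check Marco found working. The sample reply lines are constructed from the thread, and the precedence rules follow Timo's reply and the Host wiki page rather than a reading of Dovecot's source.

```python
import ipaddress

# Constructed samples modelled on the 'client passdb out' lines quoted in
# this thread. '#011' is syslog's octal escape for TAB, the field separator
# of Dovecot's auth protocol.
REPLY_PROXY_NOLOGIN = ("OK#0111#011user=prova#011proxy#011host=imap.example.it"
                       "#011nologin#011hostip=192.168.11.136#011pass=password")
REPLY_NOLOGIN_ONLY = "OK#0111#011user=prova#011nologin#011reason=Migration"
REPLY_REFERRAL = "OK#0111#011user=prova#011host=imap.example.it#011nologin"
REPLY_ALLOW_NETS = ("OK#0111#011user=prova#011proxy#011host=imap.example.it"
                    "#011allow_nets=127.0.0.0/8")

def parse_passdb_reply(line):
    """Return (status, request_id, fields) for one auth debug reply line.
    Valueless extras such as 'proxy' or 'nologin' map to None."""
    status, req_id, *extras = line.replace("#011", "\t").split("\t")
    fields = {}
    for item in extras:
        if item:
            name, sep, value = item.partition("=")
            fields[name] = value if sep else None
    return status, req_id, fields

def classify(fields, rip=None):
    """Predict the outcome; precedence as Timo states it: proxy/host win over
    nologin, so nologin only blocks when neither is returned. allow_nets is
    checked against the client IP (rip) first, as in Marco's working variant."""
    if "allow_nets" in fields and rip is not None:
        client = ipaddress.ip_address(rip)
        nets = (ipaddress.ip_network(n.strip(), strict=False)
                for n in fields["allow_nets"].split(","))
        if not any(client in net for net in nets):
            return "denied:allow_nets"
    if "proxy" in fields and "host" in fields:
        return "proxy:" + fields["host"]          # nologin silently ignored
    if "host" in fields and "nologin" in fields:
        return "referral:" + fields["host"]       # login referral, not a block
    if "nologin" in fields:
        return "denied:nologin"                   # the only blocking case
    return "login"

def effect(line, rip=None):
    status, _, fields = parse_passdb_reply(line)
    return classify(fields, rip) if status == "OK" else status.lower()

if __name__ == "__main__":
    for label, line in [("proxy+nologin", REPLY_PROXY_NOLOGIN), ("nologin only", REPLY_NOLOGIN_ONLY),
                        ("host+nologin", REPLY_REFERRAL), ("proxy+allow_nets", REPLY_ALLOW_NETS)]:
        print(f"{label:17} -> {effect(line, '192.168.44.31')}")
```

Running it against real auth_debug output is a quick way to confirm whether a passdb change actually blocks users rather than silently proxying them, which is exactly the situation the log in this thread shows.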




Re: [Dovecot] dovecot 2.1.13, proxy and nologin extras field

2013-01-24 Thread Marco Giunta

On 2013-01-24 11:59, Timo Sirainen wrote:

On Wed, 2013-01-23 at 13:44 +0100, Marco Giunta wrote:

Hi at all,
in our test environment, I'm playing with dovecot 2.1.13 configured as an
imap/pop/managesieve proxy. It is configured to authenticate users with
ldap and it works very well.

Now, I'd like to temporarily disable some users' logins, because we are
moving to another storage, and I wouldn't want to stop the imap service at all.

I've found on the Dovecot wiki that I could use the 'nologin' extra field, but I
haven't been able to get it to work. My dovecot configuration is:

The nologin field doesn't work with proxying. You'd have to return neither
the proxy nor the host field. With host+nologin it would be treated as a
login referral:
http://wiki2.dovecot.org/PasswordDatabase/ExtraFields/Host

Of course it would be possible to add yet another check where proxy+host
+nologin returned would be treated in yet another way, but that gets too
confusing..

I guess it was a mistake to use nologin for login referrals in the
first place. And I guess just about no one uses them anyway. So then, it
would be possible to change this behavior..


Ok, thank you for the explanation. In this case, I'll use a 'deny' 
passdb or a different ldap filter ...


Cheers,
  Marco

--
 ---
|Marco Giunta - SISSA Computer Staff|
|Via Bonomea, 265   |
|34136 - Trieste, Italy |
|Tel: +39-40-3787-503   |
|Fax: +39-040-3787-244  |
|e-mail: marco.giunta AT sissa.it   |
 ---



[Dovecot] dovecot 2.1.13, proxy and nologin extras field

2013-01-23 Thread Marco Giunta

Hi at all,
in our test environment, I'm playing with dovecot 2.1.13 configured as an
imap/pop/managesieve proxy. It is configured to authenticate users with 
ldap and it works very well.

Now, I'd like to temporarily disable some users' logins, because we are 
moving to another storage, and I wouldn't want to stop the imap service at all.

I've found on the Dovecot wiki that I could use the 'nologin' extra field, but I 
haven't been able to get it to work. My dovecot configuration is:



# 2.1.13: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-279.19.1.el6.x86_64 x86_64 ...
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
listen = *
mail_debug = yes
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave

mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
special_use = \Drafts
  }
  mailbox Junk {
special_use = \Junk
  }
  mailbox Sent {
special_use = \Sent
  }
  mailbox Sent Messages {
special_use = \Sent
  }
  mailbox Trash {
special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
}
protocols = imap pop3 sieve
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
  inet_listener sieve_deprecated {
port = 2000
  }
}
ssl = no
ssl_cert = /etc/pki/dovecot/certs/dovecot.pem
ssl_key = /etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = prefetch
}


and my 'dovecot-ldap.conf.ext' is:

uris = ldap://ldap.example.it/
dn = cn=Reader,dc=example,dc=it
dnpass = password
base = ou=People,dc=example,dc=it
pass_attrs = uid=user,userPassword=password,\
  =userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,\
  =proxy=y,=host=imap.example.it,\
  =nologin=y
pass_filter = (&(objectClass=qmailUser)(uid=%u)(accountStatus=active))


With this configuration, all users can log in, and the log says:

Jan 23 09:16:18 localhost dovecot: master: Dovecot v2.1.13 starting up 
(core dumps disabled)
Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jan 23 09:16:33 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 23 09:16:33 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libauthdb_ldap.so
Jan 23 09:16:33 localhost dovecot: auth: Debug: auth client connected 
(pid=3660)
Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: 
AUTH#0111#011PLAIN#011service=imap#011session=PsbzT/DT+gCTeiwf#011lip=192.168.129.109#011rip=192.168.44.31#011lport=143#011rport=53754
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
CONT#0111#011
Jan 23 09:16:33 localhost dovecot: auth: Debug: client in: 
CONT#0111#011AHByb3ZhZm0AY2hlcGFsbGU=
Jan 23 09:16:33 localhost dovecot: auth: Debug: 
ldap(prova,147.122.44.31,PsbzT/DT+gCTeiwf): pass search: 
base=ou=People,dc=example,dc=it scope=subtree 
filter=(&(objectClass=qmailUser)(uid=prova)(accountStatus=active)) 
fields=uid,userPassword,uidNumber,gidNumber,uid,uid
Jan 23 09:16:33 localhost dovecot: auth: Debug: 
ldap(prova,192.168.44.31,PsbzT/DT+gCTeiwf): result: uid=prova 
uidNumber=2944 gidNumber=650 userPassword={MD5}BjbsTtSovVAs1csswBTI7Q==
Jan 23 09:16:33 localhost dovecot: auth: Debug: client passdb out: 
OK#0111#011user=prova#011proxy#011host=imap.example.it#011nologin#011hostip=192.168.11.136#011pass=password
Jan 23 09:16:33 localhost dovecot: imap-login: proxy(prova): started 
proxying to imap.example.it:143: user=prova, method=PLAIN, 
rip=192.168.44.31, lip=192.168.129.109, session=PsbzT/DT+gCTeiwf


As you can see, the 'nologin' field is present in the 'passdb' answer, but it 
doesn't seem to work.


If instead I try to disable login with the 'allow_nets' extra field, it 
works as expected:


'dovecot-ldap.conf.ext':
...
pass_attrs = uid=user,userPassword=password,\
  =userdb_home=/var/spool/mail/%1u/%u,uidNumber=userdb_uid,gidNumber=userdb_gid,\
  =proxy=y,=host=imap.example.it,\
  =allow_nets=127.0.0.0/8

dovecot log:

Jan 22 18:28:19 localhost dovecot: master: Dovecot v2.1.13 starting up 
(core dumps disabled)
Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from 
directory: /usr/lib64/dovecot/auth
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_mysql.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_pgsql.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Module loaded: 
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Jan 22 18:28:32 localhost dovecot: auth: Debug: Loading modules from 
directory: