From 4ce691b560b037fc7a87219d92a175156c92f892 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Mon, 8 Feb 2010 15:52:04 +0100
Subject: [PATCH] pam: Make dovecot check the mailHost attribute.

Previously (in an uncommited pam.d/dovecot file), dovecot just used the common-{auth,account}, which checked the "host" attribute. Now the mailHost attribute is checked, so only people that have their email delivered here can use IMAP.
---
 etc/pam.d/dovecot | 22 ++++++++++++++++++++++
 etc/pam_ldap_dovecot.conf | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 etc/pam.d/dovecot
 create mode 100644 etc/pam_ldap_dovecot.conf

diff --git a/etc/pam.d/dovecot b/etc/pam.d/dovecot
new file mode 100644
index 0000000..ddf9a02
--- /dev/null
+++ b/etc/pam.d/dovecot
@@ -0,0 +1,22 @@
+#%PAM-1.0
+
+# We have a common auth and account section, since we don't need to check the
+# "host" attribute, but the "mailHost" attribute. It would be sufficient to
+# use a custom account section, but pam_ldap only loads its config once, so we
+# can't use a different config for just the accoun section.
+
+# These are just taken from common-{auth,account}, but with the config=
+# parameter added.
+auth required pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+# pam_unix does general checks based on NSS info, so it also works for ldap
+# users.
+account required pam_unix.so
+
+# pam_ldap does additional checks (in particular checking the host ldap
+# attribute) but needs to be ignored when it does not know about a user.
+# We point the module to an alternative configuration file.
+account [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=ignore default=bad] \
+ pam_ldap.so config=/etc/pam_ldap_dovecot.conf
+
+@include common-session
diff --git a/etc/pam_ldap_dovecot.conf b/etc/pam_ldap_dovecot.conf
new file mode 100644
index 0000000..b5c31c8
--- /dev/null
+++ b/etc/pam_ldap_dovecot.conf
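Review bot: The comment above the second `account` line still says pam_ldap is "in particular checking the host ldap attribute", which is exactly the behaviour this file exists to replace: with config=/etc/pam_ldap_dovecot.conf the check is the `pam_filter` on mailHost, and that config sets no pam_check_host_attr, so the "host" attribute is presumably not consulted on this path at all. I would rewrite it as `# pam_ldap does additional checks (here: the mailHost filter from the dovecot-specific config) but needs to be ignored when it does not know about a user.` and fix "accoun" in the header comment. The header also says the lines are "just taken from common-{auth,account}", yet the auth stack consists of the single `auth required pam_ldap.so` entry; if common-auth carried a pam_unix entry it was not brought over, so accounts that exist only locally cannot authenticate to IMAP. If that is intended, a one-line comment saying so would keep a later reader from "fixing" it.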
@@ -0,0 +1,21 @@
+#
+# See /usr/share/libpam-ldap/ldap.conf for example configuration and more
+# options.
+#
+#
+# Dovecot-specific version of pam_ldap.conf that checks the mailHost attribute
+# instead of the "host" attribute, so people without SSH access can still use
+# IMAP, and only people whose mail is delivered on this host can use IMAP.
+
+# The distinguished name of the search base.
+base dc=drsnuggles,dc=stderr,dc=nl
+
+# The LDAP server. ldaps:// is secure, ldapi:// is local socket
+uri ldap://ldap.drsnuggles.stderr.nl
+
+# The LDAP version to use
+ldap_version 3
+
+# Only allow people to login to dovecot when their email is delivered here.
+# Too bad this uses a hardcoded hostname, though...
+pam_filter mailHost=mail.drsnuggles.stderr.nl
-- 
2.30.2
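Review bot: `uri ldap://ldap.drsnuggles.stderr.nl` is a plaintext LDAP URI while the comment directly above it records that ldaps:// is the secure option, and the file sets neither `ssl start_tls` nor `tls_checkpeer`. Because etc/pam.d/dovecot uses this same config for its `auth` entry, pam_ldap will bind with each IMAP user's password over that connection, so unless the LDAP server is only reachable over a trusted link the password crosses the network unencrypted. I would change the line to `uri ldaps://ldap.drsnuggles.stderr.nl` (or keep ldap:// and add `ssl start_tls` together with `tls_checkpeer yes` and a `tls_cacertfile`) and say in the comment why the plaintext scheme was rejected. Separately, the `pam_filter` comment should record that, as I read pam_ldap, the filter is also applied to the user lookup on the auth path, so a user whose mailHost does not match is reported as unknown rather than merely failing the account check; that fail-closed property is the point of the change and is easy to lose if the auth line is later pointed at a different config.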