# HG changeset patch
# User Timo Sirainen
# Date 1127566523 -10800
# Node ID ea2266d0a07f08d5e77c40c3c14d40d84d381bcd
# Parent b86d4c76efdffa2cf6e7e6a25d3e10bf67c27148
Added deny password databases.
diff -r b86d4c76efdf -r ea2266d0a07f dovecot-example.conf
--- a/dovecot-example.conf Sat Sep 24 15:51:25 2005 +0300
+++ b/dovecot-example.conf Sat Sep 24 15:55:23 2005 +0300
@@ -569,6 +569,16 @@
 # http://wiki.dovecot.org/Authentication
 #
+ # Users can be temporarily disabled by adding a passdb with deny=yes.
+ # If the user is found from that database, authentication will fail.
+ # The deny passdb should always be specified before others, so it gets
+ # checked first. Here's an example:
+ #passdb passwd-file {
+ # File contains a list of usernames, one per line
+ #args = /etc/imap.deny
+ #deny = yes
+ #}
+
 # PAM authentication. Preferred nowadays by most systems.
 # Note that PAM can only be used to verify if user's password is correct,
 # so it can't be used as userdb. If you don't want to use a separate user
diff -r b86d4c76efdf -r ea2266d0a07f src/auth/auth-request.c
--- a/src/auth/auth-request.c Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth-request.c Sat Sep 24 15:55:23 2005 +0300
@@ -236,8 +236,14 @@
 strlen(request->passdb_password));
 }
- if (result != PASSDB_RESULT_OK && request->passdb->next != NULL) {
+ if (result != PASSDB_RESULT_USER_UNKNOWN && request->passdb->deny) {
+ /* user found from deny passdb. deny this authentication. */
+ auth_request_log_info(request, "passdb", "User found from deny passdb");
+ result = PASSDB_RESULT_USER_DISABLED;
+ } else if (result != PASSDB_RESULT_OK &&
+ result != PASSDB_RESULT_USER_DISABLED &&
+ request->passdb->next != NULL) {
 /* try next passdb. */
 if (result == PASSDB_RESULT_INTERNAL_FAILURE)
 request->passdb_internal_failure = TRUE;
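Review bot: The new deny branch treats every result other than PASSDB_RESULT_USER_UNKNOWN as a hit, so a PASSDB_RESULT_INTERNAL_FAILURE from the deny passdb (for example an unreadable deny file) also rejects the login but is logged as "User found from deny passdb". Failing closed there is the right choice, but the log line should say what actually happened so an operator can tell a locked-out user from a broken deny database; e.g. `if (result == PASSDB_RESULT_INTERNAL_FAILURE) auth_request_log_info(request, "passdb", "Deny passdb lookup failed, denying");` with the existing message in the else branch. The check also only guards this verify-plain callback; if a parallel credentials-lookup callback exists for non-plaintext mechanisms (not visible in this diff), it needs the same deny test or the deny list is bypassed for those mechanisms. The enclosing callback starts before this hunk and continues into the next one.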
@@ -249,9 +255,8 @@
 auth_request_verify_plain(request, request->mech_password, request->private_callback.verify_plain);
 return;
- }
-
- if (request->passdb_internal_failure && result != PASSDB_RESULT_OK) {
+ } else if (request->passdb_internal_failure &&
+ result != PASSDB_RESULT_OK) {
 /* one of the passdb lookups returned internal failure. it may have had the correct password, so return internal failure instead of plain failure. */
diff -r b86d4c76efdf -r ea2266d0a07f src/auth/auth.c
--- a/src/auth/auth.c Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.c Sat Sep 24 15:55:23 2005 +0300
@@ -17,6 +17,7 @@
 struct auth *auth_preinit(void)
 {
 struct auth *auth;
+ struct auth_passdb *auth_passdb;
 const char *driver, *args;
 pool_t pool;
 unsigned int i;
@@ -35,7 +36,10 @@
 break;
 args = getenv(t_strdup_printf("PASSDB_%u_ARGS", i));
- passdb_preinit(auth, driver, args);
+ auth_passdb = passdb_preinit(auth, driver, args);
+
+ if (getenv(t_strdup_printf("PASSDB_%u_DENY", i)) != NULL)
+ auth_passdb->deny = TRUE;
 }
 t_pop();
diff -r b86d4c76efdf -r ea2266d0a07f src/auth/auth.h
--- a/src/auth/auth.h Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.h Sat Sep 24 15:55:23 2005 +0300
@@ -11,6 +11,8 @@
 #ifdef HAVE_MODULES
 struct auth_module *module;
 #endif
+ /* if user is found from this passdb, deny authentication immediately */
+ unsigned int deny:1;
 };
 struct auth_userdb {
diff -r b86d4c76efdf -r ea2266d0a07f src/auth/passdb.c
--- a/src/auth/passdb.c Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.c Sat Sep 24 15:55:23 2005 +0300
@@ -116,7 +116,8 @@
 callback(PASSDB_RESULT_OK, password, auth_request);
 }
-void passdb_preinit(struct auth *auth, const char *driver, const char *args)
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+ const char *args)
 {
 struct passdb_module **p;
 struct auth_passdb *auth_passdb, **dest;
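Review bot: Nothing checks the ordering the example config relies on: a passdb flagged through PASSDB_%u_DENY is only effective when it precedes the passdbs that can return PASSDB_RESULT_OK, because the auth-request.c change advances to the next passdb only when the result is neither OK nor USER_DISABLED, so a deny passdb listed after a working one never denies a user with a valid password. auth_preinit walks the passdbs in order with `i`, so the second auth.c hunk can warn when a deny passdb follows a non-deny one; a `seen_non_deny` flag declared with the other locals in the first hunk suffices. Separately, `auth_passdb->deny` is set after passdb_preinit has already called the driver's preinit hook (see the passdb.c hunks), so a driver cannot see the flag during preinit; presumably none needs it, but a one-line comment saying so would prevent a later surprise. The auth_preinit body continues past both hunks.
```c
	auth_passdb = passdb_preinit(auth, driver, args);

	if (getenv(t_strdup_printf("PASSDB_%u_DENY", i)) != NULL) {
		/* deny is applied after the driver's preinit hook has run */
		auth_passdb->deny = TRUE;
		if (seen_non_deny) {
			i_warning("passdb %u has deny=yes but follows a "
				  "non-deny passdb; users the earlier passdb "
				  "accepts are never checked against it", i);
		}
	} else {
		seen_non_deny = TRUE;
	}
	/* … unchanged: end of loop body, t_pop() … */
```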
@@ -153,6 +154,7 @@
 if (auth_passdb->passdb->preinit != NULL)
 auth_passdb->passdb->preinit(auth_passdb->args);
+ return auth_passdb;
 }
 void passdb_init(struct auth_passdb *passdb)
diff -r b86d4c76efdf -r ea2266d0a07f src/auth/passdb.h
--- a/src/auth/passdb.h Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.h Sat Sep 24 15:55:23 2005 +0300
@@ -69,7 +69,8 @@
 const char *passdb_credentials_to_str(enum passdb_credentials credentials);
-void passdb_preinit(struct auth *auth, const char *driver, const char *args);
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+ const char *args);
 void passdb_init(struct auth_passdb *passdb);
 void passdb_deinit(struct auth_passdb *passdb);
diff -r b86d4c76efdf -r ea2266d0a07f src/master/auth-process.c
--- a/src/master/auth-process.c Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/auth-process.c Sat Sep 24 15:55:23 2005 +0300
@@ -429,6 +429,8 @@
 env_put(t_strdup_printf("PASSDB_%u_ARGS=%s", i, ap->args));
 }
+ if (ap->deny)
+ env_put(t_strdup_printf("PASSDB_%u_DENY=1", i));
 }
 for (au = set->userdbs, i = 1; au != NULL; au = au->next, i++) {
 env_put(t_strdup_printf("USERDB_%u_DRIVER=%s", i, au->driver));
diff -r b86d4c76efdf -r ea2266d0a07f src/master/master-settings.c
--- a/src/master/master-settings.c Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/master-settings.c Sat Sep 24 15:55:23 2005 +0300
@@ -197,6 +197,7 @@
 static struct setting_def auth_passdb_setting_defs[] = {
 DEF(SET_STR, driver),
 DEF(SET_STR, args),
+ DEF(SET_BOOL, deny),
 { 0, NULL, 0 }
 };
diff -r b86d4c76efdf -r ea2266d0a07f src/master/master-settings.h
--- a/src/master/master-settings.h Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/master-settings.h Sat Sep 24 15:55:23 2005 +0300
@@ -135,6 +135,7 @@
 const char *driver;
 const char *args;
+ int deny;
 };
 struct auth_userdb_settings {
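Review bot: The new return value of passdb_preinit in the passdb.h hunk is undocumented, while auth.c dereferences it unconditionally, so the prototype should state whether it can be NULL and who owns the entry. Suggested comment above the declaration: `/* Register a passdb driver for auth and return the list entry created for it; the entry is owned by auth and must not be freed by the caller. */` If passdb_preinit can return NULL for an unknown driver (the driver lookup over `p` is outside the hunks shown), that also needs stating and the auth.c caller needs a check before `auth_passdb->deny = TRUE`.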