changeset 3609:ea2266d0a07f HEAD

Added deny password databases.
author Timo Sirainen <tss@iki.fi>
date Sat, 24 Sep 2005 15:55:23 +0300
parents b86d4c76efdf
children 24d9c17b4cb6
files dovecot-example.conf src/auth/auth-request.c src/auth/auth.c src/auth/auth.h src/auth/passdb.c src/auth/passdb.h src/master/auth-process.c src/master/master-settings.c src/master/master-settings.h
diffstat 9 files changed, 36 insertions(+), 8 deletions(-) [+]
--- a/dovecot-example.conf	Sat Sep 24 15:51:25 2005 +0300
+++ b/dovecot-example.conf	Sat Sep 24 15:55:23 2005 +0300
@@ -569,6 +569,16 @@
   # http://wiki.dovecot.org/Authentication
   #
 
+  # Users can be temporarily disabled by adding a passdb with deny=yes.
+  # If the user is found from that database, authentication will fail.
+  # The deny passdb should always be specified before others, so it gets
+  # checked first. Here's an example:
+  #passdb passwd-file {
+    # File contains a list of usernames, one per line
+    #args = /etc/imap.deny
+    #deny = yes
+  #}
+
   # PAM authentication. Preferred nowadays by most systems.
   # Note that PAM can only be used to verify if user's password is correct,
   # so it can't be used as userdb. If you don't want to use a separate user
--- a/src/auth/auth-request.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth-request.c	Sat Sep 24 15:55:23 2005 +0300
@@ -236,8 +236,14 @@
 			    strlen(request->passdb_password));
 	}
 
-	if (result != PASSDB_RESULT_OK &&
-	    request->passdb->next != NULL) {
+	if (result != PASSDB_RESULT_USER_UNKNOWN && request->passdb->deny) {
+		/* user found from deny passdb. deny this authentication. */
+		auth_request_log_info(request, "passdb",
+				      "User found from deny passdb");
+		result = PASSDB_RESULT_USER_DISABLED;
+	} else if (result != PASSDB_RESULT_OK &&
+		   result != PASSDB_RESULT_USER_DISABLED &&
+		   request->passdb->next != NULL) {
 		/* try next passdb. */
 		if (result == PASSDB_RESULT_INTERNAL_FAILURE)
 			request->passdb_internal_failure = TRUE;
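Review bot: An internal failure from the deny passdb is turned into PASSDB_RESULT_USER_DISABLED by the new branch, because the guard only excludes USER_UNKNOWN; that is the fail-closed direction, which is the right one for a deny list, but it is logged as "User found from deny passdb" and passdb_internal_failure is left unset, so an unreadable deny file is indistinguishable in the logs from a deliberate denial. Keep the denial but log it distinctly, e.g. test `result == PASSDB_RESULT_INTERNAL_FAILURE` inside the deny branch and emit a message such as "deny passdb lookup failed, denying" instead of the "found" message. The comment on the branch could also say that PASSWORD_MISMATCH counts as "found", since any result other than USER_UNKNOWN denies. The enclosing function starts before this hunk and continues into the next one.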
@@ -249,9 +255,8 @@
 		auth_request_verify_plain(request, request->mech_password,
 			request->private_callback.verify_plain);
 		return;
-	}
-
-	if (request->passdb_internal_failure && result != PASSDB_RESULT_OK) {
+	} else if (request->passdb_internal_failure &&
+		   result != PASSDB_RESULT_OK) {
 		/* one of the passdb lookups returned internal failure.
 		   it may have had the correct password, so return internal
 		   failure instead of plain failure. */
--- a/src/auth/auth.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.c	Sat Sep 24 15:55:23 2005 +0300
@@ -17,6 +17,7 @@
 struct auth *auth_preinit(void)
 {
 	struct auth *auth;
+	struct auth_passdb *auth_passdb;
 	const char *driver, *args;
 	pool_t pool;
 	unsigned int i;
@@ -35,7 +36,10 @@
 			break;
 
                 args = getenv(t_strdup_printf("PASSDB_%u_ARGS", i));
-		passdb_preinit(auth, driver, args);
+		auth_passdb = passdb_preinit(auth, driver, args);
+
+		if (getenv(t_strdup_printf("PASSDB_%u_DENY", i)) != NULL)
+			auth_passdb->deny = TRUE;
 
 	}
 	t_pop();
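Review bot: Nothing in auth_preinit checks that a passdb marked deny precedes the others, yet the deny check in auth-request.c only runs when the chain reaches that passdb, and a successful lookup in an earlier passdb ends the chain; the example config tells the admin to list it first, but a misordered configuration silently has no effect. A startup warning when a deny passdb is not the first entry would make the misconfiguration visible. Also, the new getenv check treats any value of PASSDB_%u_DENY as enabled, which matches the master side that sets it to 1 only when deny is configured; a comment such as `/* presence of the variable enables deny; master sets it only when deny=yes */` would record that contract. The new code dereferences the returned auth_passdb unconditionally, so passdb_preinit must never return NULL; its body is outside this hunk, so that should be confirmed or documented at the declaration. auth_preinit starts before the hunk.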
--- a/src/auth/auth.h	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.h	Sat Sep 24 15:55:23 2005 +0300
@@ -11,6 +11,8 @@
 #ifdef HAVE_MODULES
 	struct auth_module *module;
 #endif
+        /* if user is found from this passdb, deny authentication immediately */
+	unsigned int deny:1;
 };
 
 struct auth_userdb {
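Review bot: The added comment line is indented with spaces while the field below it and the rest of the struct use a tab, so it will stand out in any tab-width other than 8. Indent the comment with a tab like `	unsigned int deny:1;` beneath it. The comment itself could be a little more precise about what "found" means in auth-request.c, e.g. `/* any result other than USER_UNKNOWN from this passdb denies the authentication immediately */`.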
--- a/src/auth/passdb.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.c	Sat Sep 24 15:55:23 2005 +0300
@@ -116,7 +116,8 @@
 	callback(PASSDB_RESULT_OK, password, auth_request);
 }
 
-void passdb_preinit(struct auth *auth, const char *driver, const char *args)
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+				   const char *args)
 {
 	struct passdb_module **p;
         struct auth_passdb *auth_passdb, **dest;
@@ -153,6 +154,7 @@
 
 	if (auth_passdb->passdb->preinit != NULL)
 		auth_passdb->passdb->preinit(auth_passdb->args);
+	return auth_passdb;
 }
 
 void passdb_init(struct auth_passdb *passdb)
--- a/src/auth/passdb.h	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.h	Sat Sep 24 15:55:23 2005 +0300
@@ -69,7 +69,8 @@
 
 const char *passdb_credentials_to_str(enum passdb_credentials credentials);
 
-void passdb_preinit(struct auth *auth, const char *driver, const char *args);
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+				   const char *args);
 void passdb_init(struct auth_passdb *passdb);
 void passdb_deinit(struct auth_passdb *passdb);
 
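Review bot: The prototype now returns a pointer but nothing documents what it refers to or whether it can be NULL, and the caller in auth.c dereferences it without a check. Add a comment above the declaration along the lines of `/* Create the passdb for driver and link it into auth's passdb list. Returns the new entry; never NULL (callers rely on unknown drivers being fatal in passdb.c — confirm). */`, with the fatal-on-unknown-driver claim verified against passdb_preinit's body, which is outside this hunk.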
--- a/src/master/auth-process.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/auth-process.c	Sat Sep 24 15:55:23 2005 +0300
@@ -429,6 +429,8 @@
 			env_put(t_strdup_printf("PASSDB_%u_ARGS=%s",
 						i, ap->args));
 		}
+		if (ap->deny)
+			env_put(t_strdup_printf("PASSDB_%u_DENY=1", i));
 	}
 	for (au = set->userdbs, i = 1; au != NULL; au = au->next, i++) {
 		env_put(t_strdup_printf("USERDB_%u_DRIVER=%s", i, au->driver));
--- a/src/master/master-settings.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/master-settings.c	Sat Sep 24 15:55:23 2005 +0300
@@ -197,6 +197,7 @@
 static struct setting_def auth_passdb_setting_defs[] = {
 	DEF(SET_STR, driver),
 	DEF(SET_STR, args),
+	DEF(SET_BOOL, deny),
 
 	{ 0, NULL, 0 }
 };
--- a/src/master/master-settings.h	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/master-settings.h	Sat Sep 24 15:55:23 2005 +0300
@@ -135,6 +135,7 @@
 
 	const char *driver;
 	const char *args;
+	int deny;
 };
 
 struct auth_userdb_settings {