changeset 3609:ea2266d0a07f HEAD
Added deny password databases.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Sat, 24 Sep 2005 15:55:23 +0300 |
parents | b86d4c76efdf |
children | 24d9c17b4cb6 |
files | dovecot-example.conf src/auth/auth-request.c src/auth/auth.c src/auth/auth.h src/auth/passdb.c src/auth/passdb.h src/master/auth-process.c src/master/master-settings.c src/master/master-settings.h |
diffstat | 9 files changed, 36 insertions(+), 8 deletions(-) [+] |
--- a/dovecot-example.conf	Sat Sep 24 15:51:25 2005 +0300
+++ b/dovecot-example.conf	Sat Sep 24 15:55:23 2005 +0300
@@ -569,6 +569,16 @@
 # http://wiki.dovecot.org/Authentication
 #
 
+# Users can be temporarily disabled by adding a passdb with deny=yes.
+# If the user is found from that database, authentication will fail.
+# The deny passdb should always be specified before others, so it gets
+# checked first. Here's an example:
+#passdb passwd-file {
+  # File contains a list of usernames, one per line
+  #args = /etc/imap.deny
+  #deny = yes
+#}
+
 # PAM authentication. Preferred nowadays by most systems.
 # Note that PAM can only be used to verify if user's password is correct,
 # so it can't be used as userdb. If you don't want to use a separate user
--- a/src/auth/auth-request.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth-request.c	Sat Sep 24 15:55:23 2005 +0300
@@ -236,8 +236,14 @@
 					 strlen(request->passdb_password));
 	}
 
-	if (result != PASSDB_RESULT_OK &&
-	    request->passdb->next != NULL) {
+	if (result != PASSDB_RESULT_USER_UNKNOWN && request->passdb->deny) {
+		/* user found from deny passdb. deny this authentication. */
+		auth_request_log_info(request, "passdb",
+				      "User found from deny passdb");
+		result = PASSDB_RESULT_USER_DISABLED;
+	} else if (result != PASSDB_RESULT_OK &&
+		   result != PASSDB_RESULT_USER_DISABLED &&
+		   request->passdb->next != NULL) {
 		/* try next passdb. */
 		if (result == PASSDB_RESULT_INTERNAL_FAILURE)
 			request->passdb_internal_failure = TRUE;
@@ -249,9 +255,8 @@
 		auth_request_verify_plain(request, request->mech_password,
 			request->private_callback.verify_plain);
 		return;
-	}
-
-	if (request->passdb_internal_failure && result != PASSDB_RESULT_OK) {
+	} else if (request->passdb_internal_failure &&
+		   result != PASSDB_RESULT_OK) {
 		/* one of the passdb lookups returned internal failure.
 		   it may have had the correct password, so return internal
 		   failure instead of plain failure. */
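Review bot: In the new deny branch, `result != PASSDB_RESULT_USER_UNKNOWN` also matches PASSDB_RESULT_INTERNAL_FAILURE, so a deny passdb whose lookup merely failed (unreadable file, backend down) is logged as "User found from deny passdb" and the login is rejected as a disabled user. Failing closed is the right outcome — had the result been left as INTERNAL_FAILURE, the `else if` would take the "try next passdb" path and a later passdb could still answer PASSDB_RESULT_OK — but it should be deliberate in the code and distinguishable in the log, not a side effect of the negated comparison. Suggest widening the comment to `/* user found from deny passdb, or the deny lookup itself failed: fail closed either way. */` and passing `result == PASSDB_RESULT_INTERNAL_FAILURE ? "Deny passdb lookup failed, denying" : "User found from deny passdb"` as the message, so an operator can tell an outage of the deny database from an actual ban. Both hunks sit inside a callback whose start and end lie outside the diff.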
--- a/src/auth/auth.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.c	Sat Sep 24 15:55:23 2005 +0300
@@ -17,6 +17,7 @@
 struct auth *auth_preinit(void)
 {
 	struct auth *auth;
+	struct auth_passdb *auth_passdb;
 	const char *driver, *args;
 	pool_t pool;
 	unsigned int i;
@@ -35,7 +36,10 @@
 			break;
 
 		args = getenv(t_strdup_printf("PASSDB_%u_ARGS", i));
-		passdb_preinit(auth, driver, args);
+		auth_passdb = passdb_preinit(auth, driver, args);
+
+		if (getenv(t_strdup_printf("PASSDB_%u_DENY", i)) != NULL)
+			auth_passdb->deny = TRUE;
 	}
 	t_pop();
 
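Review bot: The deny flag is taken from the environment at `auth_passdb->deny = TRUE` without regard to the passdb's position in the chain, yet the auth-request.c change in this same changeset only reaches a later passdb when the earlier ones did not answer PASSDB_RESULT_OK, so a deny passdb listed after a normal one never blocks a user whose password the earlier passdb accepts. The example config only says the deny passdb "should" come first; since this loop already walks the passdbs in configuration order, it can reject the misordering at startup instead of leaving the ban silently ineffective (the master-side settings parser, whose diff is not on this page, would be an equally good place). A sketch follows, where `i_fatal()` stands for whichever fatal-error logging call this process already uses; the rest of auth_preinit lies outside the hunks.
```c
	struct auth_passdb *auth_passdb;
	int seen_normal_passdb = FALSE;
	/* … unchanged: remaining declarations, pool setup, loop head … */
		auth_passdb = passdb_preinit(auth, driver, args);

		if (getenv(t_strdup_printf("PASSDB_%u_DENY", i)) != NULL) {
			/* a deny passdb only works ahead of every normal passdb:
			   once an earlier passdb answers OK the lookup chain
			   stops and this one is never consulted for that user */
			if (seen_normal_passdb) {
				i_fatal("passdb %u: deny=yes passdb must be listed "
					"before all other passdbs", i);
			}
			auth_passdb->deny = TRUE;
		} else {
			seen_normal_passdb = TRUE;
		}
```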
--- a/src/auth/auth.h	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/auth.h	Sat Sep 24 15:55:23 2005 +0300
@@ -11,6 +11,8 @@
 #ifdef HAVE_MODULES
 	struct auth_module *module;
 #endif
+	/* if user is found from this passdb, deny authentication immediately */
+	unsigned int deny:1;
 };
 
 struct auth_userdb {
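Review bot: The comment on the new `deny` field says "if user is found", but the check that reads it (auth-request.c in this changeset) treats every lookup result other than PASSDB_RESULT_USER_UNKNOWN as found — a failed lookup included — and ends the passdb chain rather than trying the next passdb. Since this one line is what a future passdb author will read, make it say so: `/* deny=yes passdb: any lookup result other than "user unknown" (a failed lookup included) stops the passdb chain and denies the authentication; must precede all non-deny passdbs */`. The struct this field belongs to begins before the hunk.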
--- a/src/auth/passdb.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.c	Sat Sep 24 15:55:23 2005 +0300
@@ -116,7 +116,8 @@
 	callback(PASSDB_RESULT_OK, password, auth_request);
 }
 
-void passdb_preinit(struct auth *auth, const char *driver, const char *args)
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+				   const char *args)
 {
 	struct passdb_module **p;
 	struct auth_passdb *auth_passdb, **dest;
@@ -153,6 +154,7 @@
 	if (auth_passdb->passdb->preinit != NULL)
 		auth_passdb->passdb->preinit(auth_passdb->args);
 
+	return auth_passdb;
 }
 
 void passdb_init(struct auth_passdb *passdb)
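Review bot: passdb_preinit now returns the passdb it set up, and its only caller on this page (auth_preinit in auth.c) dereferences the result with no NULL check, so the return contract should be stated at the definition, e.g. `/* Sets up the passdb for "driver", registers it with auth and returns it. Never returns NULL: an unknown driver is expected to abort rather than return (confirm against the elided body). */`. If the part of the function between the two hunks can return early without assigning `auth_passdb`, the caller needs a check instead. The middle of the function is not shown in the diff.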
--- a/src/auth/passdb.h	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/auth/passdb.h	Sat Sep 24 15:55:23 2005 +0300
@@ -69,7 +69,8 @@
 const char *passdb_credentials_to_str(enum passdb_credentials credentials);
 
-void passdb_preinit(struct auth *auth, const char *driver, const char *args);
+struct auth_passdb *passdb_preinit(struct auth *auth, const char *driver,
+				   const char *args);
 void passdb_init(struct auth_passdb *passdb);
 void passdb_deinit(struct auth_passdb *passdb);
 
--- a/src/master/auth-process.c	Sat Sep 24 15:51:25 2005 +0300
+++ b/src/master/auth-process.c	Sat Sep 24 15:55:23 2005 +0300
@@ -429,6 +429,8 @@
 			env_put(t_strdup_printf("PASSDB_%u_ARGS=%s",
 						i, ap->args));
 		}
+		if (ap->deny)
+			env_put(t_strdup_printf("PASSDB_%u_DENY=1", i));
 	}
 	for (au = set->userdbs, i = 1; au != NULL; au = au->next, i++) {
 		env_put(t_strdup_printf("USERDB_%u_DRIVER=%s", i, au->driver));