Re: [Dovecot] Default fallback behaviour
Yes, thanks a lot - this config is working as expected.
Re: [Dovecot] Default fallback behaviour
On 27.11.2012, at 9.37, Nikita Koshikov wrote: >>> Here is the problem: >>> I have few: >>> passdb { >>> #1 >>> } >>> passdb { >>> #2 >>> } >>> And relative userdb sections. If user not found in 1) section it >> fallbacks >>> to next one - it's expected and right, IMHO. But when the user exists in >>> both section and password verification fails on 1) database it >> successfully >>> authenticated on next one. I think this behaviour should be configured. >> The >>> main goal of 1) section for this server is to overwrite users in main >>> (section2) database. >> > Thank's for the anwer. It's a pity to hear, because it's security feature I > need to provide. The problem - that main passdb - is ldap and there are > about - 5-7 people who can edit it and simply to login as different users. > Yes, activity is logged - but mailbox can be read\stolen. The main goal for > passwd-file database is to revrite ldap very critical mailboxes to local > file. It can be edited only but 1 person - it is nativly to trust 1, but > not to 7. Try if a modified version of Alessio's suggestion works: passdb { driver = passwd-file args = /etc/passwd.important } passdb { driver = passwd-file args = /etc/passwd.important deny = yes } passdb { driver = ldap }
Re: [Dovecot] Default fallback behaviour
On Tue, Nov 27, 2012 at 3:04 AM, Timo Sirainen wrote: > On 23.11.2012, at 9.46, Nikita Koshikov wrote: > > > Hello list, > > > > Here is the problem: > > I have few: > > passdb { > > #1 > > } > > passdb { > > #2 > > } > > And relative userdb sections. If user not found in 1) section it > fallbacks > > to next one - it's expected and right, IMHO. But when the user exists in > > both section and password verification fails on 1) database it > successfully > > authenticated on next one. I think this behaviour should be configured. > The > > main goal of 1) section for this server is to overwrite users in main > > (section2) database. > > It's not always possible to know why #1 failed. For example PAM doesn't > always tell if the password was wrong or if the user didn't exist. > > > Maybe I missed something and this option is already in dovecot code and I > > can't find it ? Or if not - will it be added in the future ? > > > I'm not very interested in adding it, especially because it can't be done > reliably. > > Thank's for the anwer. It's a pity to hear, because it's security feature I need to provide. The problem - that main passdb - is ldap and there are about - 5-7 people who can edit it and simply to login as different users. Yes, activity is logged - but mailbox can be read\stolen. The main goal for passwd-file database is to revrite ldap very critical mailboxes to local file. It can be edited only but 1 person - it is nativly to trust 1, but not to 7.
Re: [Dovecot] Default fallback behaviour
On 23.11.2012, at 9.46, Nikita Koshikov wrote: > Hello list, > > Here is the problem: > I have few: > passdb { > #1 > } > passdb { > #2 > } > And relative userdb sections. If user not found in 1) section it fallbacks > to next one - it's expected and right, IMHO. But when the user exists in > both section and password verification fails on 1) database it successfully > authenticated on next one. I think this behaviour should be configured. The > main goal of 1) section for this server is to overwrite users in main > (section2) database. It's not always possible to know why #1 failed. For example PAM doesn't always tell if the password was wrong or if the user didn't exist. > Maybe I missed something and this option is already in dovecot code and I > can't find it ? Or if not - will it be added in the future ? I'm not very interested in adding it, especially because it can't be done reliably.
Re: [Dovecot] Default fallback behaviour
On Fri, 23 Nov 2012 12:20:23 +0100 Alessio Cecchi wrote: > Il 23/11/2012 08:46, Nikita Koshikov ha scritto: > > Hello list, > > > > Here is the problem: > > I have few: > > passdb { > > #1 > > } > > passdb { > > #2 > > } > > And relative userdb sections. If user not found in 1) section it fallbacks > > to next one - it's expected and right, IMHO. But when the user exists in > > both section and password verification fails on 1) database it successfully > > authenticated on next one. I think this behaviour should be configured. The > > main goal of 1) section for this server is to overwrite users in main > > (section2) database. > > > > Maybe I missed something and this option is already in dovecot code and I > > can't find it ? Or if not - will it be added in the future ? > > > > Dovecot version 2.1.10. > > > > You can enable this features by adding "deny=yes" in the passdb > extra_fields of specific users. > > You can find more information here: > http://wiki2.dovecot.org/AuthDatabase/PasswdFile ot you can use the > "auth-deny.conf.ext" example configuration. > > Ciao Maybe I was not so clear - but this is not what I'm searching for. deny=yes will deny user in corresponding database - I want - allow user to login, if and only if, users password matches and if it fail(in current passdb) - not trying next passdb for checking his password, even if user exists in the next database.
Re: [Dovecot] Default fallback behaviour
Il 23/11/2012 08:46, Nikita Koshikov ha scritto: Hello list, Here is the problem: I have few: passdb { #1 } passdb { #2 } And relative userdb sections. If user not found in 1) section it fallbacks to next one - it's expected and right, IMHO. But when the user exists in both section and password verification fails on 1) database it successfully authenticated on next one. I think this behaviour should be configured. The main goal of 1) section for this server is to overwrite users in main (section2) database. Maybe I missed something and this option is already in dovecot code and I can't find it ? Or if not - will it be added in the future ? Dovecot version 2.1.10. You can enable this features by adding "deny=yes" in the passdb extra_fields of specific users. You can find more information here: http://wiki2.dovecot.org/AuthDatabase/PasswdFile ot you can use the "auth-deny.conf.ext" example configuration. Ciao -- Alessio Cecchi is: @ ILS -> http://www.linux.it/~alessice/ on LinkedIn -> http://www.linkedin.com/in/alessice Assistenza Sistemi GNU/Linux -> http://www.cecchi.biz/ @ PLUG -> ex-Presidente, adesso senatore a vita, http://www.prato.linux.it
[Dovecot] Default fallback behaviour
Hello list, Here is the problem: I have few: passdb { #1 } passdb { #2 } And relative userdb sections. If user not found in 1) section it fallbacks to next one - it's expected and right, IMHO. But when the user exists in both section and password verification fails on 1) database it successfully authenticated on next one. I think this behaviour should be configured. The main goal of 1) section for this server is to overwrite users in main (section2) database. Maybe I missed something and this option is already in dovecot code and I can't find it ? Or if not - will it be added in the future ? Dovecot version 2.1.10.