Re: pam pop issue
On Tue, Jun 17, 2008 at 6:14 PM, Gary Mills <[EMAIL PROTECTED]> wrote:

> On Tue, Jun 17, 2008 at 02:32:46PM +0530, Ashay Chitnis wrote:
> >
> > On Tue, Jun 17, 2008 at 12:09 AM, Gary Mills <[EMAIL PROTECTED]> wrote:
> >
> > Gary, thanks for your help.
> > I have had one sleepless night trying to read out the sasl manuals
> > from SUN :).
> >
> > > the pam_acct_mgmt() call must be removed from saslauthd/auth_pam.c
> > > and added to lib/server.c instead.
> >
> > can you elaborate more on how you have achieved it?
>
> By modifying the SASL source and recompiling it. I can post my patches
> if anyone else is interested.

Can you paste your code if possible?

> > first the item passed by sasl is the service name (pop) and not the
> > remote network ip and this is compared with the actual IP address.
> > pam_get_item should be getting the IP address and passing it to pam
> > NOT the service name..
>
> As others have mentioned, the information stored in the PAM handle
> depends on the application. Many different types are possible, but
> the application has to store the data to make it available to the
> PAM module. PAM_RHOST, the remote host name, would be the one that
> interests you. That information is not always present. For cyrus
> and sasl, it appears not to be present. I haven't confirmed this.

There is a variable defined for ipremoteport in server.c:

    result = _sasl_conn_init(*pconn, service, flags, SASL_CONN_SERVER,
                             &server_idle, serverFQDN,
                             iplocalport, ipremoteport,
                             callbacks, &global_callbacks);

But this is unused, I guess.

> > I have checked it works beautifully in sshd. Now I need to find a way
> > to work it in sasl for pop imap service.
>
> --
> -Gary Mills--Unix Support--U of M Academic Computing and Networking-

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
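Added here as an illustration, not code from the thread or from Linux-PAM: a simplified Python model of pam_access rule matching that reproduces what Ashay reports for his two accessfile variants. It assumes the documented origin fallback (PAM_RHOST, then PAM_TTY, then PAM_SERVICE) and the sample files CONF_ALLOW and CONF_DENY are constructed from the thread; run with no rhost, the service name "pop" is what gets compared against the address list, so "ALL EXCEPT" denies even the permitted address and the plain "+" line matches nothing.

```python
import ipaddress

# Constructed sample accessfiles: the two variants posted in the thread.
CONF_ALLOW = "+:pqr:192.168.2.66/32\n"
CONF_DENY = "-:pqr:ALL EXCEPT 192.168.2.66/32\n"


def user_match(item, user):
    """User field: ALL or a literal user name (group syntax is not modelled)."""
    return item == "ALL" or item == user


def origin_match(item, origin):
    """Origin field: ALL matches anything; an address/CIDR token matches only if
    the origin parses as an address. A service name like 'pop' never does."""
    if item == "ALL":
        return True
    try:
        return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        return item == origin  # hostnames, ttys, service names compare literally


def list_match(items, value, match_one):
    """pam_access list semantics: match something before EXCEPT, nothing after it."""
    if "EXCEPT" in items:
        cut = items.index("EXCEPT")
        return (list_match(items[:cut], value, match_one)
                and not list_match(items[cut + 1:], value, match_one))
    return any(match_one(item, value) for item in items)


def evaluate(conf, user, rhost=None, tty=None, service="pop"):
    """Return (decision, origin_compared) for the first matching rule.
    Assumption modelled on pam_access: the origin is PAM_RHOST, falling back to
    PAM_TTY and then PAM_SERVICE when the application (here saslauthd) set none."""
    origin = rhost or tty or service
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return ("allow" if perm == "+" else "deny", origin)
    return ("allow", origin)  # no rule matched: pam_access grants access


if __name__ == "__main__":
    for conf in (CONF_ALLOW, CONF_DENY):
        print(conf.strip(), evaluate(conf, "pqr", rhost="192.168.2.66"),
              evaluate(conf, "pqr", rhost="10.0.0.5"), evaluate(conf, "pqr"))
```

Note that even with PAM_RHOST set, an accessfile containing only a "+" line restricts nothing, because pam_access grants access when no rule matches; a closing "-:pqr:ALL" line is needed for a real whitelist.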
Re: pam pop issue
On Tue, Jun 17, 2008 at 02:32:46PM +0530, Ashay Chitnis wrote:
>
> On Tue, Jun 17, 2008 at 12:09 AM, Gary Mills <[EMAIL PROTECTED]> wrote:
>
> Gary, thanks for your help.
> I have had one sleepless night trying to read out the sasl manuals
> from SUN :).
>
> > the pam_acct_mgmt() call must be removed from saslauthd/auth_pam.c
> > and added to lib/server.c instead.
>
> can you elaborate more on how you have achieved it?

By modifying the SASL source and recompiling it. I can post my patches
if anyone else is interested.

> first the item passed by sasl is the service name (pop) and not the
> remote network ip and this is compared with the actual IP address.
> pam_get_item should be getting the IP address and passing it to pam
> NOT the service name..

As others have mentioned, the information stored in the PAM handle
depends on the application. Many different types are possible, but
the application has to store the data to make it available to the
PAM module. PAM_RHOST, the remote host name, would be the one that
interests you. That information is not always present. For cyrus
and sasl, it appears not to be present. I haven't confirmed this.

> I have checked it works beautifully in sshd. Now I need to find a way
> to work it in sasl for pop imap service.

--
-Gary Mills--Unix Support--U of M Academic Computing and Networking-
Re: pam pop issue
On Mon, Jun 16, 2008 at 7:19 PM, Ashay Chitnis <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> I need to access pop and imap on user based IP level restrictions. I found
> pam to be best suited for this service level restriction. The restriction
> will be as below.
>
> User pqr should be allowed POP from IPADDR-1
> User B should be allowed IMAP from IPADDR-2
> User C should be allowed POP and IMAP from IPADDR-3
>
> and so on.
>
> To achieve this below settings are done in /etc/pam.d/pop

If you don't find the solution with pam, look at this:
http://wiki.codemongers.com/NginxImapCoreModule
Install nginx and write a piece of code to handle your need.

> cat /etc/pam.d/pop
> auth    required /lib/security/pam_ldap.so
> account required /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
> account required /lib/security/pam_ldap.so
>
> cat /usr/local/etc/popaccess.conf
>
> +:pqr:192.168.2.66/32
>
> OR
>
> -:pqr:ALL EXCEPT 192.168.2.66/32
>
> But this does not seem to be working as it is not yielding the desired effect
> even after restarting saslauthd and cyrus..
>
> Kindly guide me through..
>
> regards
> Ashay

--
Alain Spineux
aspineux gmail com
May the sources be with you
Re: pam pop issue
On Tue, Jun 17, 2008 at 12:46 AM, Michael Menge <[EMAIL PROTECTED]> wrote:
> Hi,
>
> sasl does not pass the IP-Address to pam.

Exactly! This is what is happening, I guess... because it takes "ALL" as the
token but doesn't react on IP addresses..

Any guess how I can MAKE it work?? Any link on this??

regards,
Ashay.

> Quoting Ashay Chitnis <[EMAIL PROTECTED]>:
>
> > Dear All,
> >
> > I need to access pop and imap on user based IP level restrictions. I found
> > pam to be best suited for this service level restriction. The restriction
> > will be as below.
> >
> > User pqr should be allowed POP from IPADDR-1
> > User B should be allowed IMAP from IPADDR-2
> > User C should be allowed POP and IMAP from IPADDR-3
> >
> > and so on.
> >
> > To achieve this below settings are done in /etc/pam.d/pop
> >
> > cat /etc/pam.d/pop
> > auth    required /lib/security/pam_ldap.so
> > account required /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
> > account required /lib/security/pam_ldap.so
> >
> > cat /usr/local/etc/popaccess.conf
> >
> > +:pqr:192.168.2.66/32
> >
> > OR
> >
> > -:pqr:ALL EXCEPT 192.168.2.66/32
> >
> > But this does not seem to be working as it is not yielding the desired effect
> > even after restarting saslauthd and cyrus..
> >
> > Kindly guide me through..
> >
> > regards
> > Ashay
>
> M.Menge                         Tel.: (49) 7071/29-70316
> Universitaet Tuebingen          Fax.: (49) 7071/29-5912
> Zentrum fuer Datenverarbeitung  mail: [EMAIL PROTECTED]
> Waechterstrasse 76
> 72074 Tuebingen
Re: pam pop issue
Hi,

sasl does not pass the IP-Address to pam.

Quoting Ashay Chitnis <[EMAIL PROTECTED]>:

> Dear All,
>
> I need to access pop and imap on user based IP level restrictions. I found
> pam to be best suited for this service level restriction. The restriction
> will be as below.
>
> User pqr should be allowed POP from IPADDR-1
> User B should be allowed IMAP from IPADDR-2
> User C should be allowed POP and IMAP from IPADDR-3
>
> and so on.
>
> To achieve this below settings are done in /etc/pam.d/pop
>
> cat /etc/pam.d/pop
> auth    required /lib/security/pam_ldap.so
> account required /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
> account required /lib/security/pam_ldap.so
>
> cat /usr/local/etc/popaccess.conf
>
> +:pqr:192.168.2.66/32
>
> OR
>
> -:pqr:ALL EXCEPT 192.168.2.66/32
>
> But this does not seem to be working as it is not yielding the desired effect
> even after restarting saslauthd and cyrus..
>
> Kindly guide me through..
>
> regards
> Ashay

M.Menge                         Tel.: (49) 7071/29-70316
Universitaet Tuebingen          Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung  mail: [EMAIL PROTECTED]
Waechterstrasse 76
72074 Tuebingen
Re: pam pop issue
On Mon, Jun 16, 2008 at 10:49:11PM +0530, Ashay Chitnis wrote:
>
> I need to access pop and imap on user based IP level restrictions. I
> found pam to be best suited for this service level restriction. The
> restriction will be as below.
> User pqr should be allowed POP from IPADDR-1
> User B should be allowed IMAP from IPADDR-2
> User C should be allowed POP and IMAP from IPADDR-3
> and so on.
> To achieve this below settings are done in /etc/pam.d/pop
> cat /etc/pam.d/pop
> auth    required /lib/security/pam_ldap.so
> account required /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
> account required /lib/security/pam_ldap.so
> cat /usr/local/etc/popaccess.conf
> +:pqr:192.168.2.66/32
> OR
> -:pqr:ALL EXCEPT 192.168.2.66/32
> But this does not seem to be working as it is not yielding the desired
> effect even after restarting saslauthd and cyrus..

We use a similar restriction in the account management section of PAM,
except that the checks are for account status and service class. To
make this work properly, it's necessary to modify SASL. Specifically,
the pam_acct_mgmt() call must be removed from saslauthd/auth_pam.c and
added to lib/server.c instead.

--
-Gary Mills--Unix Support--U of M Academic Computing and Networking-
pam pop issue
Dear All,

I need to access pop and imap on user based IP level restrictions. I found
pam to be best suited for this service level restriction. The restriction
will be as below.

User pqr should be allowed POP from IPADDR-1
User B should be allowed IMAP from IPADDR-2
User C should be allowed POP and IMAP from IPADDR-3

and so on.

To achieve this below settings are done in /etc/pam.d/pop

cat /etc/pam.d/pop
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
account required /lib/security/pam_ldap.so

cat /usr/local/etc/popaccess.conf

+:pqr:192.168.2.66/32

OR

-:pqr:ALL EXCEPT 192.168.2.66/32

But this does not seem to be working as it is not yielding the desired effect
even after restarting saslauthd and cyrus..

Kindly guide me through..

regards
Ashay