Innd and ldap
Jeffrey M. Vinocur
jeff at litech.org
Thu Nov 25 15:44:46 UTC 2004
On Nov 25, 2004, at 6:55 AM, Dominik Klein wrote:
> So all users with a "foreign" IP address shall have to authenticate
> themselves against an LDAP Server. This would happen (according to my
> enquiry) through PAM.
Yes, if your operating system has PAM support, that's an excellent way
to authenticate news clients against LDAP. I would do this:
---begin readers.conf---
auth "foreign" {
hosts: "*"
auth: "ckpasswd"
default-domain: "fernuni-hagen.de"
}
auth "feu" {
hosts: "fernuni-hagen.de, *.fernuni-hagen.de"
default: "<local>"
default-domain: "fernuni-hagen.de"
}
access "feu" {
users: "*@fernuni-hagen.de"
newsgroups: "*,!junk"
}
---end readers.conf---
Then you have to make your PAM configuration know what to do with
queries from INN. There used to be documentation for this when
pamckpasswd was a separate package (I wonder if that documentation made
it into INN at all...guess it probably should live in samples/ or
something like that). Anyway, I -think- what you need to do is this:
Put a PAM configuration called "nnrpd" in /etc/pam.d (or wherever your
PAM configs are stored). If you want to use LDAP, you probably want to
refer to pam_ldap instead of pam_unix, but consult your PAM
documentation for how to do that.
---begin /etc/pam.d/nnrpd---
#
# The PAM configuration file for the Shadow `nnrpd' service
#
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# Ensure that system users cannot login -- this is probably a bit
# hacky, but it'll do for now.
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/news/readers.deny
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
auth required pam_unix.so
---end /etc/pam.d/nnrpd---
You'll notice that the above refers to an /etc/news/readers.deny file.
This is simply a list of usernames that should not be able to
authenticate via PAM for INN. You can store it in any location that is
convenient for you, simply change the /etc/pam.d/nnrpd line to point to
the correct location.
---begin /etc/news/readers.deny---
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
majordom
postgres
www-data
backup
msql
operator
list
irc
gnats
nobody
postfix
identd
debbugs
mrtg
mysql
gup
sashroot
---end /etc/news/readers.deny---
--
Jeffrey M. Vinocur
jeff at litech.org
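An added example (my own illustration, not code from the message or from INN or Linux-PAM): a small Python model of how the three-line nnrpd PAM stack above is evaluated, including what happens when the readers.deny file cannot be read. The module behaviours, the password store and the deny list are simplified, constructed stand-ins.

```python
from typing import Optional

SUCCESS, FAIL = "success", "fail"

# Constructed stand-ins for /etc/news/readers.deny and a password store.
DENY_FILE: Optional[set] = {"root", "daemon", "news", "nobody"}
PASSWORDS = {"root": "toor", "alice": "s3cret", "news": "news"}


def pam_nologin(user: str, nologin_exists: bool) -> str:
    # Deny everyone except root while /etc/nologin exists.
    return FAIL if (nologin_exists and user != "root") else SUCCESS


def pam_listfile(user: str, deny: Optional[set], onerr: str) -> str:
    # sense=deny: a user listed in the file fails.  onerr= decides what
    # happens when the file cannot be read (modelled as deny=None):
    # onerr=succeed is fail-open, onerr=fail is fail-closed.
    if deny is None:
        return SUCCESS if onerr == "succeed" else FAIL
    return FAIL if user in deny else SUCCESS


def pam_unix(user: str, password: str) -> str:
    return SUCCESS if PASSWORDS.get(user) == password else FAIL


def run_stack(user: str, password: str, *, nologin_exists: bool = False,
              deny: Optional[set] = DENY_FILE, onerr: str = "succeed") -> bool:
    """Return True if the modelled nnrpd stack authenticates the user."""
    # Control flags as Linux-PAM applies them: "requisite" aborts the stack
    # on failure, "required" records the failure but keeps running the
    # remaining modules so a client cannot tell which one rejected it.
    stack = [
        ("requisite", lambda: pam_nologin(user, nologin_exists)),
        ("required", lambda: pam_listfile(user, deny, onerr)),
        ("required", lambda: pam_unix(user, password)),
    ]
    ok = True
    for control, module in stack:
        if module() == FAIL:
            if control == "requisite":
                return False
            ok = False
    return ok
```

The last two cases in the checks below are the one worth noticing: with the posted onerr=succeed, a missing or unreadable readers.deny silently lets the listed system accounts authenticate again.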