Innd and ldap

Jeffrey M.Vinocur jeff at litech.org
Thu Nov 25 15:44:46 UTC 2004


On Nov 25, 2004, at 6:55 AM, Dominik Klein wrote:

> So all users with a "foreign" IP address shall have to authenticate
> themselves against an LDAP Server. This would happen (according to my
> enquiry) through PAM.

Yes, if your operating system has PAM support, that's an excellent way 
to authenticate news clients against LDAP.  I would do this:

---begin readers.conf---
auth "foreign" {
      hosts: "*"
      auth: "ckpasswd"
      default-domain: "fernuni-hagen.de"
}

auth "feu" {
      hosts: "fernuni-hagen.de, *.fernuni-hagen.de"
      default: "<local>"
      default-domain: "fernuni-hagen.de"
}

access "feu" {
      users: "*@fernuni-hagen.de"
      newsgroups: "*,!junk"
}
---end readers.conf---

Then you have to make your PAM configuration know what to do with 
queries from INN.  There used to be documentation for this when 
pamckpasswd was a separate package (I wonder if that documentation made 
it into INN at all...guess it probably should live in samples/ or 
something like that).  Anyway, I -think- what you need to do is this:

Put a PAM configuration called "nnrpd" in /etc/pam.d (or wherever your 
PAM configs are stored).  If you want to use LDAP, you probably want to 
refer to pam_ldap instead of pam_unix, but consult your PAM 
documentation for how to do that.

---begin /etc/pam.d/nnrpd---
#
# The PAM configuration file for the Shadow `nnrpd' service
#

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth            requisite       pam_nologin.so

# Ensure that system users cannot login -- this is probably a bit
# hacky, but it'll do for now.
auth            required        pam_listfile.so \
         onerr=succeed item=user sense=deny file=/etc/news/readers.deny

# Standard Un*x authentication. Adding "nullok" to this line would allow
# passwordless accounts, so it is deliberately left off here.
auth            required        pam_unix.so
---end /etc/pam.d/nnrpd---

You'll notice that the above refers to an /etc/news/readers.deny file.  
This is simply a list of usernames that should not be able to 
authenticate via PAM for INN.  You can store it in any location that is 
convenient for you, simply change the /etc/pam.d/nnrpd line to point to 
the correct location.

---begin /etc/news/readers.deny---
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
majordom
postgres
www-data
backup
msql
operator
list
irc
gnats
nobody
postfix
identd
debbugs
mrtg
mysql
gup
sashroot
---end /etc/news/readers.deny---


--  
Jeffrey M. Vinocur
jeff at litech.org
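The policy the readers.conf and PAM files above express, modelled as an added Python example (not INN's code and not the poster's). It assumes INN's "last matching group wins" ordering and uses a constructed subset of readers.deny; `password_ok` stands in for the pam_unix/pam_ldap result.

```python
from fnmatch import fnmatchcase

# Constructed transcription of the readers.conf from the message. In this
# model groups are tried in file order and the last matching group wins
# (an assumption of the model; check readers.conf(5) for your INN version).
AUTH_GROUPS = [
    {"hosts": "*", "auth": "ckpasswd", "default-domain": "fernuni-hagen.de"},
    {"hosts": "fernuni-hagen.de, *.fernuni-hagen.de", "default": "<local>",
     "default-domain": "fernuni-hagen.de"},
]
ACCESS_GROUPS = [{"users": "*@fernuni-hagen.de", "newsgroups": "*,!junk"}]
# Constructed subset of /etc/news/readers.deny (pam_listfile sense=deny).
READERS_DENY = {"root", "daemon", "news", "nobody"}


def wildmat(pattern, name):
    """INN-style wildmat: comma-separated globs, '!' negates, last match wins."""
    result = False
    for item in pattern.split(","):
        item = item.strip()
        if fnmatchcase(name, item.lstrip("!")):
            result = not item.startswith("!")
    return result


def pam_accepts(username, password_ok):
    """Model of /etc/pam.d/nnrpd: pam_listfile rejects listed users before
    pam_unix/pam_ldap is consulted; password_ok stands in for that module."""
    return username not in READERS_DENY and password_ok


def resolve_identity(client_host, username=None, password_ok=False):
    """Identity nnrpd attaches to the connection, or None if it gets none."""
    chosen = None
    for group in AUTH_GROUPS:
        if wildmat(group["hosts"], client_host):
            chosen = group
    if chosen is None:
        return None
    if "auth" in chosen and username is not None:
        identity = username if pam_accepts(username, password_ok) else None
    else:
        identity = chosen.get("default")  # None when the group has no default
    if identity is not None and "@" not in identity:
        identity += "@" + chosen["default-domain"]  # default-domain appended
    return identity


def can_read(client_host, newsgroup, username=None, password_ok=False):
    """True if the client lands in an access group that allows newsgroup."""
    identity = resolve_identity(client_host, username, password_ok)
    if identity is None:
        return False
    pattern = None
    for group in ACCESS_GROUPS:
        if wildmat(group["users"], identity):
            pattern = group["newsgroups"]
    return pattern is not None and wildmat(pattern, newsgroup)
```

Note that a foreign client authenticating as a listed account such as "news" is refused before the password is ever checked, and an identity from another domain (for example "alice@other.org") authenticates but matches no access group, so it can read nothing.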


