[Dovecot] auth_bind_userdn patch -> logging with ldap and other sources

Geff boing at boing.com
Sat Jan 7 21:10:28 EET 2006


Quoting Timo Sirainen <tss at iki.fi>:
>> Jan  6 17:48:08 kusanagi dovecot: imap-login: Login:
>> user=<cn=boing,ou=people,o=boing>, method=PLAIN, rip=127.0.0.1,
>> lip=127.0.0.1, secured
>
> If you make LDAP's userdb query return the DN as "user", and also make
> sure that you're not using %u in default_mail_env, you could have that.
>
> I'm not sure if I'd want to make a separate "log-user" variable to
> confuse things..

From a security perspective, audit logs or access control mechanisms 
have what's called SRA, or subject resource action.  So in the simple 
case of a website that's as follows:

subject:  user, also called user principal.
resource:  host + url + query string
action:  get (post, etc)

Or in the case of mail:

subject: user
resource:  mail file
action:  read / login / search / select.

However it seems that we have two subjects.  We have one for the passdb 
and one for the userdb.  On my setup the passdb's subject is 
theoretically the ldap dn and the userdb's subject is the /etc/passwd 
getpwnam type unix account.  So we really have two subjects that need 
to be logged in general unless they match, of course.  Yeah, that can be 
messy, but perhaps worse not to know about both principals in the event 
of a security incident.

Just food for thought.

Geff
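As an added illustration of the point above (example code, not from the thread or from Dovecot itself): a small parser that turns the imap-login "Login:" line quoted at the top of the thread into subject/resource/action records, and classifies the logged subject as an LDAP DN (the passdb principal) or a plain unix account name (the userdb principal), so an analyst can see at a glance which of the two principals a given log actually recorded. The second log line in the sample is constructed to show the unix-account case; the log format assumed is the one visible in the quoted line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the line quoted in the thread, plus a constructed second
# line where the userdb's unix account name is logged instead of the LDAP DN.
SAMPLE_LOG = """\
Jan  6 17:48:08 kusanagi dovecot: imap-login: Login: user=<cn=boing,ou=people,o=boing>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Jan  6 17:49:12 kusanagi dovecot: imap-login: Login: user=<boing>, method=PLAIN, rip=10.0.0.5, lip=127.0.0.1
"""

# Matches "<timestamp> <host> dovecot: <service>: Login: <key=value, ...>"
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dovecot: '
    r'(?P<service>[\w-]+): Login: (?P<kv>.*)$')


@dataclass
class SraRecord:
    subject: str        # principal exactly as logged
    subject_kind: str   # "ldap_dn" (passdb-style) or "unix_account" (userdb-style)
    resource: str       # host + service the subject authenticated to
    action: str         # always "login" for this line type
    details: dict       # remaining key=value fields (method, rip, lip, secured)


def parse_login_line(line):
    """Return an SraRecord for a Dovecot imap-login Login line, else None."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group('kv').split(', '):
        key, _, value = part.partition('=')
        # bare flags such as "secured" carry no value; record them as True
        fields[key] = value.strip('<>') if value else True
    user = fields.get('user', '')
    # An LDAP DN is a sequence of attr=value RDNs; a unix account name has no '='
    kind = 'ldap_dn' if '=' in user else 'unix_account'
    resource = f"{m.group('host')}/{m.group('service')}"
    return SraRecord(user, kind, resource, 'login', fields)


def sra_records(log_text):
    """Parse every Login line in log_text into SRA records, skipping others."""
    parsed = (parse_login_line(l) for l in log_text.splitlines())
    return [r for r in parsed if r is not None]


def subjects_by_kind(records):
    """Group logged subjects by principal kind, to show which principals a log holds."""
    out = {}
    for r in records:
        out.setdefault(r.subject_kind, set()).add(r.subject)
    return out
```

Running `subjects_by_kind(sra_records(SAMPLE_LOG))` on the sample yields one DN subject and one unix-account subject, which is exactly the two-principal situation the post describes.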
