pam pop issue

Gary Mills mills at cc.umanitoba.ca
Mon Jun 16 14:39:21 EDT 2008


On Mon, Jun 16, 2008 at 10:49:11PM +0530, Ashay Chitnis wrote:
> 
>    I need to access pop and imap with user-based, IP-level restrictions. I
>    found pam to be best suited for this service-level restriction. The
>    restriction will be as below.
>    User pqr should be allowed POP from IPADDR-1
>    User B should be allowed IMAP from IPADDR-2
>    User C should be allowed POP and IMAP from IPADDR-3
>    and so on.
>    To achieve this, the below settings are done in /etc/pam.d/pop
>    cat /etc/pam.d/pop
>    auth    required        /lib/security/pam_ldap.so
>    account required        /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
>    account required        /lib/security/pam_ldap.so
>    cat /usr/local/etc/popaccess.conf
>    +:pqr:192.168.2.66/32
>    OR
>    -:pqr:ALL EXCEPT 192.168.2.66/32
>    But this does not seem to be working as it is not yielding the desired
>    effect even after restarting saslauthd and cyrus.

We use a similar restriction in the account management section of PAM,
except that the checks are for account status and service class.  To
make this work properly, it's necessary to modify SASL.  Specifically,
the pam_acct_mgmt() call must be removed from saslauthd/auth_pam.c and
added to lib/server.c instead.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
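The pam_access evaluation that the popaccess.conf lines above rely on, as an added example that is not from this thread or from pam_access itself: a small Python model of access.conf matching (first line whose users and origins both match decides, "ALL EXCEPT" lists, IP/CIDR origins compared against the client address that pam_access reads from PAM_RHOST, and the default grant when no line matches). It is run over constructed config lines modelled on the two forms offered in the question; the user "pqr" and the address 192.168.2.66 come from the thread, while "userb", "other", 192.168.2.67 and 10.0.0.5 are constructed.

```python
import ipaddress

# Constructed config text modelled on the two forms in the thread
# (pqr and 192.168.2.66 are from the thread; userb and the other
# addresses are constructed for this example).
ALLOW_LIST_CONF = """\
+:pqr:192.168.2.66/32
+:userb:192.168.2.67
-:ALL:ALL
"""
DENY_ELSEWHERE_CONF = "-:pqr:ALL EXCEPT 192.168.2.66/32\n"


def _origin_matches(origin, rhost):
    """Match one origin token (IP, CIDR, hostname or ALL) against PAM_RHOST.
    Simplified: groups, tty names and domain-suffix entries are not modelled."""
    if origin == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return origin.lower() == rhost.lower()  # client given as a hostname
    try:
        return addr in ipaddress.ip_network(origin, strict=False)
    except ValueError:
        return False  # hostname entry cannot match a bare address here


def _user_matches(token, user):
    return token == "ALL" or token == user


def _list_matches(field, item, match_one):
    """pam_access list: space-separated tokens, optionally 'ALL EXCEPT ...'."""
    tokens = field.split()
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not any(match_one(t, item) for t in tokens[2:])
    return any(match_one(t, item) for t in tokens)


def check_access(conf_text, user, rhost):
    """True if pam_access would grant (user, rhost) under conf_text.
    If no line matches, pam_access grants access, which is why a
    restrictive file normally ends with -:ALL:ALL."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _list_matches(users, user, _user_matches) and \
                _list_matches(origins, rhost, _origin_matches):
            return perm == "+"
    return True
```

Note the difference between the two forms: the "+:pqr:..." allow-list only restricts anyone once a closing "-:ALL:ALL" is present, whereas "-:pqr:ALL EXCEPT ..." restricts pqr alone and leaves every other user at the default grant. Either way the module can only match an address if the calling service actually set PAM_RHOST before the account check, which is the point of Gary's remark about where pam_acct_mgmt() is called.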


More information about the Info-cyrus mailing list