path: root/roles/IMAP/files/usr/local/bin/list-users.pl
authorGuilhem Moulin <guilhem@fripost.org>2020-05-21 01:35:28 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-21 02:26:16 +0200
commit5118f8d3394579a245b355c863c69410fe92e26e (patch)
tree54fbaf5aca0a1d798fbecca9ba7929f3b25a604e /roles/IMAP/files/usr/local/bin/list-users.pl
parent1df4c30a95abd9e7c6352e2b3d2766281c3e591d (diff)
dovecot-auth-proxy: replace directory traversal with LDAP lookups.
This provides a better isolation opportunity, as the service doesn't need to run as the ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer list users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
Diffstat (limited to 'roles/IMAP/files/usr/local/bin/list-users.pl')
-rwxr-xr-xroles/IMAP/files/usr/local/bin/list-users.pl45
1 files changed, 0 insertions, 45 deletions
diff --git a/roles/IMAP/files/usr/local/bin/list-users.pl b/roles/IMAP/files/usr/local/bin/list-users.pl
deleted file mode 100755
index 1bcab35..0000000
--- a/roles/IMAP/files/usr/local/bin/list-users.pl
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright © 2017 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-use warnings;
-use strict;
-use Net::LDAPI;
-use Net::LDAP::Util qw/ldap_explode_dn escape_dn_value/;
-use Authen::SASL;
-
-my $BASE = 'ou=virtual,dc=fripost,dc=org';
-
-my $LDAP = Net::LDAPI::->new();
-$LDAP->bind( undef, sasl => Authen::SASL::->new(mechanism => 'EXTERNAL') )
- or die "Error: Couldn't bind";
-
-my $mesg = $LDAP->search( base => $BASE, scope => 'children', deref => 'never'
- , filter => '(objectClass=FripostVirtualUser)'
- , attrs => ['1.1']
- );
-die $mesg->error if $mesg->code;
-
-while (defined (my $entry = $mesg->pop_entry())) {
- my $dn = $entry->dn() // next;
- $dn = ldap_explode_dn($dn, casefold => 'lower');
- next unless defined $dn and $#$dn == 4;
- my $l = $dn->[0]->{fvl} // next;
- my $d = $dn->[1]->{fvd} // next;
- printf "%s@%s\n", $l, $d;
-}
-
-$LDAP->unbind;