Re: pam pop issue

On Mon, Jun 16, 2008 at 10:49:11PM +0530, Ashay Chitnis wrote:
> 
>    I need to access pop and imap  on user based IP level restrictions. I
>    found pam to be best suited for this service level restriction. The
>    restriction will be as below.
>    User pqr should be allowed POP from IPADDR-1
>    User B should be allowed IMAP from IPADDR-2
>    User C should be allowed POP and IMAP from IPADDR-3
>    and so on.
>    To achieve this below settings are done in  /etc/pam.d/pop
>    cat /etc/pam.d/pop
>    auth    required        /lib/security/pam_ldap.so
>    account required  /lib/security/pam_access.so debug accessfile=/usr/local/etc/popaccess.conf
>    account required        /lib/security/pam_ldap.so
>    cat  /usr/local/etc/popaccess.conf
>    +:pqr:192.168.2.66/32
>    OR
>    -:pqr:ALL EXCEPT 192.168.2.66/32
>    But this does not seem to be working as it is not yielding desired
>    effect even after restarting saslauthd and cyrus..

We use a similar restriction in the account management section of PAM,
except that the checks are for account status and service class.  To
make this work properly, it's necessary to modify SASL.  Specifically,
the pam_acct_mgmt() call must be removed from saslauthd/auth_pam.c and
added to lib/server.c instead.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
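
A simplified model of how pam_access evaluates rules like the two quoted above (an added example, not part of the original thread and not pam_access's own code): the first rule whose user and origin fields both match decides, and a login that matches no rule is allowed. It handles only plain user names, ALL, EXCEPT and IPv4 networks; the function names and the COMBINED rule set are constructed for illustration.

```python
import ipaddress

# Constructed rule sets: the two alternatives quoted in the message above,
# plus a combined form (an assumption, not from the thread) for comparison.
ALLOW_ONLY = "+:pqr:192.168.2.66/32"
DENY_EXCEPT = "-:pqr:ALL EXCEPT 192.168.2.66/32"
COMBINED = "+:pqr:192.168.2.66/32\n-:pqr:ALL"


def _match_token(token, value, is_origin):
    """Match one token against a user name or an origin address."""
    if token == "ALL":
        return True
    if not is_origin:
        return token == value
    try:
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(value) in net
    except ValueError:
        # Host names and other origin forms are outside this model.
        return False


def _match_list(field, value, is_origin):
    """Evaluate 'A B EXCEPT C': the left list must match and the right must not."""
    left, _, right = field.partition(" EXCEPT ")
    if not any(_match_token(t, value, is_origin) for t in left.split()):
        return False
    return not (right and _match_list(right, value, is_origin))


def access_allowed(rules, user, origin):
    """Return True if the login is allowed under first-match semantics."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _match_list(users, user, False) and _match_list(origins, origin, True):
            return perm == "+"
    return True  # no rule matched: access is granted by default


if __name__ == "__main__":
    for name, rules in (("ALLOW_ONLY", ALLOW_ONLY), ("DENY_EXCEPT", DENY_EXCEPT)):
        for ip in ("192.168.2.66", "10.0.0.5"):
            print(name, "pqr", ip, access_allowed(rules, "pqr", ip))
```

Under this model the `+` rule on its own does not restrict pqr, because other addresses fall through to the default, while the `-` rule does.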
