
access.conf

The access.conf file is very powerful: it can be used to control access to your server in many different ways, and as a result it is also tricky to use. The main source of confusion comes from two features. First, the file is processed twice: once when a user connects, and a second time when (and if) they supply a username and password. Second, the 'last' matching rule in the file is used, so the order of rules is very significant.

Access.conf allows you to do all of the following:

NOTE: You must issue a TELLNEWS RELOAD command after changing access.conf before the changes will take effect. With dmulti and ihave feed entries DNews must be restarted to notice changes.

All access rules in access.conf have the following syntax:

Syntax: host:perm:user:pass:groups [:extension settings]

host
    Examples: *.my.domain, 161.29.4.*, 151.29.4.0/19
    A wildcard name or number; the rule is only used if the connection matches this address. You can use CIDR notation, simple wildcard notation, or ranges, e.g. 1.2.3.0-255. Do not mix the notations: 1.2.*.2-20 would NOT work. Please note that CIDR abbreviations of the form x.x.x/nn DO NOT work; you must give all four octets, e.g. x.x.x.x/nn.

perm
    Examples: read, post, ihave, logoff
    Allow any combination of reading, posting or ihave feeding from this site. 'logoff' closes the connection.

user
    Example: chrisp
    Some news readers can send a user name; if so, it is matched here and the password can be checked.

pass
    Example: rumplestiltskin
    The password, in plain text. Because passwords in this file are stored in the clear, access.conf should be readable only by the account DNews runs as; the later examples keep users in users.dat instead.

groups
    Example: *,!*.erotic.*
    Allow access to groups matching this wildcard list; a pattern starting with '!' removes the groups it matches.

extensions (if several settings are used, separate them with a comma, not a colon)
    con=3            Limit individual IP addresses to 3 simultaneous connections.
    users=20         Limit the users in this domain to 20 concurrent users.
    con=3,users=20   Both settings together.
    mb=20            Limit each user/IP to 20 MB per day (DNews 5.3 or later).
    area=bob         Specifies an area; the users=n limit applies to everyone in the same area (DNews 5.3 or later).
    max_in=10000     Limit input speed to 10K bytes per second (DNews 5.3 or later).
    max_out=20000    Limit output speed to 20K bytes per second on this channel.
    add              Adds or removes the group list depending on whether the user is a member of the usergroup named in the user field. If the group list is secret.* and the user is a member of that usergroup, 'secret.*' is added to their access list; if the user is not a member, '!secret.*' is added instead.
    addonly          Adds the group list if the user is a member of the usergroup named in the user field, but does not add !grouplist when the user is not a member.
                     e.g. *:read,post:,groups=staff::staff.*,secret.*:add

Notes:

After changing access.conf do a 'tellnews reload' - this will only affect new connections.  When adding feeds (ihave entries) and using dmulti you must restart DNews as dmulti only reads access.conf on startup.

Password Authenticating using the system database (Windows Users)

If <user> is "$lookup$" and <pass> is "$lookup$" then NT authentication is used to look up users via the NT user database. Use a line like this in access.conf:

your.ip.range.*:read,post:$lookup$:$lookup$:*

At the same time you must add to dnews.conf "auth_case true" as NT username/passwords are case sensitive and by default DNews is not case sensitive.

NOTE: You MUST also configure DNEWS to run as a specific user, and grant that user the right to do user lookups on the system DNEWS is running on, and on the system where the users are registered if that is a different system. Use a dedicated service account for this: 'Act as part of the operating system' is a very powerful right, so do not grant it to an account that is used for anything else.

First, in Control Panel / Services / DNews News Server, set the service to log on with that account's username and password, then do the following for the same account:

To set user rights in Windows NT, follow these steps:
Click "Start", point to "Programs", click "Administrative Tools (Common)", click "User Manager"
Select the "Policies" menu, click "User Rights"
Check "Show Advanced Rights"
Select "Act as part of operating system"
Click "Add"
Select the User or Users to give the right to...
Click "OK"

To set user rights in Windows 2000, follow these steps:
Click Start, point to Settings, and then click Control Panel.
Double-click Administrative Tools, and then double-click Local Security Policy.
Double-click Security Settings, double-click Local Policies, and then
double-click User Rights Assignment.
Double-click the user right you want to change.
	"Act as part of the operating system"
Click Add, and then click the accounts to which you want to assign the right.
Click OK, and then click OK again.

You can permit reading and posting to different combinations of news groups, for example you may wish to allow students to read all groups but only post to local news groups.

The last matching line in the file is used. This file can be tricky to setup, if it doesn't work as expected check that you have the entries in the right order so that the last matching ip name does what you want.
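To make the two-pass, last-match behaviour concrete, here is a small Python model of the evaluation described above. It was written for this page as an illustration and is not DNews code. Its matching details are assumptions drawn from the examples further down this page, in particular that a rule only changes the permissions it names, so that read and post keep separate group lists (that is the reading under which the read-only examples work); the users it checks are made up. Given a rule set and a connection it returns which permissions and group patterns apply.

```python
"""Model of DNews access.conf evaluation as described on this page.  Added
illustration, not DNews code: last matching rule wins, a connect pass then a
password pass, '!' group exclusions, groups= rules with add/addonly.  Shell-style
wildcard matching and per-permission group lists are assumptions; the EXAMPLE
rule sets are copied from this page and the users are made up."""
import fnmatch
import ipaddress
import re
from collections import namedtuple

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)-(\d+)$")          # e.g. 1.2.3.0-255
Rule = namedtuple("Rule", "host perms user password groups ext")  # perms/ext: frozensets

def parse_access_conf(text):
    """Parse host:perm:user:pass:groups[:extensions] lines; '#' lines are ignored."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        f = line.split(":") + [""] * 6                        # pad missing fields
        rules.append(Rule(f[0],
                          frozenset(p.strip().lower() for p in f[1].split(",") if p.strip()),
                          f[2].strip().lstrip(","),           # ",groups=x" and "groups=x" both occur
                          f[3],
                          [g for g in f[4].split(",") if g],
                          frozenset(t for t in ",".join(f[5:]).split(",") if t)))
    return rules

def host_matches(pattern, ip, name):
    """Wildcard name or number, four-octet CIDR, or a last-octet range."""
    if "/" in pattern:                                        # CIDR, x.x.x.x/nn only
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                                    # e.g. the x.x.x/nn form
            return False
    m = RANGE_RE.match(pattern)
    if m:                                                     # 1.2.3.0-255 style range
        prefix, last = ip.rsplit(".", 1)
        return prefix == m.group(1) and int(m.group(2)) <= int(last) <= int(m.group(3))
    return fnmatch.fnmatchcase(ip, pattern) or (
        name is not None and fnmatch.fnmatchcase(name.lower(), pattern.lower()))

def group_allowed(patterns, group):
    """Later patterns override earlier ones; a leading '!' removes access."""
    allowed = False
    for pat in patterns:
        if fnmatch.fnmatchcase(group, pat.lstrip("!")):
            allowed = not pat.startswith("!")
    return allowed

def evaluate(rules, ip, name=None, user=None, password=None, users_db=None):
    """Return {perm: group_patterns}; a 'logoff' key means the connection is closed.
    users_db stands in for users.dat / the system database: {user: (password, {usergroups})}."""
    access = {}
    def apply(r, groups):                                     # last match wins, per permission
        access.pop("logoff", None)
        for p in r.perms:
            access[p] = list(groups)
    matching = [r for r in rules if host_matches(r.host, ip, name)]
    for r in matching:                                        # pass 1 (connect): rules without a user
        if r.user == "":
            apply(r, r.groups)
    if user is None:
        return access
    db_pw, db_groups = (users_db or {}).get(user, (None, set()))
    authenticated = db_pw is not None and db_pw == password
    usergroups = db_groups if authenticated else set()
    for r in matching:                                        # pass 2 (password): rules naming a user
        if r.user.startswith("groups="):
            member = r.user.split("=", 1)[1] in usergroups
            if not r.ext & {"add", "addonly"}:                # plain groups= rule replaces the lists
                if member:
                    apply(r, r.groups)
            elif member or "add" in r.ext:                    # 'add' also subtracts for non-members
                extra = r.groups if member else ["!" + g for g in r.groups if not g.startswith("!")]
                for p in r.perms:
                    access[p] = access.get(p, []) + extra
        elif r.user and ((r.user == "$lookup$" and authenticated)
                         or (r.user, r.password) == (user, password)):
            apply(r, r.groups)
    return access

EXAMPLE1 = """
*:logoff:::*
*netwin.co.nz:read,post:chrisp:passwd:*
*netwin.co.nz:read,post:::*,!*sex*
"""
USERGROUP_EXAMPLE = """
*:logoff:::*
1.2.3.*:read,post:$lookup$:$lookup$:public.*
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroupall::*
1.2.3.*:read,post:::public.*
"""
LECTURE_EXAMPLE = """
*:logoff:::*
*:read:$lookup$:$lookup$:*
*:post:$lookup$:$lookup$:*,!*.lecture
*:read,post:,groups=staff::*:
"""
USERS_DB = {"jane": ("janepassword", {"usergroup1"}), "joe": ("joepassword", {"usergroupall"}),
            "sally": ("sallypassword", {"student"}), "jim": ("jimpassword", {"staff"})}
```

Running the rule sets from this page through evaluate() reproduces what the examples describe: an outsider ends up with logoff, chrisp gets the 'sex' groups back only after supplying the password, jane's 'add' line grants private.group1 only when her password checks out, and sally can read but not post to tvwatching.lecture. When a real configuration misbehaves, this is the table to build by hand: list the rules that match the host, take the last one per pass, then apply the add/addonly lines in order.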

Extensions, limiting user connections

The extension settings can get complex because they are not applied strictly in order like the other settings. A users= or con= limit depends on what other connections are doing, so it cannot be worked out by a single pass through the file. As a result you cannot apply different concurrent-user limits to overlapping IP ranges, for example:

*:read,post:::*:users=2
*netwinsite.com:read,post:::*:users=10

Would NOT work, because the limit of '2' would apply to everyone not just netwinsite.com users.

Example 1 : Extract access.conf

*:logoff:::*
*netwin.co.nz:read,post:chrisp:passwd:*
*netwin.co.nz:read,post:::*,!*sex*
161.29.1.*:read,post:::*,!*sex*
news*.mci.net:ihave:::*
mypc.netwin.co.nz:read,post:::*

*:logoff:::*
- Default rule: closes the connection of anyone not matched by a later line, i.e. anyone outside our domain.
*netwin.co.nz:read,post:chrisp:passwd:*
- Allows me to read and post to any news group (including the naughty ones) as long as I configure my news reader with the username chrisp and password passwd.
*netwin.co.nz:read,post:::*,!*sex*
- Allows users to read and post to any newsgroup except ones with the word 'sex' in the name.
161.29.1.*:read,post:::*,!*sex*
- The same rule matched by IP number, for readers whose reverse DNS does not resolve (see the note below).
news*.mci.net:ihave:::*
- Allows an ihave feed from an MCI machine, e.g. news12.mci.net.
mypc.netwin.co.nz:read,post:::*
- Allows me to read all groups, even the naughty ones, from my own PC, as long as it has a reverse DNS entry.

Note: Reverse DNS translation is often not properly set up, don’t rely on it, always give ip numbers as well as names. You can give wildcard numbers like 122.33.44.* to allow everyone from a given subnet. Also consider using the 'nodns true' setting which stops DNews even trying to perform the reverse name translation, this can improve performance. Alternatively there is a setting 'access_twice true' placed in dnews.conf which will let DNews try and match on numbers first, this can have side effects as the name matching isn't attempted if the number matching worked.

Complex access.conf Example

Here is a more complex example that would work. In this example we have two subnets, 161.29.3.* and 161.29.4.*; one may have 50 concurrent users, the other 10. Both are limited to 5 connections per reader to prevent a single reader hogging the system. There is also a username and password (naughty, secret) that gives access to the 'sex' groups, and two users (joe, fred) have access to a private news group, netwin.private.

Example 2 - Extract access.conf

*:logoff:::*
161.29.*:read,post:naughty:secret:*,!netwin.private
161.29.*:read,post:joe:secret2:*,!*sex*
161.29.*:read,post:fred:secret3:*,!*sex*
161.29.3.*:read,post:::*,!*sex*,!netwin.private:users=50,con=5
161.29.4.*:read,post:::*,!*sex*,!netwin.private:users=10,con=5

Using NT usergroups to control access (requires DNews 4.6 or later)

Where none,limited,unlimited are NT groups that you have assigned users to.

	*:logoff:::*
	your.ip.range.*:Read,Post:$lookup$:$lookup$:*
	*:read,post:,groups=none::!*:add
	*:read,post:,groups=limited::!*sex*:add
	*:read,post:,groups=limited::!*erotic*:add
	*:read,post:,groups=unlimited::*:add

Example of allowing everyone to read news, but only users with passwords to read and post

*:logoff:::*
*:read,post:$lookup$:$lookup$:*
*:post:::!*
*:read:::*

Example with multiple usergroups and private groups

I have several private newsgroups private.group1,private.group2 and private.group3
and several users, Sally, Jim, Jane and Joe.
Sally should have access to private.group1.
Jim should have access to private.group2.
Jane should have access to private.group1 and private.group3
Joe should have access to all groups.
Also all users should have access to our public newsgroups public.*
except for users from outside our domain 1.2.3.*, who should be refused
access altogether.

How can I set that up?

---------------------------access.conf-----------------------------------
*:logoff:::*
1.2.3.*:read,post:$lookup$:$lookup$:public.*
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroup2::private.group2:add
1.2.3.*:read,post:groups=usergroup3::private.group3:add
1.2.3.*:read,post:groups=usergroupall::*
1.2.3.*:read,post:::public.*
---------------------------users.dat----------------------------------------
sally:sallypassword:None:*:sally:usergroup1
jim:jimpassword:None:*:jim:usergroup2
jane:janepassword:None:*:jane:usergroup1,usergroup3
joe:joepassword:None:*:joe:usergroupall
-------------------------------------------------------------------------------

Brief Explanation

The access.conf configuration above reads something like this...
*:logoff:::*
- Log off any users that don't match any of the following rules.
1.2.3.*:read,post:$lookup$:$lookup$:public.*
- Any user that logs in from our domain 1.2.3.* using a username and password from either
users.dat or the operating systems authentication is given access to public.* groups.
Note that the 'groups' lines below will not work unless there is a '$lookup$' rule like this
above them.
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroup2::private.group2:add
1.2.3.*:read,post:groups=usergroup3::private.group3:add
- If the the user is a member of a specific user group then add access to the appropriate
newsgroups.
1.2.3.*:read,post:groups=usergroupall::*
- If the user is a member of user group usergroupall then give them access to all groups.
1.2.3.*:read,post:::public.*
- If the user doesn't login with a username and password then give them access to the public.*
groups only.

Users.dat defines the four users, their passwords and which if any usergroups they belong to.
For example the following entry defines user jane with password janepassword as a member of
usergroups usergroup1 and usergroup3.
jane:janepassword:None:*:jane:usergroup1,usergroup3

Example: Giving students read only access, and staff read/write

Let's assume all groups ending in '.lecture' must be read-only except to members of the 'staff' usergroup.

---------------------------access.conf-----------------------------------
*:logoff:::*
*:read:$lookup$:$lookup$:*
*:post:$lookup$:$lookup$:*,!*.lecture
*:read,post:,groups=staff::*:
---------------------------users.dat----------------------------------------
sally:sallypassword:None:*:sally:student
jim:jimpassword:None:*:jim:staff
jane:janepassword:None:*:jane:staff
-------------------------------------------------------------------------------

So if you then create newsgroups;

tvwatching.lecture
tvwatching.class

Then any user who logs in with a valid username and password (the *:logoff:::* default rule turns away anyone who does not) will be able to read both groups and post to tvwatching.class, but only 'staff' (jim, jane) will be able to post to tvwatching.lecture.

 

Protecting groups (private.*) by an NT user group (Leadership)

	*:logoff:::*
	*lpcorp.com:read,post:$lookup$:$lookup$:*
	*:read,post:,groups=Leadership::private.*:add
> P.s.: In communicator 4.0x you enable password prompting by right clicking
> the forum's property!


Use authentication via your POP server, protecting one group (test.3) 

First to use pop authentication you must define in dnews.conf

    auth_pophost pop.your.domain

You can list several POP servers, in which case the user can log in with a username of the form 'fred@pop.server'; if pop.server is in the list you gave in auth_pophost, the user is allowed to log in and DNews checks the password with the named host. Note that DNews verifies the password by logging in to that POP server on the user's behalf, so only list POP hosts you trust.

In its simplest form you then just have this line in access.conf:

    *:read,post:$lookup$:$lookup$:*

However you can get much fancier as outlined below:

--------

Here's an example that works. It lets a user called 'fred' log in via POP authentication and access only the group 'test.3', which is listed below as accessible to people in the 'members' usergroup as defined in users.dat.

Normal users who don't give a username/password can read/post all other groups.

users.dat
#user:password:manager access(none,full):managed groups:full name:usergroups
fred::Full:*:Mr Test:members


access.conf
## DO NOT EDIT BY HAND except between the manual parts
## User/passwords should be in users.dat rather than this file
## UserGroups can be defined in users.dat

## DEFAULT RULE
*:logoff:::*

## BEGIN MANUAL PART1 - Anything here will be preserved
## END MANUAL PART1


## DOMAINS
*:read,post,:$lookup$:$lookup$:*:
161.29.2.15:read,post,:$lookup$:$lookup$:*:
*:read,post,:::*:
161.29.2.15:read,post,:::*:

## PROTECTED GROUPS
*:read,post:,groups=members::test.3:add

## IHAVE FEEDS
161.29.2.15:ihave::::

## BEGIN MANUAL PART2 - Anything here will be preserved
## END MANUAL PART2

 


Example of protecting some news groups

>I want to setup one group "local.postone" that only 'fred' can
>post to but anyone can read, and I want another group "private.chat"
>which only certain users (joe,mike,jack) can read and post to.

First install 4.6 and try the web-based GUI user/access manager, which allows this sort of thing. The following example WILL NOT work with DNews 4.5.

Here is an example access.conf AND users.dat for the above

The access.conf protects the group "private.chat" so only members of the usergroup "private" as defined in users.dat can read,post to it.

The group local.postone is specifically blocked from posting for everyone except the user fred.

----------CUT HERE---- access.conf --------------
## UserGroups can be defined in users.dat

## DEFAULT RULE
*:logoff:::*

## DOMAINS
*:read:$lookup$:$lookup$:*:
*:post:$lookup$:$lookup$:*,!local.postone:
*:read:::*:
*:post:::*,!local.postone:

## PROTECTED GROUPS
*:read,post:,groups=private::private.chat:add
*:read,post:,groups=postone::local.postone:add

## IHAVE FEEDS
161.29.2.15:ihave::::

-------- users.dat ----------------------------
fred:fredspassword:none:*::postone
joe:joespassword:none:*::private
mike:password:none:*::private
jack:password:none:*::private

Example of protecting some news groups (simpler)

> >Okay, here's another news server question. Can access to a newsgroup be
> >restricted with a password? For example, I want to setup a discussion group
> >for some kind of evaluation, say das.frontpage98. Can I restrict the viewing
> >& participation in the newsgroup with a password that I distribute to my
> >evaluators?
> >

In access.conf add lines like this (the order is significant)

	*:logoff:::*
	*:read,post:das:secret:!*,das.frontpage98
	*dowagro.com:read,post:::*

Then non-local users would only be able to read and post to das.frontpage98, and only by supplying the username "das" and the password "secret"; users from *dowagro.com can read and post to all groups without a password.


Password Authenticating using LDAP

To add ldap auth use the ldap module that comes with SurgeMail, in DNews add to dnews.conf

    auth_spawn d:\dnews\ldapauth.exe

The LDAPAuth module can be downloaded from the SurgeMail distribution, where you will also find the full docs explaining the LDAPAuth configuration file; see http://netwinsite.com/authent for more details. In particular you need to configure the LDAPAuth ini file.

In access.conf you must add $Lookup$ entries, e.g.
...
*:read,post:$lookup$:$lookup$:*
...


Password Authenticating using NWAuth

The NWAuth module is the default user database that comes with SurgeMail, you can use it with DNews thusly, in dnews.conf add:

    auth_spawn d:\dnews\nwauth.exe

Don't forget to add $Lookup$ to access.conf
...
*:read,post:$lookup$:$lookup$:*
...


Password Authenticating using Radius

This requires DNews 5.2, add to dnews.conf

        auth_radius_host 1.2.3.4
        auth_radius_secret fred
        auth_radius_attribute 26
The secret is the shared secret that you must also have defined on your RADIUS server; it is stored in plain text in dnews.conf, so keep that file readable only by the DNews account. The attribute setting is optional: it is the attribute number, as defined in your /etc/raddb/dictionary file, whose value DNews should use as the list of 'usergroups', e.g.
    "adults,private"
Don't forget to add a lookup entry to access.conf
...
*:read,post:$lookup$:$lookup$:*
...


Password Authenticating using PAM

If PAM support is linked in then just add $Lookup$ to access.conf and DNews will start doing lookups via PAM. You need a distribution with _pam in its name (e.g. dnews53a_linux_pam.tar.Z), as PAM has to be linked in specifically or the binary does not work on platforms without PAM (e.g. other flavours of Linux).
...
*:read,post:$lookup$:$lookup$:*
...

Add to dnews.conf

    pam_type DNews

And in /etc/pam.d/dnews put three lines like this

#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so


Password Authenticating using an external program

Add a dnews.conf setting auth_spawn. If defined, it should point to a program (with parameters) that DNews runs to do user lookups. The program must respond to the two commands 'check' and 'exit' sent to it on stdin, reply on stdout, and exit only when told to. Here is an example of testing such a program interactively:

c:> nwauth
check fred fredspassword ip.address
+OK fred groups="adults,staff"
check jack jackspassword ip.number
-ERR jack unknown user
exit
+OK exiting

Two examples are available: NWAuth, which uses a text file as a user database and comes with DMail, and LDAPAuth (for doing LDAP authentication), which is a self-extracting Windows archive. Both come with full source and can be found in SurgeMail. You must flush stdout in your program for it to work correctly. Note that the program receives the user's password in clear text on stdin and runs with the privileges of the DNews service, so do not write the request lines to a log.

Don't forget to add $Lookup$ to access.conf
...
*:read,post:$lookup$:$lookup$:!*
...
If you are using usergroups like "adults,staff" then add to access.conf rules to use these usergroups, e.g.
*:read,post:,groups=adults::*erotic*,*.sex.*:addonly
*:read,post:,groups=staff::private.staff:addonly
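As an added example (not a NetWin program), here is a complete auth_spawn handler in Python that speaks the check/exit protocol shown above: one request per line on stdin, one +OK/-ERR reply per line on stdout, flushed after every reply, and exiting only on 'exit'. The sample users and the salted-hash storage are this example's own choices, as is the exact -ERR wording; DNews only cares about the +OK/-ERR reply lines.

```python
"""External authenticator for the DNews auth_spawn protocol described above.
Added example, not a NetWin program.  Requests arrive one per line on stdin:
    check <user> <password> <ip>  ->  +OK <user> groups="g1,g2"  or  -ERR <user> <reason>
    exit                          ->  +OK exiting, then the process ends
The user table is constructed for illustration and the hashing scheme is this
example's own choice; DNews only sees the reply lines."""
import hashlib
import hmac
import os
import sys

ROUNDS = 100_000

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def make_user(password, groups):
    """Build a record holding a salted PBKDF2 hash rather than the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "groups": list(groups)}

# Constructed sample database; a real program would load this from a file.
USERS = {
    "fred": make_user("fredspassword", ["adults", "staff"]),
    "jane": make_user("janepassword", ["staff"]),
}
_DUMMY = make_user("", [])   # hashed for unknown users so timing does not reveal valid names

def check(user, password, db=USERS):
    """Return (ok, groups).  Always does one hash and a constant-time compare."""
    rec = db.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]) and user in db
    return ok, (rec["groups"] if ok else [])

def handle(line, db=USERS):
    """Map one request line to the reply line; None means 'exit' was received."""
    parts = line.rstrip("\r\n").split(" ", 3)     # the protocol cannot carry spaces in passwords
    cmd = parts[0].lower()
    if cmd == "exit":
        return None
    if cmd != "check" or len(parts) < 3:
        return "-ERR bad request"
    user, password = parts[1], parts[2]
    ok, groups = check(user, password, db)
    if not ok:
        return f"-ERR {user} invalid user or password"   # never echo the password
    return f'+OK {user} groups="{",".join(groups)}"'

def serve(inp=sys.stdin, out=sys.stdout, db=USERS):
    for line in inp:
        reply = handle(line, db)
        if reply is None:
            out.write("+OK exiting\n")
            out.flush()
            return
        out.write(reply + "\n")
        out.flush()          # DNews blocks on the reply; an unflushed buffer hangs the lookup

if __name__ == "__main__":
    serve()
```

Point auth_spawn at it (for instance auth_spawn /usr/bin/python3 /path/to/dnews_auth.py, an assumed path) and drive it by hand exactly as in the transcript above to confirm the replies before adding the $lookup$ line to access.conf. The password is compared with hmac.compare_digest and the same hash work is done for unknown users, so neither the reply timing nor the error text tells a caller which usernames exist.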

 


Password Authenticating using a DLL

An external authentication mechanism was added for NT and modified for UNIX (the old UNIX mechanism still exists for backward compatibility):

auth_extern true    # Attempt to call the dll to authenticate users
auth_nosystem true  # Don't lookup users via the nt or unix database
auth_lib c:\dnews\mylib.dll   # Give a path for the dll, the default is dnewsauth.dll

If auth_extern is true then DNews will try to load the DLL (dnewsauth.dll unless auth_lib says otherwise) and call this function to verify passwords. The function returns TRUE (non-zero) if the user and password are valid and FALSE otherwise; optionally it can also return a list of 'usergroups' (not news groups):

int dnewsauth(char *user, char *pass, char *usergrps, int bfsz, char *msg)
  usergrps = Output: a comma-separated list of usergroups, e.g. "adults,staff"
  bfsz = Size of the usergrps buffer, including room for the terminating NUL
  msg = String which will be printed in the DNews log file
Don't forget to add $Lookup$ to access.conf
...
*:read,post:$lookup$:$lookup$:*
...
Sample DLL for Visual C (the hard-coded user and password are for illustration only; a real DLL would consult a user database):
#include <windows.h>   /* TRUE, FALSE */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Returns TRUE if user/pass are valid.  usergrps receives a comma-separated
 * list of usergroups (bfsz is its size); msg is written to the DNews log. */
__declspec( dllexport ) int dnewsauth(char *user, char *pass, char *usergrps,
                                      int bfsz, char *msg)
{
        if (strcmp(user,"chrisp")!=0) {
                strcpy(msg,"No such user"); 
                return FALSE;
        }
        if (strcmp(pass,"fred")!=0) {
                strcpy(msg,"Wrong password"); 
                return FALSE;
        }
        /* bfsz is the buffer size, so the last valid index is bfsz-1;
         * writing usergrps[bfsz] would be one byte past the end of the buffer. */
        strncpy(usergrps,"adults,gold",bfsz-1);
        usergrps[bfsz-1] = 0;
        strcpy(msg,"User logged in ok");  /* Optional */        
        return TRUE;
}