The access.conf file is very powerful: it can be used to control access to your server in many different ways, and as a result it is also tricky to use. The main source of confusion comes from two features. First, the file is parsed twice: once when a user connects, and a second time when (and if) they supply a username and password. Second, the 'last' matching rule in the file is the one used, so the order of the rules is very significant.
Access.conf allows you to do all of the following:
NOTE: You must issue a TELLNEWS RELOAD command after changing access.conf before the changes will take effect. With dmulti and ihave feed entries dnews must be restarted to notice changes.
All access rules in access.conf have the following Syntax:
Syntax: host:perm:user:pass:groups [:extension settings]
Parameter | Example | Description |
---|---|---|
host | *.my.domain, 161.29.4.* | A wildcard name or number; this rule is only used if the connection matches this address. |
perm | Read, Post, Ihave, logoff | Allow any combination of reading, posting or ihave feeding from this site; logoff closes the connection instead. |
user | chrisp | Some news readers can send a user name; if so it is matched here, and the password can then be checked. |
pass | rumplestiltskin | The password in plain text. |
groups | *,!*.erotic.* | Allow access to groups matching this wildcard list; a pattern starting with '!' excludes the groups it matches. |
extensions | con=3 | Limit individual IP addresses to 3 simultaneous connections. |
extensions | users=20 | Limit the users in this domain to 20 concurrent users. |
extensions | con=3,users=20 | If both settings are set, separate them with a comma, not a colon. |
Notes:
After changing access.conf do a 'tellnews reload' - this will only affect new connections. When adding feeds (ihave entries) and using dmulti you must restart dnews as dmulti only reads access.conf on startup.
If <user> is "$lookup$" and <pass> is "$lookup$" then NT authorization is used to look users up in the NT database. Use a line like this in access.conf:
your.ip.range.*:read,post:$lookup$:$lookup$:*
At the same time you must add "auth_case true" to dnews.conf, as NT usernames/passwords are case sensitive and by default DNEWS is not.
You can permit reading and posting to different combinations of news groups, for example you may wish to allow students to read all groups but only post to local news groups.
The last matching line in the file is used. This file can be tricky to set up; if it doesn't work as expected, check that the entries are in the right order, so that the last line matching the client's name or IP number does what you want.
The extension settings can get complex because they are not applied strictly by order as the other settings are. Both con= and users= depend on what other users are currently doing, so the result cannot be worked out from a single parse of the file. As a result you cannot give different concurrent-user limits to overlapping IP ranges; for example:
*:read,post:::*:users=2
*netwinsite.com:read,post:::*:users=10
would NOT work, because the limit of 2 would apply to everyone, not just netwinsite.com users.
*:logoff:::*
*netwin.co.nz:read,post:chrisp:passwd:*
*netwin.co.nz:read,post:::*,!*sex*
161.29.1.*:read,post:::*,!*sex*
news*.mci.net:ihave:::*
mypc.netwin.co.nz:read,post:::*
Rule | Description |
---|---|
*:logoff:::* | The default rule: because the last matching line wins, anyone whose connection matches none of the later rules (in this example, anyone outside our domain) is logged off immediately. |
*netwin.co.nz:read,post:chrisp:passwd:* | Allows me to read and post to any news group (including the naughty ones), as long as I configure my news reader with the username chrisp and the password passwd. |
*netwin.co.nz:read,post:::*,!*sex* | Allows users to read and post to any newsgroup except ones with the word sex in the name. |
news*.mci.net:ihave:::* | Allows an ihave feed from an MCI machine, e.g. news12.mci.net. |
mypc.netwin.co.nz:read,post:::* | Allows me to read all groups, even the naughty ones, from my own PC, as long as it has a reverse DNS entry. |
Note: Reverse DNS translation is often not properly set up; don't rely on it, and always give IP numbers as well as names. You can give wildcard numbers like 122.33.44.* to allow everyone from a given subnet. Also consider the 'nodns true' setting, which stops DNEWS even trying to perform the reverse name translation and can improve performance. Alternatively there is a dnews.conf setting, 'access_twice true', which makes dnews try to match on numbers first; this can have side effects, as name matching is not attempted if the number matching succeeded.
Here is a more complex example that would work. In this example we have two subnets, 161.29.3.* and 161.29.4.*, one of which can have 50 concurrent users, the other 10. Both are limited to 5 connections per reader, to prevent a single reader hogging the system. We also have a username and password ("naughty", "secret") for the 'sex' groups, and two users (joe and fred) who have access to a private news group "netwin.private".
Example 2 - Extract access.conf
*:logoff:::*
161.29.*:read,post:naughty:secret:*,!netwin.private
161.29.*:read,post:joe:secret2:*,!*sex*
161.29.*:read,post:fred:secret3:*,!*sex*
161.29.3.*:read,post:::*,!*sex*,!netwin.private:users=50,con=5
161.29.4.*:read,post:::*,!*sex*,!netwin.private:users=10,con=5
Using NT usergroups to control access (requires DNEWS 4.6 or later)
*:logoff:::*
your.ip.range.*:Read,Post:$lookup$:$lookup$:*
*:read,post:,groups=none::!*:add
*:read,post:,groups=limited::!*sex*:add
*:read,post:,groups=limited::!*erotic*:add
*:read,post:,groups=unlimited::*:add
where none, limited and unlimited are NT groups that you have assigned users to.
Example of allowing everyone to read news, but only users with passwords to read and post
*:logoff:::*
*:read,post:$lookup$:$lookup$:*
*:post:::!*
*:read:::*
I have several private newsgroups private.group1, private.group2 and private.group3, and several users, Sally, Jim, Jane and Joe.
Sally should have access to private.group1.
Jim should have access to private.group2.
Jane should have access to private.group1 and private.group3.
Joe should have access to all groups.
Also all users should have access to our public newsgroups public.*, except for users from outside our domain 1.2.3.*, who should be refused access altogether.
How can I set that up?
---------------------------access.conf-----------------------------------
*:logoff:::*
1.2.3.*:read,post:$lookup$:$lookup$:public.*
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroup2::private.group2:add
1.2.3.*:read,post:groups=usergroup3::private.group3:add
1.2.3.*:read,post:groups=usergroupall::*
1.2.3.*:read,post:::public.*
---------------------------users.dat----------------------------------------
sally:sallypassword:None:*:sally:usergroup1
jim:jimpassword:None:*:jim:usergroup2
jane:janepassword:None:*:jane:usergroup1,usergroup3
joe:joepassword:None:*:joe:usergroupall
-------------------------------------------------------------------------------
Brief Explanation
The access.conf configuration above reads something like this...
*:logoff:::*
- Log off any user that doesn't match any of the following rules.
1.2.3.*:read,post:$lookup$:$lookup$:public.*
- Any user who logs in from our domain 1.2.3.* with a username and password from either users.dat or the operating system's authentication is given access to the public.* groups. Note that the 'groups' lines below will not work unless there is a '$lookup$' rule like this one above them.
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroup2::private.group2:add
1.2.3.*:read,post:groups=usergroup3::private.group3:add
- If the user is a member of a specific usergroup then add access to the appropriate newsgroups.
1.2.3.*:read,post:groups=usergroupall::*
- If the user is a member of the usergroup usergroupall then give them access to all groups.
1.2.3.*:read,post:::public.*
- If the user doesn't log in with a username and password then give them access to the public.* groups only.
Users.dat defines the four users, their passwords and which usergroups, if any, they belong to. For example the following entry defines user jane, with password janepassword, as a member of usergroups usergroup1 and usergroup3.
jane:janepassword:None:*:jane:usergroup1,usergroup3
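The two points that cause most access.conf surprises, the two passes and last-match-wins described at the top of this page, and the usergroup rules in the private.group example just above, can be checked before touching a live server with a small simulator. The following is an added example, not part of DNews or this page; it reads the access.conf and users.dat shown above (copied inline as constructed input) and applies this reading of the rules, which is an assumption: pass 1 considers only lines with an empty user field; pass 2 considers $lookup$ lines (checked here against users.dat) and literal user:pass lines, and a matching line replaces the pass-1 result; a following groups= line applies when the looked-up user belongs to that usergroup, appending its group list when :add is present and replacing it otherwise. A failed login leaves the pass-1 (anonymous) result in force.

```python
"""Simulator for DNews access.conf evaluation (added example, not DNews code).

Model: the file is parsed once at connect time (no credentials) and again when
a username and password arrive; in each pass the LAST matching line wins.  The
treatment of 'groups=' lines and ':add' is this simulator's reading of the
examples on the page and is an assumption, not documented DNews behaviour."""
from fnmatch import fnmatchcase

# Constructed sample inputs, copied from the private.group example above.
ACCESS_CONF = """\
*:logoff:::*
1.2.3.*:read,post:$lookup$:$lookup$:public.*
1.2.3.*:read,post:groups=usergroup1::private.group1:add
1.2.3.*:read,post:groups=usergroup2::private.group2:add
1.2.3.*:read,post:groups=usergroup3::private.group3:add
1.2.3.*:read,post:groups=usergroupall::*
1.2.3.*:read,post:::public.*
"""
USERS_DAT = """\
sally:sallypassword:None:*:sally:usergroup1
jim:jimpassword:None:*:jim:usergroup2
jane:janepassword:None:*:jane:usergroup1,usergroup3
joe:joepassword:None:*:joe:usergroupall
"""


def parse_access(text):
    """host:perm:user:pass:groups[:extensions]; short lines are padded with empty fields."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 6)[:6]
        rules.append({
            "host": f[0],
            "perms": {p.strip().lower() for p in f[1].split(",") if p.strip()},
            "user": f[2].lstrip(","),  # GUI-written files use ',groups=name'
            "pass": f[3],
            "groups": [g for g in f[4].split(",") if g],
            "ext": {e.strip().lower() for e in f[5].split(",") if e.strip()},
        })
    return rules


def parse_users(text):
    """users.dat: user:password:manager access:managed groups:full name:usergroups"""
    users = {}
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("#"):
            f = (raw.split(":") + [""] * 6)[:6]
            users[f[0]] = (f[1], {g for g in f[5].split(",") if g})
    return users


def group_allowed(patterns, newsgroup):
    """Group wildcards apply in order; a '!' pattern revokes; the last match wins."""
    allowed = False
    for pat in patterns:
        if fnmatchcase(newsgroup, pat.lstrip("!")):
            allowed = not pat.startswith("!")
    return allowed


def evaluate(rules, users, client, user=None, password=None):
    """Return (perms, group patterns) for a client address after both passes."""
    result = (set(), [])
    # Pass 1: connect time, no credentials, so only anonymous lines can match.
    for r in rules:
        if r["user"] == "" and fnmatchcase(client, r["host"]):
            result = (set(r["perms"]), list(r["groups"]))
    if user is None:
        return result
    # Pass 2: credentials supplied.  Anonymous lines are skipped; a successful
    # $lookup$ or literal user:pass line replaces the pass-1 result, and later
    # 'groups=' lines add to or replace the group list for members.
    ugroups = set()
    for r in rules:
        if r["user"] == "" or not fnmatchcase(client, r["host"]):
            continue
        if r["user"] == "$lookup$":
            if user in users and users[user][0] == password:
                ugroups = users[user][1]
                result = (set(r["perms"]), list(r["groups"]))
        elif r["user"].startswith("groups="):
            if r["user"][len("groups="):] in ugroups:
                groups = result[1] + r["groups"] if "add" in r["ext"] else list(r["groups"])
                result = (set(r["perms"]), groups)
        elif r["user"] == user and r["pass"] == password:
            result = (set(r["perms"]), list(r["groups"]))
    return result


if __name__ == "__main__":
    rules, users = parse_access(ACCESS_CONF), parse_users(USERS_DAT)
    for who in (("1.2.3.4",), ("5.6.7.8",), ("1.2.3.4", "jane", "janepassword"),
                ("1.2.3.4", "joe", "joepassword"), ("1.2.3.4", "jane", "wrong")):
        perms, groups = evaluate(rules, users, *who)
        print(who, sorted(perms), groups, "private.group1:", group_allowed(groups, "private.group1"))
```

Moving the `*:logoff:::*` line to the end of the file is the classic mistake: it then becomes the last match for everyone and the whole domain is logged off. Run the simulator against a reordered copy of the file before reloading it on the server, and extend the sample inputs with your own rules and clients.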
*:logoff:::*
*lpcorp.com:read,post:$lookup$:$lookup$:*
*:read,post:,groups=Leadership::private.*:add
> P.s.: In Communicator 4.0x you enable password prompting by right-clicking the forum's property!
Here's an example that works. It lets a user called 'fred' log in via POP authentication and only access the group 'test.3', which is listed below as being accessible to people in the 'members' usergroup as defined in users.dat.
Normal users who don't give a username/password can read and post to all other groups.
users.dat
```
#user:password:manager access(none,full):managed groups:full name:usergroups
fred::Full:*:Mr Test:members
```
access.conf
```
## DO NOT EDIT BY HAND except between the manual parts
## User/passwords should be in users.dat rather than this file
## UserGroups can be defined in users.dat
## DEFAULT RULE
*:logoff:::*
## BEGIN MANUAL PART1 - Anything here will be preserved
## END MANUAL PART1
## DOMAINS
*:read,post,:$lookup$:$lookup$:*:
161.29.2.15:read,post,:$lookup$:$lookup$:*:
*:read,post,:::*:
161.29.2.15:read,post,:::*:
## PROTECTED GROUPS
*:read,post:,groups=members::test.3:add
## IHAVE FEEDS
161.29.2.15:ihave::::
## BEGIN MANUAL PART2 - Anything here will be preserved
## END MANUAL PART2
```
>I want to setup one group "local.postone" that only 'fred' can
>post to but anyone can read, and I want another group "private.chat"
>which only certain users (joe,mike,jack) can read and post to.
First install 4.6 and try the web-based GUI user/access manager, which allows this sort of thing. The following example will NOT work with DNews 4.5.
Here is an example access.conf AND users.dat for the above
The access.conf protects the group "private.chat" so only members of the usergroup "private" as defined in users.dat can read,post to it.
The group local.postone is specifically blocked from posting for everyone except the user fred.
----------CUT HERE---- access.conf --------------
```
## UserGroups can be defined in users.dat
## DEFAULT RULE
*:logoff:::*
## DOMAINS
*:read:$lookup$:$lookup$:*:
*:post:$lookup$:$lookup$:*,!local.postone:
*:read:::*:
*:post:::*,!local.postone:
## PROTECTED GROUPS
*:read,post:,groups=private::private.chat:add
## IHAVE FEEDS
161.29.2.15:ihave::::
```
-------- users.dat ----------------------------
```
fred:fredspassword:none:*::
joe:joespassword:none:*::private
mike:password:none:*::private
jack:password:none:*::private
```
> >Okay, here's another news server question. Can access to a newsgroup be
> >restricted with a password? For example, I want to setup a discussion group
> >for some kind of evaluation, say das.frontpage98. Can I restrict the viewing
> >& participation in the newsgroup with a password that I distribute to my
> >evaluators?
> >
In access.conf add lines like this (the order is significant):
*:logoff:::*
*:read,post:das:secret:!*,das.frontpage98
*dowagro.com:read,post:::*
Then non-local users would only be able to read das.frontpage98, and only by supplying the username "das" and the password "secret"; local dowagro.com users keep access to all groups.
To add LDAP authentication use the ldap module that comes with DMAIL; in dnews.conf add:
auth_spawn d:\dnews\ldapauth.exe
The module ldapauth can be downloaded from the dmail distribution, there you will also find the full docs explaining the ldapauth configuration file, see http://netwinsite.com/dmail for more details.
In access.conf you must add $Lookup$ entries, e.g.
...
*:read,post:$lookup$:$lookup$:*
...
The nwauth module is the default user database that comes with DMAIL. You can use it with dnews as follows; in dnews.conf add:
auth_spawn d:\dnews\nwauth.exe
Don't forget to add $Lookup$ to access.conf
...
*:read,post:$lookup$:$lookup$:*
...
RADIUS authentication requires dnews 5.2 or later; add to dnews.conf:
auth_radius_host 1.2.3.4
auth_radius_secret fred
auth_radius_attribute 26
The secret is the shared secret that you must have defined on your RADIUS server. The attribute is optional; it is the attribute number, as defined in your /etc/raddb/dictionary file, whose value dnews should use as a list of 'usergroups', e.g. "adults,private".
Don't forget to add a lookup entry to access.conf
...
*:read,post:$lookup$:$lookup$:*
...
If PAM support is linked in then just add $Lookup$ to access.conf and dnews will start doing lookups via PAM. You will need a distribution with _pam in its name (e.g. dnews53a_linux_pam.tar.Z), as we have to link this in specifically or the binary doesn't work on platforms without PAM (e.g. other flavours of Linux).
...
*:read,post:$lookup$:$lookup$:*
...
Add a dnews.conf setting auth_spawn; if defined, it should point to a program (with parameters) that is run to do user lookups. The program should respond to the two commands 'check' and 'exit' sent to it on stdin, reply on stdout, and only exit when told to. Here is an example of testing such a program interactively:
c:> nwauth
check fred fredspassword ip.address
+OK fred (possibly other info)
check jack jackspassword ip.number
-ERR jack unknown user
exit
+OK exiting
Two examples are available: nwauth, which uses a text file as a user database and comes with DMAIL, and ldapauth (for LDAP authentication), which is a self-extracting Windows archive. Both come with full source and can be found in DMAIL. You must flush stdout in your program for it to work correctly.
Don't forget to add $Lookup$ to access.conf:
...
*:read,post:$lookup$:$lookup$:*
...
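The check/exit protocol above is small enough to implement in a few dozen lines, and doing so shows the two things a custom lookup program must get right: it must keep running until told to exit, and it must flush every reply. The following is an added example of such a program, not NetWin's nwauth or ldapauth; the user database is constructed inline, and what it returns after the user name in a +OK reply (the user's usergroups) is an assumption, since the page only says "possibly other info".

```python
"""Minimal auth_spawn program in the protocol described above.

Added example, not NetWin's nwauth.  DNews writes commands to the program's
stdin, one per line, and reads one reply line from stdout:
    check <user> <password> <client ip>  ->  "+OK <user> ..." or "-ERR ..."
    exit                                 ->  "+OK exiting", then the program exits
What may follow the user name in a +OK reply is not specified on this page;
returning the user's usergroups there is this example's assumption.
"""
import hashlib
import hmac
import os
import sys

PBKDF2_ROUNDS = 100_000


def make_record(password, usergroups, salt=None):
    """Keep a salted PBKDF2 hash rather than the plaintext a text users file holds."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "usergroups": list(usergroups)}


# Constructed user database; the names and passwords are examples only.
USERS = {
    "fred": make_record("fredspassword", ["members"]),
    "joe": make_record("joespassword", ["private"]),
}


def verify(user, password):
    """Constant-time check; an unknown user still costs one hash, so timing does not leak names."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else b"\0" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(candidate, rec["hash"])


def handle(line):
    """Handle one command line; returns (reply, keep_running)."""
    parts = line.split()
    if not parts:
        return "-ERR empty command", True
    cmd = parts[0].lower()
    if cmd == "exit":
        return "+OK exiting", False
    if cmd == "check":
        if len(parts) != 4:
            return "-ERR usage: check <user> <password> <ip>", True
        user, password, _client_ip = parts[1:]
        if verify(user, password):
            return "+OK %s %s" % (user, ",".join(USERS[user]["usergroups"])), True
        # One message for both unknown user and wrong password, so the reply
        # does not confirm which user names exist.
        return "-ERR %s authentication failed" % user, True
    return "-ERR unknown command %s" % cmd, True


def main():
    # Loop until 'exit' (or until dnews closes the pipe).  Every reply is
    # flushed: dnews waits for the line, and a buffered reply stalls both sides.
    for line in sys.stdin:
        reply, keep_running = handle(line.rstrip("\r\n"))
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()
        if not keep_running:
            break


if __name__ == "__main__":
    main()
```

To try it the way the page tests nwauth, run the script and type the check and exit lines at it; to use it, point auth_spawn in dnews.conf at the interpreter and the script (the exact path is site specific and assumed here), and keep the $lookup$ line in access.conf.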
External authentication mechanism added for NT and modified for UNIX (the old mechanism for unix still exists for backward compatibility)
auth_extern true             # Attempt to call the dll to authenticate users
auth_nosystem true           # Don't lookup users via the nt or unix database
auth_lib c:\dnews\mylib.dll  # Give a path for the dll, the default is dnewsauth.dll
If auth_extern is true then dnews will try to load a dll called dnewsauth.dll and call this function to verify passwords; optionally the function can return a list of 'usergroups' (not news groups):
int dnewsauth(char *user, char *pass, char *usergrps, int bfsz, char *msg)
usergrps = A list of groups, e.g. "adults", "staff" etc.
bfsz = Max size of usergrps
msg = String which will be printed in the dnews log file
Don't forget to add $Lookup$ to access.conf:
...
*:read,post:$lookup$:$lookup$:*
...
Sample DLL for Visual C
```c
#include <windows.h>   /* TRUE, FALSE and __declspec */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Called by DNEWS for each login when auth_extern is true.  Return TRUE on
   success; usergrps receives a comma-separated list of usergroups (at most
   bfsz bytes including the terminator) and msg a line for the dnews log. */
__declspec(dllexport) int dnewsauth(char *user, char *pass, char *usergrps, int bfsz, char *msg)
{
    if (strcmp(user, "chrisp") != 0) {
        strcpy(msg, "No such user");
        return FALSE;
    }
    if (strcmp(pass, "fred") != 0) {
        strcpy(msg, "Wrong password");
        return FALSE;
    }
    /* bfsz is the size of usergrps, so the last valid index is bfsz - 1;
       writing usergrps[bfsz] would overrun the buffer by one byte. */
    strncpy(usergrps, "adults,gold", bfsz);
    usergrps[bfsz - 1] = 0;
    strcpy(msg, "User logged in ok");   /* Optional */
    return TRUE;
}
```