access.conf¶

• access.conf
• Wildmats
• Arguments
• Aliases
• Profiles
• Includes
• Authentication
• Access

The access.conf has all information about users, profiles, authentication and accounting. For general system configuration use the NntpswitchConf. This file is a brief explanation of the access.conf. Each option and parameter should be defined before used.

Options can be listed only in this order:

1. Wildmats
2. Arguments
3. Aliases
4. Profiles
5. Includes
6. Authentication
7. Access

See also example access.conf

Wildmats¶

Wildmats are used to define group patterns which can be used in the profiles below.

 wildmat all     *
 wildmat none    !*
 wildmat nl      nl.*
 wildmat big8    sci.*,comp.*,news.*,talk.*,misc.*,soc.*,rec.*,humanities.*
 wildmat local   news-service.*

Arguments¶

Argument blocks for some of the aliases. Only NNTPSwitch commercial grade modules need these currently but you can use args your own mods if you like.

 args defaultdb host=localhost user=example password=example

Aliases¶

Aliases define the modules and their parameters used for authentication and accounting. Each module has it's own specific set of options.

# Always create a reasonable default
alias   auth_default    auth_passwd.so  /usr/local/etc/nntpswitch/passwd
alias   acct_default    acct_syslog.so  local6

# Plaintext password file
#alias  authCustomer1   auth_passwd.so  /usr/local/etc/nntpswitch/passwd.cust1

# POP3 relay
#alias  authSupportNet  auth_pop3.so    mail.support.net:110

# NNTP relay authentication
#alias  authNewsService auth_remote.so  news.news-service.com:119

# Radius
#alias  authRadius1     auth_radius.so  radius.example.com:secretexample
#alias  acctRadius1     acct_radius.so  radius.example.com:secretexample

# Postgres
#alias  authPostgres    auth_postgres.so  dbname=users
#alias  authPgSQL2      auth_postgres.so  hostaddr=127.0.0.1 port=5432 dbname=users user=test password=test

# MySQL
#alias  authMySQL1      auth_mysql.so   hostname=localhost,dbname=users
#alias  authMySQL2      auth_mysql.so   hostname=localhost dbname=test username=test password=test

# LDAP
#alias  authLDAP        auth_ldap.so    # no options, hack auth_ldap.c

# A parameter of "true" always returns Authentication OK
# Any other parameter always returns authentication rejected
#alias  authTrue        auth_ignore.so  true
#alias  authFalse       auth_ignore.so

# Some Accounting aliases
#alias  acctAuthInfo    acct_syslog.so  auth.info
#alias  acctLocal4      acct_syslog.so  local4
#alias  acctNone        acct_none.so

Profiles¶

#
# Profiles. Always leave the "default" profile!
# If a user connects, a profile is assigned based on the ip address (see
# access.conf) If after that a user authenticates (see auth.conf) a
# different profile can be assigned.
#

profile default
# Patterns are defined using "wildmats" above
    ReadPat             none
    PostPat             none

# Disable this profile. Used in some authentication modules.
    Disabled            0

# Allow SSL on this profile. Only supported in the commercial version.
#   AllowSSL            0

# Which type of accounting to use in this profile. This field is required.
    Accounting          acct_default

# Put replacebanner to 1 to only see this banner and
# not the connection and version stuff.
# This only works for acl based connections.
    Banner              www.News-Service.com
    ReplaceBanner       0

# Footer to add to every post. Leave blank to have no footer
#   FooterFile          /etc/nntpswitch/spam.txt

# Global max
    MaxConnections      500
    MaxUsers            50

# Allow users to connect only from 1 ip address.
    SingleHostUser      1

# Max per user
    MaxHostConcurrent   4
    MaxUserConcurrent   4
    MaxSessionTime      86400
    MaxSessionBytes     1000000000

# Limits. Enforce fair use policy by slowing connection down after X gb.
# Supported in commercial version of nntpswitch and needs an external
# accounting database with some scripts.
    Limits              0 0

# Kill connection after this many seconds
    ClientReadTimeout   180

# Those 3 are practically the same. Pick one for the user speed
#   MaxUserBPS          125000
#   MaxUserKbit         1000
    MaxUserMbit         1

# Same here, pick one but for all users together in a this profile
#   MaxProfileBPS       3125000
#   MaxProfileKbit      25000
    MaxProfileMbit      25

# Stuff to put in headers of posts
    XComplaintsTo       abuse@example.com
    Hostname            news.example.com
    Organization        www.News-Service.com
# Force to 1 to overwrite user specified Organization: header
    ForceOrganization   1
# Add nntp-posting-host and nntp-posting-date to posts
    AddNNTPPostingHost  1
# Whether we allow control messages or not
    NoControl           0

# Acct as transparant ihave slave.
    Slave               0

# Allow article lookups by message-id without joining a group first
# This can force more connects and history lookups on your spoolservers.
    ArticleSearch       1

# Ratelimit tuning. This is the factor to increase or decrease the delay
# each time the current bandwidth drops below or above the specified
# MaxLimits values. The default config says reach the maximum bandwidth
# faster then slowing it down. Normally not needed tuning unless you
# need kbit resolution on a gbit scale.
    UserRLFactorU       1.6
    UserRLFactorD       1.4
    ProfileRLFactorD    1.6
    ProfileRLFactorU    1.4
end

# all other profiles are inherited from profile "default" 
# only list options different from default profile

profile world
    ReadPat             local
    PostPat             none
    MaxSessionTime      7200
    MaxConnections      500
end

profile big8
    ReadPat             big8
    PostPat             none
    MaxSessionTime      86400
    MaxConnections      500
end

Includes¶

#
# Includes can only be at this point, after the default profile has been specified
# and before the default authentication and acl mapping.
#
# include customers/news-service.conf
# include customers/customer1.conf

Authentication¶

#
# Authentication Configuration
#
# Use a pattern to match authorization aliases
# A "pattern" must have one *, actually its a wildmat pattern
# Read/Post patterns are wildmats names specified in access.conf
# Specifying them here will overrule the one from access.conf
# If you specify no profile, it defaults to the default profile.
#

# auth mask                  auth-alias         profile

#auth *@support.net          authSupportNet
#auth *@news-service.com     authNewsService
#auth cust1_*                authCustomer1      default

# Always leave 1 "auth *" line, alias names are auth_default and acct_default, by default
# This is a catch-all line if no patterns are specified

auth *                       auth_default       world

# Or this will do the same, using all defaults
#auth *

Access¶

#
# ACL Configuration
#
#
# Possible options are:
#  read    - allow read access
#  post    - allow post access
#  auth    - force authentication
#  stats   - possibility to use statistics command
#  unlimit - don't enforce concurrent connections limits
#  apost   - allow approved postings. if you don't specifiy this nntpswitch
#            will strip the Approved: header and so newgroup and rmgroup
#            messages will not work.
#
# The format file is:
# CIDR/range  Options  Profile
#
# If no profile is specified it will use "default" profile.
#

acl 127.0.0.0/16    read,post,apost,stats,unlimit
acl 192.168.0.0/16  read,post

# Always use a 0/0 entry as the default!
acl 0/0             deny

# Everyone has read and post rights after authentication
#acl 0/0            read,post,auth                  world

# Let everyone just read big8 without posting rights
#acl 0/0            read                            big8