#
# Diablo dreaderd authentication control file
#
# Some options are required, others are optional
#
# Last match wins
#
# MOST THINGS IN THIS FILE ARE CASE SENSITIVE
#
# The format of this file is:
#definition name
#    option    value
#end
#
# RULES:
#  - Lines starting with a '#' are skipped
#  - Multiple of all definitions are allowed.
#  - If you use 2 of the same name, the first one will be used.
#  - A maximum of 32 characters is allowed for the name of each definition
#  - A name of DEFAULT is reserved for each definition and using it
#    will override the defaults. Use with caution.
#
###################################################
# This defines a virtual server. A virtual server allows you to set
# different strings that are seen by the client or added to local
# postings.
#
# hostname     : The visible hostname - this defaults to the current hostname
# clustername  : The name of this cluster - used in various posting headers
#                Defaults to the same as the hostname
#
# postpath     : The Path: entry to add to posts (Default: None)
#
# newsadmin    : News Admin contact address added to connect banners
#                Defaults to news@hostname.
# organisation : Organisation: line added to local posts (the US spelling
#                with a 'z' can be used too). (Default: None)
# abuseto      : X-Complaints-To: line. (Default: None)
#
# cryptpw      : The password used to DES encrypt X-Trace, if set in vendor.h
#                Default: No crypting of X-Trace:
#
# interface    : IP address for which we accept connections for this vserver
#                Default: All interfaces
# accessfile   : Which access file to use if we matched on an interface
#                Note that the file only accepts 'access' lines - see below
#                All the definitions must exist in %s/dreader.access
#                If '%s' is used, the file is relative to PathLib
#                Default: %s/dreader.access
# noxrefhostupdate : Don't update the Xref: host to be the
#                clustername/hostname. Some clients get upset if the
#                last entry in the Path: doesn't match the Xref: host
#                so be careful about enabling this option. With it
#                enabled, you preserve where the Xref: was last
#                generated.
#
#vserverdef ahost
#    hostname        current.host.name
#    clustername     cluster.host.name
#    postpath        path.host
#    viewpath        path.host
#    newsadmin       news@current.host.name
#    organisation    An Organisation
#    abuseto         abuse@current.host.name
#    cryptpw         apassword
#    interface       1.2.3.4
#    accessfile      %s/access.ahost
#end
#
###################################################
# This defines a group access list.
#  - A default of !* is implied at the beginning of the list if a list
#    is defined.
#  - The value is a wildmat pattern.
#  - Use a single wildmat value per 'group' option.
#
#groupdef grouplist
#    group    alt.*
#    group    !alt.binaries*
#end
#
###################################################
# This defines a type of authentication. Any number of options
# can be used, but the usage is currently undefined in such a case.
# Rather use a single option per authdef definition.
#
# The user and pass options are a special case and both must be
# used to allow a user to authenticate with AUTHINFO
#
# The user option can be used alone with ident to allow only
# a specific user to match this definition based on the response
# from the ident lookup
#
# The ident option is a boolean (enable with 'yes'), to enable
# ident lookups for this auth definition.
#
# The realm is used to match the 'domain' part of an AUTHINFO user
# specified as 'user@domain'.
#
#authdef anauth
#    file      /news/etc/userpass
#    radius    /news/etc/radius.conf
#    user      username
#    pass      password
#    realm     domain
#    ident     yes
#end
#
###################################################
# This is the basic authentication for an access line (see access below)
#
# The groups, auth and vserver options refer to previous definitions.
# If none of them is specified, suitable defaults are used. The vserver
# defaults are the current hostname. The group defaults are '*'. The
# auth defaults are empty (i.e: no authentication required)
#
# read   : connections can read articles (default is 'no')
# post   : connections can post articles (default is 'no')
# feed   : connections can feed articles to this server (default is 'no')
# status : connections are given a short status report and disconnected.
#
# controlpost    : client is allowed to post non-cancel Control: messages
#                  (default is 'yes')
# maxconnperhost : Maximum connections from a specific IP address (across all
#                  reader definitions)
# maxconnpergroup: Max connections allowed for hosts matching this group
# maxconnperuser : Max connections for a specific user. This option is only
#                  valid if the user name is available (via ident or
#                  AUTHINFO - see authdef)
#
# ratelimit      : A crude download rate limit in bytes/second
# ratelimittax   : A tax imposed on the ratelimit for each subsequent
#                  connection from a user/host. The ratelimit is decreased
#                  by (ratelimittax * number of existing connections) and
#                  only applied to the new connection, not to the old ones.
#
# idletimeout    : Time (in seconds) a connection is allowed to be idle
#                  before being closed. Note that the check for idleness
#                  is only done every minute + up to 20 seconds (depending
#                  on machine load).
# sessiontimeout : Time (in seconds) since the connection was established
#                  before it is closed.
#
# pathcomponents : The number of Path: components allowed in local postings
#                  before the article is rejected. The default is '0',
#                  which means don't check.
#
# allowdnsmismatch : Allow connections that have a mismatched Fwd/Rev
#                  DNS entry to connect. They are normally rejected.
#
# grouplog       : Log groups accessed by reader in dreaderd.status and via
#                  syslog
#
# checkpostgroups : Verify that all groups in the Newsgroups: header of
#                  a post request are actually valid on this server.
#
# logcmd         : Log every reader command issued (via syslog). Overrides the
#                  global configuration option "readerdetaillog" for this reader.
#
#readerdef areader
#    read               yes
#    post               yes
#    feed               yes
#    status             no
#    auth               anauth
#    groups             grouplist
#    vserver            ahost
#    maxconnperhost     5
#    maxconnpergroup    2
#    maxconnperuser     1
#    ratelimit          20000
#    ratelimittax       10
#    pathcomponents     3
#    allowdnsmismatch   no
#    grouplog           yes
#    checkpostgroups    yes
#    logcmd             yes
#end
#
# Some suitable basic options are:

# Allow reading and posting with no authentication required
readerdef rp
    read    yes
    post    yes
end

# Allow read-only with no authentication
readerdef ro
    read    yes
end

# Allow feed-only
readerdef feed
    feed    yes
end

# Allow read-only, but only if the total connections for the server is < 50
readerdef rolimit
    read       yes
    maxconn    50
end

# Define fred as a user and allow fred to read and post
authdef fred
    user    fred
    pass    fredspass
end

readerdef userfred
    read    yes
    post    yes
    auth    fred
end

# NOTE about the feeder: If the read/post options are not used for a
# feed definition, the incoming feed will be allocated one of the
# feed-only processes which greatly improves the incoming article
# rate on busy servers
#
###################################################
###################################################
#
# These are the actual access definition lines.
#
# hostpattern refers to an IP address/wildcard/CIDR or a hostname/wildcard.
#             Multiple hostpatterns can be specified as a comma separated
#             list.
#
# readerdefname refers to a readerdef defined above.
#
# The results are not cumulative.
#
# Last match (including any authentication, if used) applies
#
#access hostpattern areader
#

# Anyone on the 1.* network can connect readonly
access 1/8 ro

# Anyone under example.com can read if there are less than 50 total connections
access *.example.com rolimit

# Anyone under domain.example.com can read and post
access *.domain.example.com rp

# User fred can use AUTHINFO to read+post when coming from *.example.com
access *.example.com userfred

# Our feed machine gets a special process
access feed.example.com feed
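
# Added example (not part of the Diablo distribution): a Python audit of a file
# in this format that lists every access line whose readerdef grants post or
# feed while naming no auth definition, which per the comments above means no
# authentication is required. The function names and the sample text are
# constructed for illustration; options repeated inside one definition are
# collected as a list, and only the literal value 'yes' counts as enabled.

```python
# Constructed sample in the dreader.access format (not a real deployment).
SAMPLE = """\
readerdef rp
    post yes
end
authdef fred
    user fred
    pass fredspass
end
readerdef userfred
    post yes
    auth fred
end
access 1/8 rp
access *.example.com userfred
"""
DEF_KINDS = ("vserverdef", "groupdef", "authdef", "readerdef")

def parse(text):
    """Return (defs, access); defs[kind][name] maps option -> list of values."""
    defs, access, current = {k: {} for k in DEF_KINDS}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are skipped
        word, rest = (line.split(None, 1) + [""])[:2]
        if current is not None:
            if word == "end":
                current = None
            else:
                current.setdefault(word, []).append(rest)
        elif word in DEF_KINDS:
            current = {}
            defs[word].setdefault(rest, current)  # first definition of a name wins
        elif word == "access" and len(rest.split()) == 2:
            access.append(tuple(rest.split()))
    return defs, access

def unauthenticated_write_access(text):
    """Access lines whose readerdef grants post/feed with no 'auth' option."""
    defs, access = parse(text)
    findings = []
    for pattern, name in access:
        rd = defs["readerdef"].get(name, {})
        granted = [o for o in ("post", "feed") if rd.get(o, ["no"])[0] == "yes"]
        if granted and "auth" not in rd:
            findings.append((pattern, name, "+".join(granted) + " without auth"))
    return findings
```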