List:       inn-workers
Subject:    Re: [inn-workers] innd 2.x LDAP  authorization support
From:       Jonathan Siegle <jsiegle () psu ! edu>
Date:       2008-08-26 12:59:21
Message-ID: 48B3FE29.1060801 () psu ! edu


Julien ÉLIE said the following on 8/25/08 3:59 PM:
> Hi Jonathan,
> 
>>     Here at Penn State, we use kerberos to authenticate users and ldap 
>> for authorization information. I'm considering writing this type of 
>> authorization procedure for nnrpd so that I don't need to write 8k 
>> userids for the staff group, 90k for students, etc. I would rather 
>> create a new token for readers.conf that implies an ldap group. For 
>> now, I'll say the token is LDAP_GROUP.
> 
> There is no need to create a token for what you want to achieve.
> 
> 
>> 1.) User logs in as abc123@psu.edu via auth_krb5.c on port 563
> 
> Is this first step (authentication) working fine with your configuration?
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/auth_krb5.html
> 
>    auth kerberos {
>        auth: "auth_krb5 -i nntp"
>    }
> 
>    access kerberos {
>        users: "*/nntp"
>        newsgroups: example.*
>    }
> 

It doesn't like my -i nntp on the auth line. I get

Aug 26 08:54:32 tr22n12 news:warn|warning nnrpd[323712]: cider.aset.psu.edu auth_err auth_krb5: unknown user "jsiegle/nntp"

So I'm taking that -i off.


> 
>> 2.) When the user selects a group that requires them to be in the ldap 
>> group psu.test, psu.test is expanded to see if abc123 is in there and 
>> therefore what access(readers.conf:access,read,post) is granted abc123.
> 
> As you want a dynamic generation of authorization, group by group,
> I suggest that you use python_dynamic: as explained here:
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
> 
> See especially the subsection entitled "Dynamic Access Control".
> 
> 
> 
>> 2.) On login, all ldap group information is stored by something and 
>> when user selects a usenet group, the readers.conf file is used to 
>> determine access(ACCESS/read/post).
> 
> If you want to do that on login, just generate the right access group
> and do not bother to generate it at every change of group.
> See perl_access: or python_access: in readers.conf:
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8  <- Perl
> 

Ok thanks! Works for me.

-Jonathan
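The python_access: approach Julien points to, as an added example that is not from the thread, from INN's sample nnrpd_auth.py, or from Penn State's setup: nnrpd calls access() once at login and the returned dict becomes the user's readers.conf access parameters, so the LDAP group lookup happens a single time rather than on every GROUP command. The group names, the uid-from-principal rule and the membership table are constructed assumptions standing in for a real LDAP query.

```python
# Added example (not from the thread or from INN): an nnrpd python_access:
# hook that turns LDAP group membership into readers.conf access parameters.
# Assumptions: nnrpd hands access() a dict with a 'user' key; the LDAP query
# is stood in for by a constructed membership table (_DIRECTORY).

_DIRECTORY = {                      # constructed sample, not real LDAP data
    "psu.staff": {"abc123", "jsiegle"},
    "psu.test": {"abc123"},
}

# Ordered policy: the first LDAP group the user belongs to decides the access
# group; the dict values are readers.conf parameters nnrpd understands.
POLICY = [
    ("psu.test",  {"read": "psu.test,example.*", "post": "psu.test"}),
    ("psu.staff", {"read": "example.*",          "post": "example.*"}),
]
DENY_ALL = {"read": "!*", "post": "!*"}   # no matching group: no access

def ldap_uid(principal):
    """Map the authenticated name to the LDAP uid (assumes the uid is the
    part of the Kerberos principal before '@', e.g. abc123@psu.edu)."""
    if isinstance(principal, bytes):      # newer INN passes bytes
        principal = principal.decode("ascii", "replace")
    return principal.split("@", 1)[0]

def groups_of(uid, directory=_DIRECTORY):
    """Return the LDAP groups containing uid (table lookup stands in for LDAP)."""
    return {g for g, members in directory.items() if uid in members}

def access_for(principal, directory=_DIRECTORY):
    """Compute, once at login, the access parameters for this user."""
    groups = groups_of(ldap_uid(principal), directory)
    for group, params in POLICY:
        if group in groups:
            return dict(params)
    return dict(DENY_ALL)

class AUTH:
    """Instance registered with nnrpd through set_auth_hook()."""
    def access(self, attributes):
        return access_for(attributes["user"])

try:                                    # set_auth_hook only exists inside nnrpd
    set_auth_hook(AUTH())
except NameError:
    pass
```

Because the lookup runs only at login, a user removed from an LDAP group keeps the old rights until the connection ends; if that window matters, the python_dynamic: hook is the place to re-check per group.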
