List: inn-workers
Subject: Re: [inn-workers] innd 2.x LDAP authorization support
From: Jonathan Siegle <jsiegle () psu ! edu>
Date: 2008-08-26 12:59:21
Message-ID: 48B3FE29.1060801 () psu ! edu
Julien ÉLIE said the following on 8/25/08 3:59 PM:
> Hi Jonathan,
>
>> Here at Penn State, we use kerberos to authenticate users and ldap
>> for authorization information. I'm considering writing this type of
>> authorization procedure for nnrpd so that I don't need to write 8k
>> userids for the staff group, 90k for students, etc. I would rather
>> create a new token for readers.conf that implies an ldap group. For
>> now, I'll say the token is LDAP_GROUP.
>
> There is no need to create a token for what you want to achieve.
>
>
>> 1.) User logs in as abc123@psu.edu via auth_krb5.c on port 563
>
> Is this first step (authentication) working fine with your configuration?
>
> http://www.eyrie.org/~eagle/software/inn/docs/auth_krb5.html
>
> auth kerberos {
> auth: "auth_krb5 -i nntp"
> }
>
> access kerberos {
> users: "*/nntp"
> newsgroups: example.*
> }
>
It doesn't like my -i nntp on the auth line. I get
Aug 26 08:54:32 tr22n12 news:warn|warning nnrpd[323712]: cider.aset.psu.edu auth_err auth_krb5: unknown user "jsiegle/nntp"
So I'm taking that -i off.
>
>> 2.) When the user selects a group that requires them to be in the ldap
>> group psu.test, psu.test is expanded to see if abc123 is in there and
>> therefore what access(readers.conf:access,read,post) is granted abc123.
>
> As you want a dynamic generation of authorization, group by group,
> I suggest that you use python_dynamic: as explained here:
>
> http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
>
> See especially the subsection entitled "Dynamic Access Control".
>
>
>
>> 2.) On login, all ldap group information is stored by something and
>> when user selects a usenet group, the readers.conf file is used to
>> determine access(ACCESS/read/post).
>
> If you want to do that on login, just generate the right access group
> and do not bother to generate it at every change of group.
> See perl_access: or python_access: in readers.conf:
>
> http://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
> http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
>
> http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8 <- Perl
>
Ok thanks! Works for me.
-Jonathan
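The python_dynamic: approach Julien points to, written out as an added example (not code from this thread, from INN, or from Penn State): a per-newsgroup check that maps newsgroup wildmats to a required LDAP group and fails closed when the directory cannot answer. It assumes the nnrpd module and its set_auth_hook/dynamic API as described in hook-python.html; the group policy, the directory contents and the lookup_groups function are constructed stand-ins for a real LDAP query.

```python
"""INN python_dynamic hook: authorise a newsgroup by LDAP group membership.

Assumptions (not from the thread): the nnrpd module's set_auth_hook()
and the dynamic(attributes) callback per hook-python.html, and a
caller-supplied lookup_groups(user) returning the user's LDAP groups.
"""
import fnmatch

try:
    import nnrpd          # only exists inside INN's embedded interpreter
except ImportError:       # lets the module import (and be tested) outside nnrpd
    nnrpd = None

# Newsgroup wildmat -> required LDAP group (constructed sample policy;
# fnmatch stands in for wildmat and does not support "!" negation).
GROUP_POLICY = [
    ("psu.staff.*", "psu.staff"),
    ("psu.test", "psu.test"),
]

# Constructed sample directory; a real deployment queries LDAP instead.
SAMPLE_DIRECTORY = {"abc123": {"psu.students", "psu.test"}, "xyz789": {"psu.staff"}}


def lookup_groups(user):
    """Return the LDAP groups of user; raises KeyError for an unknown user."""
    return SAMPLE_DIRECTORY[user]


def required_group(newsgroup):
    """First policy entry whose pattern matches, or None if unrestricted."""
    for pattern, ldap_group in GROUP_POLICY:
        if fnmatch.fnmatchcase(newsgroup, pattern):
            return ldap_group
    return None


def check_access(user, newsgroup, groups=lookup_groups):
    """None = allowed (readers.conf rules still apply); a string = deny reason."""
    needed = required_group(newsgroup)
    if needed is None:
        return None
    try:
        member = needed in groups(user)
    except Exception:             # fail closed on any directory problem
        return "directory lookup failed for %s" % user
    return None if member else "%s is not in LDAP group %s" % (user, needed)


class AUTH:
    """Only dynamic() is implemented; authentication stays with auth_krb5."""
    def dynamic(self, attributes):
        user, group = attributes["user"], attributes["newsgroup"]
        if isinstance(user, bytes):   # older INN passes byte strings
            user, group = user.decode(), group.decode()
        return check_access(user, group)


if nnrpd is not None:
    nnrpd.set_auth_hook(AUTH())
```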