Access realm read/post lists from external source (was Re: mods to readers.conf?)

Aidan Cully aidan at panix.com
Tue May 9 13:32:55 UTC 2000


On Tue, May 09, 2000 at 12:39:10AM, Mike Forster said:
> Not certain if interest in this has dwindled, but I'll post it anyway.
> 
> I've modified nnrpd.h and perm.c to support LDAP-based authentication _and_
> read/post permissions in readers.conf.  Here's a snippit of my readers.conf:

I'd thought about read/post permissions being settable from the
auth/resolve hooks (which I think is still a good feature to add, and
quite possibly a better way to handle your particular case than what
you did), but being able to set them from an 'access' realm hook is
probably also a good idea.  Cool.

I've got no idea how you implemented it, but if you didn't do it this
way, I'd suggest using a protocol like is used for the auth/resolve
hooks, rather than, e.g., running 'permldap username', and just
reading back the first two lines, where the first is assumed to be
readable newsgroups, and the second postable.  One of my projects that
will probably never be gotten to is a rewrite of nnrpd to run in a
(mostly) monolithic mode, and have it keep all of its hook programs
running for the life of the nnrpd process.  Then these hooks could
authenticate for several users, without any additional fork()/exec()/
hook setup/teardown overhead.

--aidan

> auth "default" {
> 	auth: "ckldap"
> 	default: "<public>"
> 	default-domain: "armchair.mb.ca"
> }
> 
> access "public" {
> 	users: "<public>@armchair.mb.ca"
> 	newsgroups: "public.*"
> }
> 
> access "private" {
> 	users: "*, !<public>@armchair.mb.ca"
> 	perm: "permldap"
> }
> 
> I use a simple "ckldap" program in the auth realm to authenticate the user 
> via LDAP.
> Initial connections (no res: in the auth realm) default to the "public" 
> access realm: users
> can read and post to public groups.  Authenticated users hit the "private" 
> access realm: the
> "permldap" program specified by my newly-added "perm:" field queries LDAP 
> and retrieves
> read/post group permissions for the user.
> 
> I wanted to see if this would work for our purposes -- and it does -- but 
> I'm delaying the
> necessary code cleanup and testing pending the direction of the recent 
> "parsing
> infrastructure" thread.  I'm also tied up with some other projects right 
> now, but I'd be
> interested in discussing this further if anyone is interested.
> 
> Mike Forster, mike at armchair.mb.ca
> 
> Armchair Airlines Computer Services Inc.
> www.armchair.mb.ca
> (204) 726-8291
> 
> 
> 
> 

-- 
Aidan Cully       "Billy's mother was enormous.  I looked at her, then looked
Not Panix Staff    at the trailer door, than back at her, and I was faced
aidan at panix.com    with my first real math problem."	-- Tom Waits



More information about the inn-workers mailing list