Access realm read/post lists from external source (was Re: mods to readers.conf?)

Mike Forster mike at armchair.mb.ca
Thu May 11 01:56:30 UTC 2000


At 09:32 AM 5/9/00 -0400, Aidan Cully wrote:
[snipped]
 > I'd thought about read/post permissions being settable from the
 > auth/resolve hooks (which I think is still a good feature to add, and
 > quite possibly a better way to handle your particular case than what
 > you did), but being able to set them from an 'access' realm hook is
 > probably also a good idea.  Cool.

Yes, I'd noted that Russ Allbery (1) suggested, "... that
authenticators could return additional information like this," rather
than the access realm.  Further, we'd been using the Perl
authentication option to do authentication and permission assignment
via LDAP in one step; so, naturally, my first inclination was to do
everything from the auth realm and skip the access realm.

However, after grokking the subtleties of readers.conf, listening to the
frustration of some others trying to do the same, and finally, tracing
through perm.c, I came to the following conclusions:

1. Adding "perm: " to the access stanza, to specify an external
program as an alternative to "newsgroups: " or "read: " and "post: ",
seemed a natural extension of the access realm.  I was concerned
about altering the semantics of the auth realm, subtly overriding the
access realm from it, and adding to the apparent confusion of the two.

2. Extending the access realm instead -- retaining the flexibility of
separate authentication and access determination -- would permit
the use of LDAP as an authenticator, access controller, or both.

3. Coding an extension to the access realm would be simpler and
easier.  Regarding your suggestion...

 > I've got no idea how you implemented it, but if you didn't do it this
 > way, I'd suggest using a protocol like is used for the auth/resolve
 > hooks, rather than, e.g., running 'permldap username', and just
 > reading back the first two lines, where the first is assumed to be
 > readable newsgroups, and the second postable.

... I simply copied and modified the mechanisms for parsing and
handling "auth: " in the auth stanza.  I'd like to post my changes
as a patch, but I'd like to keep testing it in our live environment for
a while.  I'm also interested in the rewrite of nnrpd you (and others,
I believe) mentioned.

Mike...

----------
(1) http://www.isc.org/ml-archives/inn-workers/2000/04/msg00176.html
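As an added illustration of the design point Aidan raises above (a key/value protocol modelled on the auth/resolve hooks, rather than reading back two bare lines), here is a small external permission program of the kind a "perm:" entry in an access stanza might run. This is example code written for this page, not code from the INN project or from Mike's patch. It assumes the hook protocol shape used by nnrpd's auth/resolve hooks (a series of `Key: value` lines ending in a lone `.`), assumes the request carries the user name in a `ClientAuthname:` field, and invents the response keys `Read:` and `Post:` for the readable and postable wildmats; the user table stands in for whatever an LDAP lookup would return. Unknown or unauthenticated users get empty lists, so the program fails closed.

```python
"""Hypothetical external permission program for an nnrpd access stanza.

Added example, not code from the INN project or from the message author.
Assumes a line-oriented protocol modelled on the auth/resolve hooks:
nnrpd writes 'Key: value' lines followed by a lone '.', and the program
answers with its own 'Key: value' lines.  The request key 'ClientAuthname',
the response keys 'Read'/'Post', and the user table are all assumptions
made for illustration.
"""
import sys

# Constructed stand-in for an LDAP directory lookup: user -> (read, post).
# Values are readers.conf-style wildmat lists.
USER_TABLE = {
    "alice": ("*", "local.*,comp.*"),
    "bob": ("local.*", ""),
}

# Deny by default: anyone not in the table can neither read nor post.
DEFAULT_READ = ""
DEFAULT_POST = ""


def parse_request(lines):
    """Parse 'Key: value' lines up to the '.' terminator into a dict.

    Anything after the terminator is ignored, and a line without a
    colon is rejected rather than silently dropped.
    """
    fields = {}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == ".":
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed request line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def lookup_permissions(user, table=USER_TABLE):
    """Return (read, post) wildmats for user, failing closed if unknown."""
    if user is None:
        return (DEFAULT_READ, DEFAULT_POST)
    return table.get(user, (DEFAULT_READ, DEFAULT_POST))


def build_response(fields, table=USER_TABLE):
    """Build the response lines for a parsed request.

    A keyed response lets nnrpd ignore keys it does not understand and
    lets the protocol grow without breaking 'first line / second line'
    assumptions on either side.
    """
    user = fields.get("ClientAuthname")  # hypothetical request key
    read, post = lookup_permissions(user, table)
    return [("Read: " + read).rstrip(), ("Post: " + post).rstrip()]


def main():
    fields = parse_request(sys.stdin)
    for line in build_response(fields):
        sys.stdout.write(line + "\n")
    sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as `printf 'ClientAuthname: bob\nClientIP: 192.0.2.1\n.\n' | python3 perm.py` to see the two keyed lines it returns; the empty `Post:` for a read-only user is deliberate, since an absent or empty post list should mean "may not post" rather than "fall through to some default".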
