NNRP Perl Auth and LDAP Authentication

Sundaram Divya-QDIVYA1 Divya.Sundaram at motorola.com
Mon Feb 25 19:31:48 UTC 2002


Hi,

Thanks for the note. I guess that there are a few options
to consider. The following is my goal and perhaps you can
help me decide the best way to address this:

	I would like to authenticate users based upon their
	credentials in an LDAP Directory Server.

	I would additionally like to control access to
	newsgroups based upon the subscribers' membership
	in an LDAP group associated with the newsgroup.

For example, for the newsgroup "foobar.forsale", there would
be a group in LDAP "cn=foobar.forsale,ou=newsserver,ou=groups,
dc=foo,dc=com". If this group does not exist, then all users
who authenticate properly would have access. If this group
exists, then you'd have to be a member of this group to read
this group.

In reality, this is useful only when we are providing access
control to "local" newsgroups. I wouldn't expect that this
is how I'd control access to public Usenet newsgroups. I'd
want to use regular readers.conf style access control for
those.

There are two ways to approach this problem. One is to have
a cron job that peruses the groups and builds a readers.conf
and then executes a "ctlinnd reload readers.conf" on a periodic
basis. The other way is to use LDAP for access control as well.

I would like to build a way that can be re-used by future
deployments of INND. (In fact, this feature was the primary
reason for us choosing to go with Netscape Collabra in
the first place).

Any advice?

-----Original Message-----
From: Jeffrey M. Vinocur [mailto:jeff at litech.org]
Sent: Monday, February 25, 2002 12:37 PM
To: Sundaram Divya-QDIVYA1
Cc: inn-workers at isc.org
Subject: Re: NNRP Perl Auth and LDAP Authentication


On Mon, 25 Feb 2002, Sundaram Divya-QDIVYA1 wrote:

> Thanks for all the help in getting the INN based news server
> set up. I have a couple of other questions.

I believe you are using 2.3.x -- if not, the below information is wrong.



> In inn.conf, I saw the following:
>
> 	nnrpperlauth:           false
>
> I assumed that this is what I'd be able to use to authenticate
> users with a Perl script using Mozilla::LDAP::Conn module.

Yes, if you set that to true, you can use perl scripts.  Some
documentation is in the doc/hook-perl file (or instead you could do
`perldoc doc/pod/hook-perl.pod`).


> Where can I find documentation on how to use this feature
> and is this the feature that I should be using to authenticate
> users?

Well, you could.  However, it would be much less work, if you are on a
system which supports PAM, to use pamckpasswd in readers.conf and
configure your PAM to use LDAP.

You can get pamckpasswd from http://www.mathie.cx/~graeme/software.shtml


> Also, does setting this to true totally make irrelevant the
> information in readers.conf file?

Yes.  If you would like to combine perl authentication and readers.conf,
you could try using the 2.4 prerelease (called "CURRENT" on the ftp site)
which has support for this.


-- 
Jeffrey M. Vinocur
jeff at litech.org
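As an added example (not code from this thread, from INN, or from the pamckpasswd project), the access rule Divya describes above, with the cron-job variant rendered as readers.conf access blocks: a newsgroup with no LDAP group under ou=newsserver,ou=groups,dc=foo,dc=com is open to every authenticated user, while an existing group restricts reading to its members. The group base comes from her message; the in-memory dict standing in for the LDAP server, the user DN form uid=<name>,ou=people,..., and the exact access block layout are assumptions.

```python
# Added example, not code from the thread or from INN. Models Divya's rule:
# no LDAP group entry for a newsgroup -> all authenticated users may read it;
# an entry exists -> only its members may. Also renders the result as
# readers.conf access blocks for the cron-job approach she mentions.
# The LDAP server is stood in for by a dict {group DN: set of member DNs}.

GROUP_BASE = "ou=newsserver,ou=groups,dc=foo,dc=com"   # base from the message

def group_dn(newsgroup):
    """LDAP group DN for a newsgroup, e.g. cn=foobar.forsale,<GROUP_BASE>."""
    return f"cn={newsgroup},{GROUP_BASE}".lower()   # DNs compare case-insensitively

def may_read(directory, user_dn, newsgroup):
    """Access decision: a missing group means open to every authenticated user."""
    members = directory.get(group_dn(newsgroup))
    if members is None:
        return True
    return user_dn.lower() in members

def uid_of(user_dn):
    """Assumed user naming uid=<name>,ou=people,...; uid is the readers.conf identity."""
    attr, _, value = user_dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "uid":
        raise ValueError(f"unexpected user DN form: {user_dn}")
    return value.strip()

def readers_conf_access(directory, newsgroups, user_dns):
    """One access block per user naming exactly the local groups they may read.
    Each identity appears in one block only, so block ordering cannot matter."""
    lines = []
    for user_dn in user_dns:
        uid = uid_of(user_dn)
        allowed = [g for g in newsgroups if may_read(directory, user_dn, g)]
        wildmat = ",".join(allowed) or "!*"          # "!*" matches no group at all
        lines += [f'access "{uid}" {{', f'    users: "{uid}"',
                  f'    newsgroups: "{wildmat}"', "}"]
    return "\n".join(lines) + "\n"

# Constructed directory: foobar.forsale is restricted to alice; foobar.general
# has no group entry and is therefore open to everyone who authenticates.
DIRECTORY = {group_dn("foobar.forsale"): {"uid=alice,ou=people,dc=foo,dc=com"}}
LOCAL_GROUPS = ["foobar.forsale", "foobar.general"]
USERS = ["uid=alice,ou=people,dc=foo,dc=com", "uid=bob,ou=people,dc=foo,dc=com"]

if __name__ == "__main__":
    print(readers_conf_access(DIRECTORY, LOCAL_GROUPS, USERS), end="")
```

A cron job would replace DIRECTORY with a real group search, write the output into readers.conf alongside the public-Usenet blocks, and then run "ctlinnd reload readers.conf" as described in the message.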