NNRP Perl Auth and LDAP Authentication

Russ Allbery rra at stanford.edu
Mon Feb 25 19:41:23 UTC 2002


Sundaram Divya <Divya.Sundaram at motorola.com> writes:

> Thanks for the note. I guess that there are a few options to
> consider. The following is my goal and perhaps you can help me decide
> the best way to address this:

> 	I would like to authenticate users based upon their credentials in
> 	an LDAP Directory Server.

> 	I would additionally like to control access to newsgroups based
> 	upon the subscribers' membership in an LDAP group associated with
> 	the newsgroup.

INN wants to get from the Perl auth hooks a wildmat pattern of groups that
a given user can read, so somewhere along the line you want to transform
those access groups into that sort of table.

Alternately, you could use the Python authentication hooks, which for the
moment are actually more capable in this area.  (It's on the list of
things I'd like to do to make the Perl hooks match the Python hooks in
this area.)  There are Python callbacks whenever a user tries to read or
post to a newsgroup, and from that you could check directly in LDAP using
a Python LDAP module whether they have access to that group.

Based on your requirements, I think that's the direction you want to go.
The resulting Python authenticator would likely be generally useful and
something we'd at least want to put into contrib.

This does require knowing Python, however.

> There are two ways to approach this problem. One is to have a cron job
> that peruses the groups and builds a readers.conf and then executes a
> "ctlinnd reload readers.conf" on a periodic basis. The other way is to
> use LDAP for access control as well.

You really want to do the latter; it's just nicer.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
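
Added example, not part of the original message or of INN: one way to do the transformation described above, turning a user's LDAP group memberships into a wildmat pattern of readable newsgroups. The function name, the group-DN-to-newsgroup table and the sample DNs are assumptions constructed for illustration; the LDAP search and the hook wiring are left out.

```python
import re

# Conservative newsgroup-name check: dot-separated components made of
# lowercase letters, digits, '+', '-' and '_'. Names from the directory that
# contain anything else (notably the wildmat metacharacters * ? [ ] \ , ! @)
# are dropped rather than escaped, so a directory value cannot widen access.
_COMPONENT = r"[a-z0-9][a-z0-9+_-]*"
_NEWSGROUP = re.compile(rf"{_COMPONENT}(?:\.{_COMPONENT})*")

# Wildmat that matches no newsgroup; returned when nothing is allowed.
DENY_ALL = "!*"

# Constructed sample table (assumed site convention): LDAP group DN -> the
# newsgroups that membership grants. DNs are stored lowercase.
GROUP_MAP = {
    "cn=news-staff,ou=groups,dc=example,dc=com": ["corp.staff", "corp.announce"],
    "cn=news-dev,ou=groups,dc=example,dc=com": ["corp.dev", "corp.announce"],
    # Deliberately malformed values to show they are filtered out.
    "cn=news-bad,ou=groups,dc=example,dc=com": ["*", "corp.ok,alt.*", "corp.misc"],
}


def wildmat_for_user(member_of, group_map=GROUP_MAP):
    """Return a wildmat string of the newsgroups a user may read.

    member_of is the list of group DNs the directory reports for the user.
    Unknown groups and invalid newsgroup names grant nothing (fail closed).
    """
    allowed = set()
    for dn in member_of:
        # Simplified DN comparison: trim and lowercase only. A mismatch
        # results in no access being granted, never extra access.
        for name in group_map.get(dn.strip().lower(), ()):
            if _NEWSGROUP.fullmatch(name):
                allowed.add(name)
    if not allowed:
        return DENY_ALL
    # Sorted so the same memberships always give the same pattern.
    return ",".join(sorted(allowed))


if __name__ == "__main__":
    print(wildmat_for_user(["CN=news-staff,OU=Groups,DC=example,DC=com"]))
    print(wildmat_for_user(["cn=news-bad,ou=groups,dc=example,dc=com"]))
    print(wildmat_for_user([]))
```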

