NNRP Perl Auth and LDAP Authentication

Sundaram Divya-QDIVYA1 Divya.Sundaram at motorola.com
Mon Feb 25 20:20:22 UTC 2002


Russ,

Thanks for the response.

Since I know LDAP really well (and happen to have a test 
LDAP directory to play with), I will be happy to work on
this.

My insistence on having PERL instead of PYTHON hooks is
due to the relative ubiquitousness of PERL and not wanting
to have Usenet Admins also have to become fluent in 
understanding what PYTHON Scripts do.

I have an install of inn-2.3.2 p5 on RedHat 7.2 ... and
I would like to work using this installation. I will start
by developing the quick fixes (using Perl hooks) and then
move onto the Python hooks that do things right.

What documentation would get me off on the right track?

Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have.                  - BASIL S. WALSH
--------- Motorola OneIT -- Enabling the Enterprise ----------


-----Original Message-----
From: Russ Allbery [mailto:rra at stanford.edu]
Sent: Monday, February 25, 2002 1:41 PM
To: inn-workers at isc.org
Subject: Re: NNRP Perl Auth and LDAP Authentication



Sundaram Divya <Divya.Sundaram at motorola.com> writes:

> Thanks for the note. I guess that there are a few options to
> consider. The following is my goal and perhaps you can help me decide
> the best way to address this:

> 	I would like to authenticate users based upon their credentials in
> 	an LDAP Directory Server.

> 	I would additionally like to control access to newsgroups based
> 	upon the subscribers' membership in an LDAP group associated with
> 	the newsgroup.

INN wants to get from the Perl auth hooks a wildmat pattern of groups that
a given user can read, so somewhere along the line you want to transform
those access groups into that sort of table.

Alternately, you could use the Python authentication hooks, which for the
moment are actually more capable in this area.  (It's on the list of
things I'd like to do to make the Perl hooks match the Python hooks in
this area.)  There are Python callbacks whenever a user tries to read or
post to a newsgroup, and from that you could check directly in LDAP using
a Python LDAP module whether they have access to that group.

Based on your requirements, I think that's the direction you want to go.
The resulting Python authenticator would likely be generally useful and
something we'd at least want to put into contrib.

This does require knowing Python, however.

> There are two ways to approach this problem. One is to have a cron job
> that peruses the groups and builds a readers.conf and then executes a
> "ctlinnd reload readers.conf" on a periodic basis. The other way is to
> use LDAP for access control as well.

You really want to do the latter; it's just nicer.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
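
The transformation discussed in this thread, from LDAP access groups to a wildmat pattern, and the per-newsgroup check a read/post callback would make, sketched as an added example that is not code from the thread or from INN. It assumes each LDAP group entry carries one newsgroup pattern and a member list (a constructed schema, held here as inline sample data instead of a live directory query) and INN's comma-separated wildmat syntax in which a leading `!` negates; all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-in for an LDAP search result: (newsgroup pattern stored on
# the LDAP group entry, member uids). This layout is an assumption.
SAMPLE_GROUPS = [
    ("corp.announce", ["alice", "bob"]),
    ("corp.eng.*", ["alice"]),
    ("corp.hr.private", ["carol"]),
    ("*,!corp.hr.*", ["mallory"]),  # malformed directory value, must be rejected
]

# Accept only a lowercase dotted newsgroup name with an optional trailing ".*".
# Anything carrying other wildmat syntax (",", "!", "@", "?", "[") is refused so
# a directory entry cannot widen access beyond its own hierarchy.
_PART = r"[a-z0-9][a-z0-9+_-]*"
_SAFE = re.compile(rf"{_PART}(\.{_PART})*(\.\*)?")
DENY_ALL = "!*"


def allowed_patterns(uid, groups):
    """Return (patterns uid may read, directory values rejected as unsafe)."""
    allowed, rejected = [], []
    for pattern, members in groups:
        if uid not in members:
            continue
        if not _SAFE.fullmatch(pattern):  # fullmatch also refuses a trailing newline
            rejected.append(pattern)
        elif pattern not in allowed:
            allowed.append(pattern)
    return allowed, rejected


def wildmat_for_user(uid, groups):
    """Build a comma-separated wildmat that starts from deny-all (fail closed)."""
    allowed, _ = allowed_patterns(uid, groups)
    return ",".join([DENY_ALL] + allowed)


def can_read(uid, newsgroup, groups):
    """Per-newsgroup decision, as a read/post callback would need it."""
    allowed, _ = allowed_patterns(uid, groups)
    return any(fnmatchcase(newsgroup, p) for p in allowed)


if __name__ == "__main__":
    for user in ("alice", "mallory", "dave"):
        print(user, wildmat_for_user(user, SAMPLE_GROUPS))
```

Rejected values are returned separately so they can be logged and the directory entry corrected.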

