authentification domains/realms/whatever

Russ Allbery rra at stanford.edu
Mon Apr 11 07:13:52 UTC 2005


Christoph Biedl <cbiedl at gmx.de> writes:

> Like many others I'm quite confused about both the possibilities of
> readers.confs and the overloading of words like "domain" or "realm". So,
> after failing to understand both the manpage and the sources:

> I'd like to use different ways of authentication based on something
> like a domain name in the user name of the AUTHINFO command.

> For example:
> "user at example1.com" -> check against radius using bin/auth/passwd/radius
> "user"              -> ditto ("example1.com" is a default)

> "user at example2.com" -> check against a plain text list

> etc...

> How can this be done with the least effort? An example would be
> helpful.

There is actually a way to do this, although I'm not sure I want to
mention it because it's undocumented and part of the configuration syntax
that I kind of wanted to get rid of since no one (to my knowledge) is
using it.  However, it does work.

You do it like this:

auth {
    hosts: *
    auth {
        users: *@example2.com
        program: ckpasswd -f /path/to/passwd/file
    }
    auth {
        users: *
        program: radius
    }
    default-domain: example1.com
}

However, I'd really like to get rid of the res {} and auth {} blocks in
the syntax, since they were never documented and make converting to a
better parser rather hard.

A better approach would probably be to add a users: key to the top-level
auth block with the same semantics.  This shouldn't be particularly hard
to do, I think, but I'm probably not going to get to it for a while.
(Patches welcome, though.)

The obvious workaround is to write a little script that accepts and parses
the information from nnrpd and then runs the appropriate program based on
the username pattern and then use that program as your authenticator, but
that's kind of annoying to have to do.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
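
The workaround described in the reply above (a wrapper script that parses the request from nnrpd and runs a backend chosen by username pattern), as an added example that is not part of the original message or of INN. It assumes the request arrives on stdin as "Key: value" lines with the username in ClientAuthname and a lone "." line at the end; AUTH_DIR is a placeholder path, and the function names are hypothetical.

```python
"""Dispatch an nnrpd authentication request to a backend chosen by username domain."""
import subprocess
import sys

AUTH_DIR = "/path/to/bin/auth/passwd"  # placeholder: directory holding ckpasswd and radius
DEFAULT_DOMAIN = "example1.com"        # applied to usernames without "@"
# Domain -> backend argv, mirroring the nested auth blocks in the message.
BACKENDS = {
    "example1.com": [AUTH_DIR + "/radius"],
    "example2.com": [AUTH_DIR + "/ckpasswd", "-f", "/path/to/passwd/file"],
}

def parse_request(raw):
    """Parse 'Key: value' lines (assumed nnrpd format) up to a lone '.' line."""
    fields = {}
    for line in raw.decode("utf-8", "replace").splitlines():
        if line == ".":
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()  # used for routing only
    return fields

def choose_backend(username):
    """Return the backend argv for a username, or None (deny) if no rule matches."""
    if not username:
        return None
    local, sep, domain = username.rpartition("@")
    if not sep:
        domain = DEFAULT_DOMAIN      # bare "user" falls into the default domain
    elif not local:
        return None                  # "@domain" with no user part
    return BACKENDS.get(domain.lower())

def main():
    raw = sys.stdin.buffer.read()
    argv = choose_backend(parse_request(raw).get("ClientAuthname", ""))
    if argv is None:
        return 1                     # fail closed: unknown domain or malformed request
    try:
        # argv list, no shell: the client-supplied username never reaches a command line.
        result = subprocess.run(argv, input=raw, stdout=subprocess.PIPE)
    except OSError:
        return 1                     # backend missing or not executable: deny
    sys.stdout.buffer.write(result.stdout)  # relay the backend's answer unchanged
    return result.returncode

if __name__ == "__main__":
    sys.exit(main())
```

The backend receives the original request bytes unmodified, so the dispatcher only routes and never validates a password itself.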


More information about the inn-workers mailing list