Alternative to perl_access and python_access?
Todd Olson
tco2 at cornell.edu
Mon Jun 13 06:20:40 UTC 2005

Hi Felix

At 11:19 +0200 2005-06-11, Felix E. Klee wrote:
>At Sat, 11 Jun 2005 02:11:03 -0700,
>Russ Allbery wrote:
>> > For controlling news group access, I'd like INN to use a custom
>> > program, but not one executed with perl_access or python_access (for
>> > more details, read below). What options do I have?
>>
>> You can also run an external authenticator.
>
>That's what I'm already doing. I was asking, though, for possibilities
>of running an external program which specifies news group access
>permission. Unfortunately, it seems that one is bound to perl_access or
>python_access.
>
There is a hack that might do what you want.

Configure nnrpd to always
  a) run an external authenticator
and then
  b) run an *_access script

Have the external authenticator do all the work, perhaps including
computing the desired news group access permissions ... and then
write it to a file on disk.
Then have the *_access script read that file and do what it says.

NOTE: that this gets around the problem of the *_access script
      not being able to fork ... all the forking is done in the extern auth'er

NOTE: that you have to develop a naming scheme that permits the *_access
      script to know what file to look for. I am using the PID of
      the nnrpd process. In the case of the *_access script it will
      just be the PID. In the case of the external auth'er it will be the PPID.

NOTE: My current externals are all ksh scripts.

This is the sort of solution I used for a similar but different problem.
We use kerberos/sidecar. I was finding that our policy required a lot
of auth blocks and hence when kerberos 'failed' we were probing for kerberos
10 times per connection. To reduce this I set things up so the first
executed auth block calls an external auth'er that writes the results
to a file. Then all subsequent auth'ers just read the result from that
file, rather than reprobing for kerberos/sidecar.

It is my intent to extend it to something like the above
because each person at Cornell potentially sees a different group
list based on 'permits' in the 'permit server'. I can't use *_access
directly because of the no-fork issue.

I've not yet implemented this part due to the higher priority of
other projects ... but I think it will work.

Regards,
Todd Olson
Cornell University
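
The PID-keyed file handoff described in the message above, as an added
example that is not part of the original post and is not Todd Olson's or
INN's code. It shows the two checks such a file needs before it is trusted:
ownership/permissions, and freshness so a leftover file from a recycled PID
is not applied to a new connection. Assumptions: the function names, the
JSON file format, the MAX_AGE value and the sample group patterns are
hypothetical; the spool directory is taken to be a mode 0700 directory owned
by the news user; wiring into nnrpd's auth and *_access hooks is not shown.

```python
import json
import os
import stat
import tempfile
import time

MAX_AGE = 30  # seconds allowed between auth and access steps (assumed value)

def handoff_path(spool, nnrpd_pid):
    return os.path.join(spool, "access.%d" % nnrpd_pid)

def write_handoff(spool, nnrpd_pid, access):
    """External auth'er side; nnrpd_pid is os.getppid() there."""
    # mkstemp creates the file 0600; rename makes it appear atomically and
    # replaces any leftover file from an earlier process with the same PID.
    fd, tmp = tempfile.mkstemp(dir=spool, prefix=".tmp.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(access, f)
        os.rename(tmp, handoff_path(spool, nnrpd_pid))
    except BaseException:
        os.unlink(tmp)
        raise

def read_handoff(spool, nnrpd_pid, now=None):
    """*_access side; nnrpd_pid is os.getpid() there. None means deny."""
    path = handoff_path(spool, nnrpd_pid)
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    except OSError:
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())
        age = (time.time() if now is None else now) - st.st_mtime
        trusted = (stat.S_ISREG(st.st_mode)
                   and st.st_uid == os.geteuid()   # written by our own user
                   and not st.st_mode & 0o077      # no group/other access
                   and age <= MAX_AGE)             # not a recycled-PID leftover
        try:
            access = json.load(f) if trusted else None
        except ValueError:
            access = None
    try:
        os.unlink(path)  # one-shot: never reuse a result for a later connection
    except OSError:
        pass
    return access
```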