Alternative to perl_access and python_access?

Todd Olson tco2 at cornell.edu
Mon Jun 13 06:20:40 UTC 2005


Hi Felix

At 11:19 +0200 2005-06-11, Felix E. Klee wrote:
>At Sat, 11 Jun 2005 02:11:03 -0700,
>Russ Allbery wrote:
>> > For controlling news group access, I'd like INN to use a custom
>> > program, but not one executed with perl_access or python_access (for
>> > more details, read below).  What options do I have?
>>
>> You can also run an external authenticator.
>
>That's what I'm already doing.  I was asking, though, for possibilities
>of running an external program which specifies news group access
>permission.  Unfortunately, it seems that one is bound to perl_access or
>python_access.
>


There is a hack that might do what you want.
Configure nnrpd to always
   a) run an external authenticator
and then
   b) run an *_access script

Have the external authenticator do all the work, perhaps including
computing the desired news group access permissions .. and then
write it to a file on disk.

Then have the *_access script read that file and do what it says.

NOTE: that this gets around the problem of the *_access script
      not being able to fork ... all the forking is done in the extern auth'er

NOTE: that you have to develop a naming scheme that permits the *_access
      script to know what file to look for.  I am using the PID of
      the nnrpd process.  In the case of the *_access script it will
      just be the PID.  In the case of the external auth'er it will be the PPID.

NOTE: My current externals are all ksh scripts.


This is the sort of solution I used for a similar but different problem.
We use kerberos/sidecar.  I was finding that our policy required a lot
of auth blocks and hence when kerberos 'failed' we were probing for kerberos
10 times per connection.  To reduce this I set things up so the first
executed auth block calls an external auth'er that writes the results
to a file.  Then all subsequent auth'ers just read the result from that
file, rather than reprobing for kerberos/sidecar.

It is my intent to extend it to something like the above
because each person at Cornell potentially sees a different group
list based on 'permits' in the 'permit server'.  I can't use *_access
directly because of the no-fork issue.
I've not yet implemented this part due to the higher priority of
other projects ... but I think it will work.

Regards,
Todd Olson
Cornell University
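The PID-keyed hand-off described above, as an added example in POSIX sh that is not from Todd's post or from INN itself: a writer meant to be called from the external authenticator (where $PPID is nnrpd's PID, since nnrpd forks the authenticator) and a reader meant to be called from the *_access hook (where the hook's own PID is that same number). ACCESS_DIR, the file format, the freshness window and the demo PID are assumptions; the reader consumes the file once and refuses stale ones so a recycled PID cannot inherit an earlier session's permissions.

```shell
#!/bin/sh
# Added example, not code from the post or from INN. Hand-off of computed
# group permissions from an external authenticator to an *_access hook via a
# file named after the nnrpd PID. ACCESS_DIR is an assumed location; /tmp is
# only used so the example runs stand-alone.

ACCESS_DIR="${ACCESS_DIR:-/tmp/nnrpd-access}"

# Writer side (external authenticator). $1 = nnrpd PID (the authenticator's
# $PPID), $2 = authenticated user, $3 = newsgroup wildmat for that user.
write_access_file() {
    pid="$1"; user="$2"; groups="$3"
    umask 077                                   # file readable by the news user only
    mkdir -p "$ACCESS_DIR" && chmod 700 "$ACCESS_DIR" || return 1
    tmp="$ACCESS_DIR/$pid.tmp.$$"
    printf 'user=%s\ngroups=%s\n' "$user" "$groups" > "$tmp" || return 1
    mv -f "$tmp" "$ACCESS_DIR/$pid"             # atomic rename: reader never sees a partial file
}

# Reader side (*_access hook). $1 = nnrpd's own PID.
# Prints the wildmat and returns 0; returns 1 when no usable file exists.
read_access_file() {
    pid="$1"; f="$ACCESS_DIR/$pid"
    [ -f "$f" ] || return 1
    # Refuse a file older than a few minutes: PIDs get reused, and a fresh
    # connection must never pick up permissions computed for an old one.
    [ -n "$(find "$f" -mmin -5 2>/dev/null)" ] || { rm -f "$f"; return 1; }
    groups=$(sed -n 's/^groups=//p' "$f")
    rm -f "$f"                                  # one-shot: consume and delete
    [ -n "$groups" ] || return 1
    printf '%s\n' "$groups"
}

# Simulated authenticator run; in a real hook $1 would be $PPID.
# The user name and wildmat are constructed demo values.
authenticator_demo() {
    write_access_file "$1" "alice" "cornell.*,!cornell.private.*"
}
```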

