authentication domains/realms/whatever

Jeffrey M. Vinocur jeff at litech.org
Sun Mar 6 21:54:08 UTC 2005


On Mar 6, 2005, at 1:26 PM, Christoph Biedl wrote:

> I'd like to use different ways of authentication based on something
> like a domain name in the user name of the AUTHINFO command.
>
> For example:
> "user at example1.com" -> check against radius using bin/auth/passwd/radius
> "user"              -> ditto ("example1.com" is a default)
>
> "user at example2.com" -> check against a plain text list

You actually can't quite do this within readers.conf itself.  That is, 
inside an auth block (where you'd check against radius or a file or 
whatever), you can't examine the username.  In retrospect, that's 
probably a mistake given how reasonable your question is, but it can't 
be done as far as I can think of.   However, you've got three options:

1.  If you can distinguish groups of users by incoming IP address 
(e.g., all users from example2.com will be connecting from an IP that 
reverse-resolves to something.example2.com), then the above is 
straightforward using one auth block per group of users (with 
appropriate hosts: parameter).

2.  If there's no harm done to check some users against the wrong 
password databases, you can lump everything together in one auth block 
with multiple auth: parameters.  The caveat here is that if, say, 
example1.com users are authenticated using a RADIUS server under 
external control, you might not want to expose the authentication 
attempts of example2.com users to the example1.com RADIUS server.

3.  You can use one auth block with a perl_auth: or python_auth: 
parameter to call out to a script capable of doing more powerful 
processing.


-- 
Jeffrey M. Vinocur
jeff at litech.org
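
The per-realm dispatch that option 3 allows, sketched as an added example that is not part of the original message and is not INN code. All function names, the sample credentials and the recording stand-in for the RADIUS check are assumptions made for illustration; hooking the logic into nnrpd's python_auth: interface is not shown.

```python
import hmac

DEFAULT_REALM = "example1.com"  # per the question: a bare "user" means example1.com


def split_realm(login, default=DEFAULT_REALM):
    """Return (user, realm); a login without '@' falls into the default realm."""
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, default
    return user, realm.lower()


def check_table(table, user, password):
    """Constant-time comparison against a user -> password mapping."""
    stored = table.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def plaintext_backend(table):
    """Hypothetical backend for the 'plain text list' realm."""
    return lambda user, password: check_table(table, user, password)


def recording_backend(table, seen):
    """Hypothetical stand-in for the RADIUS check; logs every user it is shown."""
    def check(user, password):
        seen.append(user)
        return check_table(table, user, password)
    return check


def authenticate(login, password, backends):
    """Consult exactly one backend, chosen by realm; unknown realms are refused."""
    user, realm = split_realm(login)
    backend = backends.get(realm)
    if not user or backend is None:
        return False
    return backend(user, password)


# Constructed sample data, not real accounts.
RADIUS_SEEN = []
BACKENDS = {
    "example1.com": recording_backend({"alice": "r4dius"}, RADIUS_SEEN),
    "example2.com": plaintext_backend({"bob": "pl41n"}),
}

if __name__ == "__main__":
    for login, pw in [("alice", "r4dius"), ("bob@example2.com", "pl41n"),
                      ("bob@example3.com", "pl41n")]:
        print(login, authenticate(login, pw, BACKENDS))
    print("shown to RADIUS stand-in:", RADIUS_SEEN)
```

Because only the backend for the matching realm is consulted, example2.com logins never reach the example1.com check, which is the exposure described under option 2.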



More information about the inn-workers mailing list