authentication domains/realms/whatever
Jeffrey M. Vinocur
jeff at litech.org
Sun Mar 6 21:54:08 UTC 2005
On Mar 6, 2005, at 1:26 PM, Christoph Biedl wrote:
> I'd like to use different ways of authentication based on something
> like a domain name in the user name of the AUTHINFO command.
>
> For example:
> "user at example1.com" -> check against radius using
> bin/auth/passwd/radius
> "user" -> ditto ("example1.com" is a default)
>
> "user at example2.com" -> check against a plain text list
You actually can't quite do this within readers.conf itself. That is,
inside an auth block (where you'd check against radius or a file or
whatever), you can't examine the username. In retrospect, that's
probably a mistake given how reasonable your question is, but it can't
be done as far as I can think of. However, you've got three options:

1. If you can distinguish groups of users by incoming IP address
(e.g., all users from example2.com will be connecting from an IP that
reverse-resolves to something.example2.com), then the above is
straightforward using one auth block per group of users (with
appropriate hosts: parameter).

2. If there's no harm done to check some users against the wrong
password databases, you can lump everything together in one auth block
with multiple auth: parameters. The caveat here is that if, say,
example1.com users are authenticated using a RADIUS server under
external control, you might not want to expose the authentication
attempts of example2.com users to the example1.com RADIUS server.

3. You can use one auth block with a perl_auth: or python_auth:
parameter to call out to a script capable of doing more powerful
processing.
--
Jeffrey M. Vinocur
jeff at litech.org
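
The realm routing that option 3 would delegate to a script, as an added example that is not part of the original message and is not INN code: it sends each attempt only to the backend for its realm, which avoids the cross-realm exposure noted in option 2. Wiring it into nnrpd's python_auth hook is not shown; `fake_radius`, `RealmRouter` and the credentials are constructed, and usernames use a literal `@` (the archive prints it as " at ").

```python
import hmac

DEFAULT_REALM = "example1.com"  # a bare "user" is treated as user@example1.com


def split_realm(username, default=DEFAULT_REALM):
    """Split 'user@realm' on the last '@'; the realm is case-insensitive."""
    user, sep, realm = username.rpartition("@")
    if not sep:
        return username, default
    return user, realm.lower()


def make_file_backend(lines):
    """Backend for a plain text 'user:password' list (constructed sample data)."""
    table = dict(l.strip().split(":", 1) for l in lines if ":" in l)

    def check(user, password):
        stored = table.get(user)
        # Constant-time comparison; unknown users compare against an empty string.
        ok = hmac.compare_digest((stored or "").encode(), password.encode())
        return stored is not None and ok
    return check


class RealmRouter:
    def __init__(self, backends):
        self.backends = backends  # realm -> callable(user, password) -> bool
        self.contacted = []       # audit trail: which realm's backend saw an attempt

    def authenticate(self, username, password):
        user, realm = split_realm(username)
        backend = self.backends.get(realm)
        if not user or backend is None:
            return False          # unknown realm: no backend is contacted at all
        self.contacted.append(realm)
        return bool(backend(user, password))


def fake_radius(user, password):
    """Hypothetical stand-in for a real RADIUS check of example1.com users."""
    return (user, password) == ("alice", "radius-secret")


router = RealmRouter({
    "example1.com": fake_radius,
    "example2.com": make_file_backend(["bob:hunter2", "carol:s3cret"]),
})
```
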