[inn-workers] innd 2.x LDAP authorization support
Julien ÉLIE
julien at trigofacile.com
Mon Aug 25 19:59:49 UTC 2008
Hi Jonathan,
> Here at Penn State, we use kerberos to authenticate users and ldap for authorization information. I'm considering writing this
> type of authorization procedure for nnrpd so that I don't need to write 8k userids for the staff group, 90k for students, etc. I
> would rather create a new token for readers.conf that implies an ldap group. For now, I'll say the token is LDAP_GROUP.
There is no need to create a token for what you want to achieve.
> 1.) User logs in as abc123 at psu.edu via auth_krb5.c on port 563
Is this first step (authentication) working fine with your configuration?
http://www.eyrie.org/~eagle/software/inn/docs/auth_krb5.html
auth kerberos {
    auth: "auth_krb5 -i nntp"
}

access kerberos {
    users: "*/nntp"
    newsgroups: example.*
}
> 2.) When the user selects a group that requires them to be in the ldap group psu.test, psu.test is expanded to see if abc123 is in
> there and therefore what access (readers.conf: access, read, post) is granted to abc123.
As you want a dynamic generation of authorization, group by group,
I suggest that you use python_dynamic: as explained here:
http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
See especially the subsection entitled "Dynamic Access Control".
> 2.) On login, all ldap group information is stored by something and when user selects a usenet group, the readers.conf file is
> used to determine access(ACCESS/read/post).
If you want to do that on login, just generate the right access group
and do not bother to generate it at every change of group.
See perl_access: or python_access: in readers.conf:
http://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8 <- Perl
--
Julien ÉLIE
« Acta est fabula. »
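As an added illustration (not code from this thread or from INN itself), here is the shape a python_dynamic: hook could take for the per-group check discussed above: the psu.* policy table and the in-memory directory standing in for the LDAP lookup are constructed for the example, and the hook method names and attribute keys follow the hook-python documentation linked above.

```python
import fnmatch

# Constructed policy: newsgroup pattern -> LDAP group whose members may use it.
GROUP_POLICY = {
    "psu.test.*": "psu.test",
    "psu.staff.*": "psu.staff",
}

# Constructed stand-in for the LDAP directory (group -> member uids). A real
# deployment would replace this with a directory search, e.g. in dynamic_init().
FAKE_DIRECTORY = {
    "psu.test": {"abc123", "def456"},
    "psu.staff": {"def456"},
}

def _text(value):
    # nnrpd hands over bytes on Python 3 builds and str on Python 2; normalise to str.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def principal_uid(user):
    """Reduce Kerberos-style names ('abc123/nntp', 'abc123@PSU.EDU') to the bare uid."""
    user = _text(user) or ""
    return user.split("@", 1)[0].split("/", 1)[0]

def required_group(newsgroup):
    """Return the LDAP group guarding this newsgroup, or None if it is unrestricted."""
    for pattern, group in GROUP_POLICY.items():
        if fnmatch.fnmatchcase(newsgroup, pattern):
            return group
    return None

def is_member(uid, group, directory=FAKE_DIRECTORY):
    return uid in directory.get(group, ())

def decide(user, newsgroup, directory=FAKE_DIRECTORY):
    """None means allow; a string is the rejection reason nnrpd reports to the client."""
    newsgroup = _text(newsgroup) or ""
    group = required_group(newsgroup)
    if group is None or is_member(principal_uid(user), group, directory):
        return None
    return "access to %s requires membership of LDAP group %s" % (newsgroup, group)

class DYNACCESS:
    # Interface used by python_dynamic: in readers.conf (see hook-python.html#S4).
    def dynamic_init(self):
        pass   # open the LDAP connection here in a real hook

    def dynamic(self, attributes):
        # attributes carries 'type' ('read'/'post'), 'newsgroup' and 'user', among others.
        return decide(attributes.get("user"), attributes.get("newsgroup"))

try:
    set_auth_hook(DYNACCESS())   # defined by nnrpd's embedded interpreter
except NameError:
    pass                         # imported outside nnrpd (e.g. while testing)
```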