[inn-workers] innd 2.x LDAP authorization support

Julien ÉLIE julien at trigofacile.com
Mon Aug 25 19:59:49 UTC 2008

Hi Jonathan,

>     Here at Penn State, we use kerberos to authenticate users and ldap for authorization information. I'm considering writing this 
> type of authorization procedure for nnrpd so that I don't need to write 8k userids for the staff group, 90k for students, etc. I 
> would rather create a new token for readers.conf that implies an ldap group. For now, I'll say the token is LDAP_GROUP.

There is no need to create a token for what you want to achieve.

> 1.) User logs in as abc123 at psu.edu via auth_krb5.c on port 563

Is this first step (authentication) working fine with your configuration?


    auth kerberos {
        auth: "auth_krb5 -i nntp"

    access kerberos {
        users: "*/nntp"
        newsgroups: example.*

> 2.) When the user selects a group that requires them to be in the ldap group psu.test, psu.test is expanded to see if abc123 is in 
> there and therefore what access(readers.conf:access,read,post) is granted abc123.

As you want a dynamic generation of authorization, group by group,
I suggest that you use python_dynamic: as explained here:


See especially the subsection entitled "Dynamic Access Control".

> 2.) On login, all ldap group information is stored by something and when user selects a usenet group, the readers.conf file is 
> used to determine access(ACCESS/read/post).

If you want to do that on login, just generate the right access group
and do not bother to generate it at every change of group.
See perl_access: or python_access: in readers.conf:


    http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8  <- Perl

Julien ÉLIE

« Acta est fabula. »

More information about the inn-workers mailing list