[inn-workers] innd 2.x LDAP authorization support

Jonathan Siegle jsiegle at psu.edu
Tue Aug 26 12:59:21 UTC 2008 

Julien ÉLIE said the following on 8/25/08 3:59 PM:
> Hi Jonathan,
> 
>>     Here at Penn State, we use kerberos to authenticate users and ldap 
>> for authorization information. I'm considering writing this type of 
>> authorization procedure for nnrpd so that I don't need to write 8k 
>> userids for the staff group, 90k for students, etc. I would rather 
>> create a new token for readers.conf that implies an ldap group. For 
>> now, I'll say the token is LDAP_GROUP.
> 
> There is no need to create a token for what you want to achieve.
> 
> 
>> 1.) User logs in as abc123 at psu.edu via auth_krb5.c on port 563
> 
> Is this first step (authentication) working fine with your configuration?
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/auth_krb5.html
> 
>    auth kerberos {
>        auth: "auth_krb5 -i nntp"
>    }
> 
>    access kerberos {
>        users: "*/nntp"
>        newsgroups: example.*
>    }
> 

It doesn't like my -i nntp on the auth line. I get

Aug 26 08:54:32 tr22n12 news:warn|warning nnrpd[323712]: 
cider.aset.psu.edu auth_err auth_krb5: unknown user "jsiegle/nntp"

So I'm taking that -i off.


> 
>> 2.) When the user selects a group that requires them to be in the ldap 
>> group psu.test, psu.test is expanded to see if abc123 is in there and 
>> therefore what access(readers.conf:access,read,post) is granted abc123.
> 
> As you want a dynamic generation of authorization, group by group,
> I suggest that you use python_dynamic: as explained here:
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
> 
> See especially the subsection entitled "Dynamic Access Control".
> 
> 
> 
>> 2.) On login, all ldap group information is stored by something and 
>> when user selects a usenet group, the readers.conf file is used to 
>> determine access(ACCESS/read/post).
> 
> If you want to do that on login, just generate the right access group
> and do not bother to generate it at every change of group.
> See perl_access: or python_access: in readers.conf:
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
> 
>    http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8  <- Perl
> 

Ok thanks! Works for me.

-Jonathan



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3485 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20080826/1207d7e9/attachment.bin>

More information about the inn-workers mailing list