[inn-workers] innd 2.x LDAP authorization support
Jonathan Siegle
jsiegle at psu.edu
Tue Aug 26 12:59:21 UTC 2008
Julien ÉLIE said the following on 8/25/08 3:59 PM:
> Hi Jonathan,
>
>> Here at Penn State, we use kerberos to authenticate users and ldap
>> for authorization information. I'm considering writing this type of
>> authorization procedure for nnrpd so that I don't need to write 8k
>> userids for the staff group, 90k for students, etc. I would rather
>> create a new token for readers.conf that implies an ldap group. For
>> now, I'll say the token is LDAP_GROUP.
>
> There is no need to create a token for what you want to achieve.
>
>
>> 1.) User logs in as abc123 at psu.edu via auth_krb5.c on port 563
>
> Is this first step (authentication) working fine with your configuration?
>
> http://www.eyrie.org/~eagle/software/inn/docs/auth_krb5.html
>
> auth kerberos {
> auth: "auth_krb5 -i nntp"
> }
>
> access kerberos {
> users: "*/nntp"
> newsgroups: example.*
> }
>
It doesn't like my -i nntp on the auth line. I get
Aug 26 08:54:32 tr22n12 news:warn|warning nnrpd[323712]: cider.aset.psu.edu auth_err auth_krb5: unknown user "jsiegle/nntp"
So I'm taking that -i off.
>
>> 2.) When the user selects a group that requires them to be in the ldap
>> group psu.test, psu.test is expanded to see if abc123 is in there and
>> therefore what access(readers.conf:access,read,post) is granted abc123.
>
> As you want a dynamic generation of authorization, group by group,
> I suggest that you use python_dynamic: as explained here:
>
> http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
>
> See especially the subsection entitled "Dynamic Access Control".
>
>
>
>> 2.) On login, all ldap group information is stored by something and
>> when user selects a usenet group, the readers.conf file is used to
>> determine access(ACCESS/read/post).
>
> If you want to do that on login, just generate the right access group
> and do not bother to generate it at every change of group.
> See perl_access: or python_access: in readers.conf:
>
> http://www.eyrie.org/~eagle/software/inn/docs/readers.conf.html
> http://www.eyrie.org/~eagle/software/inn/docs/hook-python.html#S4
>
> http://www.eyrie.org/~eagle/software/inn/docs/hook-perl.html#S8 <- Perl
>
Ok thanks! Works for me.
-Jonathan
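What the python_access: approach from the reply looks like in code, as an added example (not INN's, Penn State's or either poster's code): a hook class that nnrpd calls once after authentication, turning LDAP group membership into readers.conf read/post parameters so that no per-user list has to be maintained. The LDAP query itself sits behind lookup_groups(); the in-memory directory and group policy below are constructed sample data standing in for the real LDAP search (which in production would use a client library such as python-ldap). It is also assumed that auth_krb5 without -i hands nnrpd the bare principal name, possibly with an @REALM suffix, which normalize_user() strips.

```python
# Added example of an nnrpd python_access: hook (not INN's own code).
# nnrpd loads this module, calls set_auth_hook(), and then invokes
# ACCESS.access() once per authenticated connection; the returned dict
# supplies readers.conf access parameters for the whole session.

# Constructed sample directory: LDAP group -> members.  Stand-in for the
# group expansion described in the thread (is abc123 in psu.test?).
SAMPLE_DIRECTORY = {
    "psu.test": {"abc123"},
    "psu.staff": {"jsiegle", "abc123"},
}

# Constructed policy: LDAP group -> access granted to its members.
# read/post are comma-separated wildmat lists, as in readers.conf.
GROUP_POLICY = {
    "psu.test": {"read": "psu.test.*", "post": "psu.test.*"},
    "psu.staff": {"read": "psu.*", "post": "psu.staff.*"},
}


def normalize_user(user):
    """Return a lower-cased bare user name.

    Assumption: the authenticator may pass user@REALM (Kerberos) and,
    under Python 3 builds of INN, the attribute values may be bytes.
    """
    if isinstance(user, bytes):
        user = user.decode("utf-8", "replace")
    return user.split("@", 1)[0].lower()


def lookup_groups(user, directory=SAMPLE_DIRECTORY):
    """Set of LDAP groups that contain user (sample in-memory lookup)."""
    return {group for group, members in directory.items() if user in members}


def build_access(user, directory=SAMPLE_DIRECTORY, policy=GROUP_POLICY):
    """Union of the read/post patterns of every mapped group the user is in.

    Deny by default: a user in no mapped group gets an empty dict, which
    grants no read or post access.  Groups are sorted so the result is
    stable and easy to log and compare.
    """
    reads, posts = [], []
    for group in sorted(lookup_groups(normalize_user(user), directory)):
        params = policy.get(group)
        if params is None:  # LDAP group with no news policy: ignore it
            continue
        reads.append(params["read"])
        posts.append(params["post"])
    if not reads:
        return {}
    return {"read": ",".join(reads), "post": ",".join(posts)}


class ACCESS:
    """Hook object for python_access: in readers.conf."""

    def access(self, attributes):
        # attributes carries the authenticated user under "user";
        # no user means nothing to authorize, so grant nothing.
        user = attributes.get("user")
        if not user:
            return {}
        return build_access(user)


try:
    # The nnrpd module only exists inside the running nnrpd process.
    from nnrpd import set_auth_hook
    set_auth_hook(ACCESS())
except ImportError:
    pass  # imported outside nnrpd (e.g. for offline testing)
```

Because membership is resolved once at login rather than on every group change, an LDAP outage or slow directory costs one lookup per connection; the deny-by-default return keeps a failed or empty lookup from granting access.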