SASL support in INN 2.5.0

Alexander Bartolich alexander.bartolich at gmx.at
Sun Jun 28 16:24:54 UTC 2009


Julien ÉLIE wrote:
> Hi Alexander,
> 
>>> If there is a perl_auth:, python_auth: or auth: parameter along with
>>> "sasl_auth: true", they will not be checked if AUTHINFO SASL is used
>>> (there might be no password with AUTHINFO SASL).
>>
>> What's the problem if $::attributes{password} is undefined or the
>> empty string?
> 
> The problem is that the user is *already* authenticated by SASL
> when auth blocks are checked.
> AUTHINFO SASL does not use nnrpd_auth.pl; it uses its own mechanism
> and returns success or failure.  Then, what would nnrpd_auth.pl do?

Perform additional checks and possibly reject the login.

When I receive a substantiated abuse report I do not delete the account
outright but just set a flag. One of the advantages is that mistakes
and misunderstandings can be easily resolved. (The other is that the
user cannot simply reapply for an account with the same email address.)

I once experimented with authentication based on IP address and found
it very limiting that you cannot stack "hosts:" and "perl_auth:".
Having to edit readers.conf to close an account is really awkward.
And simulating a rejected login through "perl_access:" feels silly.

Anyway, I can imagine that in an enterprise setup using NTLM not
every domain account is allowed to access the news server and that
on the other hand the news operator cannot fumble with accounts on
the domain controller.

Ciao

     Alexander.


