New authentication method
joe at pyx.ch
Fri Nov 25 06:58:35 EST 2005
I've been tasked to implement a new way of authentication for SASL, which
works like this: A HTTP POST request with username, cleartext password and
realm is passed to a webserver which either answers with a HTTP 200 response
(meaning authentication is ok) or a HTTP 403 response (meaning that
I have used SASL purely as an administrator until now, this is the first time
I looked into extending it. After reading docs and the source, I have come up
with the following conclusions/possibilities to tackle this task:
1) An auxprop plugin is not adequate, because such a plugin would need to
fetch the password from somewhere and return it to SASL, which then performs
the verification. This does not fit the pattern at hand.
2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go, but
saslauthd does not seem to have a "runtime plugin concept" (with shared
libraries). I would need to change the source of saslauthd an replace the
existing binary on the machine.
3) The pwcheck daemon would probably be the easiest to implement, but again,
this would mean to replace the existing pwcheck daemon program (and also rely
on the fact that the SASL implementation on the system has been compiled with
Am I correct that these are the simple options I have. Of course, I could also
implement a totally new pwcheck_method, or even a full plugin, but either of
these look too complicated to me.
Before I go into more detail, I'd like to know if I overlooked something?
Feedback is most welcome - and as I said, this is the first time I look into
SASL, so I might be totally wrong with my ideas :-)
Remember when web browsers were just for viewing HTML pages, and not as a
platform agnostic instant-rollout applications platform?
Yeah, me neither.
More information about the Cyrus-sasl