New authentication method
alexey.melnikov at isode.com
Mon Nov 28 09:36:59 EST 2005
Joe Ammann wrote:
>I've been tasked to implement a new way of authentication for SASL, which
>works like this: An HTTP POST request with username, cleartext password and
>realm is passed to a webserver which either answers with an HTTP 200 response
>(meaning authentication is ok) or an HTTP 403 response (meaning that
>I have used SASL purely as an administrator until now, this is the first time
>I looked into extending it. After reading docs and the source, I have come up
>with the following conclusions/possibilities to tackle this task:
>1) An auxprop plugin is not adequate, because such a plugin would need to
>fetch the password from somewhere and return it to SASL, which then performs
>the verification. This does not fit the pattern at hand.
>2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go, but
>saslauthd does not seem to have a "runtime plugin concept" (with shared
>libraries). I would need to change the source of saslauthd and replace the
>existing binary on the machine.
saslauthd has replaced the pwcheck daemon. So I think this is the proper
>3) The pwcheck daemon would probably be the easiest to implement, but again,
>this would mean to replace the existing pwcheck daemon program (and also rely
>on the fact that the SASL implementation on the system has been compiled with
>Am I correct that these are the simple options I have? Of course, I could also
>implement a totally new pwcheck_method, or even a full plugin, but either of
>these looks too complicated to me.
>Before I go into more detail, I'd like to know if I overlooked something?
>Feedback is most welcome - and as I said, this is the first time I look into
>SASL, so I might be totally wrong with my ideas :-)
Isode M-Box Message Store developer
IETF standard related pages:
Personal Home Page: http://www.melnikov.ca
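
The credential check described in the thread (POST username, password and realm; 200 means accept, 403 means reject), sketched as the two pieces a saslauthd-style backend would need around its HTTP transport. This is an added example, not code from the thread or from Cyrus SASL; the function names and the form field names are assumptions, and the network send/receive is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-encode src for a form body; nonzero if dst is too small. */
static int form_encode(const char *src, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (n + 1 >= cap) return -1;
            dst[n++] = (char)c;
        } else {  /* '&', '=', space etc. must not leak into the form syntax */
            if (n + 3 >= cap) return -1;
            dst[n++] = '%'; dst[n++] = hex[c >> 4]; dst[n++] = hex[c & 15];
        }
    }
    dst[n] = '\0';
    return 0;
}

/* Build the POST body. Field names are assumptions. Returns 0 on success. */
int build_post_body(const char *user, const char *pass, const char *realm,
                    char *out, size_t cap)
{
    char u[256], p[256], r[256];
    if (form_encode(user, u, sizeof u) || form_encode(pass, p, sizeof p) ||
        form_encode(realm, r, sizeof r))
        return -1;
    int n = snprintf(out, cap, "username=%s&password=%s&realm=%s", u, p, r);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 1 only for an HTTP/1.x status line carrying exactly 200; anything else
 * (403, 5xx, redirects, garbage, empty reply) is treated as a failure. */
int auth_ok_from_status_line(const char *line)
{
    if (strncmp(line, "HTTP/1.", 7) || !isdigit((unsigned char)line[7]) ||
        strncmp(line + 8, " 200", 4))
        return 0;
    return line[12] == ' ' || line[12] == '\r' || line[12] == '\0';
}

int main(void)
{
    char b[1024];   /* constructed sample credentials below */
    if (build_post_body("joe", "p&ss=w rd", "example.org", b, sizeof b) == 0)
        puts(b);
    return !auth_ok_from_status_line("HTTP/1.1 200 OK\r\n");
}
```

Because the password travels in cleartext, the POST only makes sense over TLS with the server certificate verified.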