New authentication method

Alexey Melnikov alexey.melnikov at isode.com
Thu Dec 1 06:33:45 EST 2005


Joe Ammann wrote:

>On Wednesday 30 November 2005 13:48, Alexey Melnikov wrote:
>
>>Joe Ammann wrote:
>>
>>>That's what I got down to also. Good to hear that you agree :-)
>>>
>>>Looked around in the saslauthd code a bit deeper, adding a mechanism seems
>>>rather straightforward. One question: Would there be any chance that a
>>>clean patch would be accepted into the baseline of cyrus-sasl?
>>>
>>Clean patch with no dependencies is likely to be accepted.
>
>Great. By "no dependencies" I presume you mean "no additional libraries".
>
Yes. (This is not to say that no extra libraries would ever be allowed in 
saslauthd, but this will require more extensive changes to the configure 
script, etc.)

>Or are you referring to something else?
>
>>>Currently I'm looking into adding 2 new mechanisms:
>>>
>>>auth_externalscript: call an external script, pass it the info (user,
>>>info, service, realm) via stdout, check the exit status of the script for
>>>indication of success/failure, in case of failure take the first line of
>>>stdout as the response string of the auth function
>>>
>>Sounds like CGI :-).
>>
>>I need to think about this one.
>
>Yes, that would be something like CGI. I thought that this might be a very 
>simple way of extending saslauthd for sites with low volume of 
>authentication. Of course, this mechanism would not scale very well. But it 
>would give people a simple hook to plugin their mechanisms.
>
>>>auth_httpform: pass the info to a HTTP POST form, expect either a HTTP
>>>status 200 (meaning success) or 403 (meaning forbidden). In case of 403
>>>take the HTTP response as the response string of the auth function
>>>
>>What if you get a 5XX or another 4XX response? Make the code general,
>>please.
>
>Of course, it will also handle all other responses, but somewhat differently. 
>
>200 would mean: positively accepted credentials
>403 would mean: positively refused credentials (hopefully with some meaningful 
>reason)
>
>Anything else would mean: Something went technically wrong during 
>authentication. This would be treated as if the HTTP server could not be 
>contacted at all, or as if there was some problem within the saslauthd code. 
>A meaningful reason would then be returned.
>
I think this is a bit simplistic, but let's defer this discussion until 
you write some code.

>Later, I might make it configurable which HTTP codes will be interpreted as 
>"credentials accepted" and which ones as "credentials refused".
>
>BTW: It might be wise to offer the option to use HTTPS instead of HTTP as an 
>option :-) That would of course mean that I would need the OpenSSL or GNUTLS 
>libraries. Since OpenSSL is already used within several saslauthd mechanisms, 
>I guess it would be acceptable if I used that one, too?
>
Yes. Are you planning to use client side certificates?

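The auth_externalscript mechanism Joe sketches above, written out as an added example; it is not code from this thread or from Cyrus SASL, and the mechanism was only proposed here. It assumes the convention the existing saslauthd modules follow (a malloc'd reply beginning "OK" or "NO <reason>" that the caller frees), takes the program to run as an argv array (a real module would read that from saslauthd's configuration), and feeds the four values to the script on its stdin one per line rather than on the command line, so the password never shows up in `ps`. Exit status 0 means accepted; any other exit means refused, with the script's first stdout line as the reason; failure to exec or death by a signal is reported as an error rather than as a verdict. The inline sh checker is constructed for the demonstration.

```c
/* auth_externalscript: added example of the "call an external script" mechanism
 * proposed in the thread (not Cyrus SASL code). Assumed saslauthd convention: the
 * auth function returns a malloc'd "OK" or "NO <reason>" string the caller frees. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define REPLY_MAX 256

/* Values go to the script one per line on stdin (never on argv, where `ps` would
 * expose the password), so none of them may contain a line break. */
static int has_eol(const char *s) { return strpbrk(s, "\r\n") != NULL; }

/* "NO <first line of script output>", with control characters replaced so a
 * hostile or buggy script cannot inject extra lines into saslauthd's log. */
static char *no_reply(const char *line)
{
    char *reply = malloc(REPLY_MAX);
    size_t i, n = 3;
    if (!reply) return NULL;
    memcpy(reply, "NO ", 3);
    for (i = 0; line[i] && line[i] != '\n' && line[i] != '\r' && n + 1 < REPLY_MAX; i++)
        reply[n++] = ((unsigned char)line[i] < 0x20 || line[i] == 0x7f) ? '?' : line[i];
    reply[n] = '\0';
    if (n == 3) strcpy(reply, "NO authentication failed");   /* script gave no reason */
    return reply;
}

/* argv[0] is the program to run (hypothetical; a real module would take it from
 * saslauthd's configuration). Exit 0 = accepted; any other exit = refused, with the
 * script's first stdout line as the reason. Exec failure (127, the shell convention)
 * and death by signal are errors, not a verdict on the credentials. */
char *auth_externalscript(char *const argv[], const char *login, const char *password,
                          const char *service, const char *realm)
{
    int to_child[2], from_child[2], status;
    char line[REPLY_MAX] = "";
    struct sigaction ign, old;
    FILE *w, *r;
    pid_t pid;

    if (has_eol(login) || has_eol(password) || has_eol(service) || has_eol(realm))
        return strdup("NO invalid character in credentials");
    if (pipe(to_child) < 0) return strdup("NO pipe failed");
    if (pipe(from_child) < 0) {
        close(to_child[0]); close(to_child[1]);
        return strdup("NO pipe failed");
    }
    pid = fork();
    if (pid < 0) {
        close(to_child[0]); close(to_child[1]); close(from_child[0]); close(from_child[1]);
        return strdup("NO fork failed");
    }
    if (pid == 0) {                       /* child: pipes become stdin/stdout, then exec */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        close(to_child[0]); close(to_child[1]); close(from_child[0]); close(from_child[1]);
        execv(argv[0], argv);
        _exit(127);                       /* could not execute the script */
    }
    close(to_child[0]);
    close(from_child[1]);

    /* A script that exits before reading its input would SIGPIPE us; ignore that
     * while writing and let waitpid() report what actually happened. */
    memset(&ign, 0, sizeof ign);
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    sigaction(SIGPIPE, &ign, &old);
    if ((w = fdopen(to_child[1], "w")) != NULL) {
        fprintf(w, "%s\n%s\n%s\n%s\n", login, password, service, realm);
        fclose(w);
    } else close(to_child[1]);
    sigaction(SIGPIPE, &old, NULL);

    if ((r = fdopen(from_child[0], "r")) != NULL) {
        if (!fgets(line, sizeof line, r)) line[0] = '\0';
        while (fgetc(r) != EOF) ;         /* drain so the child never blocks on stdout */
        fclose(r);
    } else close(from_child[0]);

    if (waitpid(pid, &status, 0) < 0) return strdup("NO waitpid failed");
    if (!WIFEXITED(status))           return strdup("NO script terminated abnormally");
    if (WEXITSTATUS(status) == 0)     return strdup("OK");
    if (WEXITSTATUS(status) == 127)   return strdup("NO could not execute script");
    return no_reply(line);
}

/* Constructed sample checker: an inline sh program standing in for a site's real
 * script. It accepts alice/s3cret and refuses everyone else with a reason line. */
static char *const demo_script[] = { "/bin/sh", "-c",
    "read -r user; read -r pass; read -r service; read -r realm; "
    "if [ \"$user\" = alice ] && [ \"$pass\" = s3cret ]; then exit 0; fi; "
    "echo \"user $user rejected for $service\"; exit 1", NULL };
static char *const missing_script[] = { "/nonexistent/checker", NULL };
```

Calling `auth_externalscript(demo_script, "bob", "guess", "smtp", "")` yields "NO user bob rejected for smtp", while alice/s3cret yields "OK" and `missing_script` yields "NO could not execute script". The four input lines must fit in the pipe buffer for the write-then-read ordering to be deadlock-free, which is true for any sane credential length; a production module would also want a timeout around waitpid() so a hung script cannot tie up a saslauthd worker.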

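The response-code mapping for the proposed auth_httpform mechanism, including the "what about 5XX or another 4XX" point raised above, as an added example that is not from this thread or from Cyrus SASL. `httpform_reply` and the sample responses are constructed for the demonstration, and the HTTP (or HTTPS) client side is left out: the function only decides from the raw response bytes. It treats exactly 200 as accepted and exactly 403 as refused with the server's first body line as the reason; anything else (a 302 to a login page, a 401 asking for HTTP auth, 404, 5xx, or something that is not HTTP at all) is reported as a server error without echoing the body and is never success. Control characters are stripped from the reason before it can reach a log.

```c
/* httpform_reply: added example of the status-code mapping for the proposed
 * auth_httpform mechanism. Not Cyrus SASL code; the function name and the
 * "OK"/"NO <reason>" reply convention are assumptions modelled on the existing
 * saslauthd modules. The transport is omitted: input is the raw response. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REASON_MAX 128

/* Parse "HTTP/1.x SSS ..." and return SSS, or -1 if this is not an HTTP status
 * line. Exactly three digits are required, so "2000" cannot pass as 200. */
static int parse_status_line(const char *resp)
{
    int major, minor, status;
    char after;
    if (sscanf(resp, "HTTP/%d.%d %3d%c", &major, &minor, &status, &after) != 4) return -1;
    if (after != ' ' && after != '\r' && after != '\n') return -1;
    return (status >= 100 && status <= 599) ? status : -1;
}

/* The body starts after the first blank line; NULL if the headers never end. */
static const char *find_body(const char *resp)
{
    const char *p = strstr(resp, "\r\n\r\n");
    if (p) return p + 4;
    p = strstr(resp, "\n\n");
    return p ? p + 2 : NULL;
}

/* Copy the first body line, replacing control characters with '?', so a remote
 * server cannot inject CR/LF or terminal escapes into saslauthd's log. */
static void first_line_sanitized(const char *body, char *out, size_t n)
{
    size_t i = 0;
    for (; body[i] && body[i] != '\n' && body[i] != '\r' && i + 1 < n; i++)
        out[i] = ((unsigned char)body[i] < 0x20 || body[i] == 0x7f) ? '?' : body[i];
    out[i] = '\0';
}

/* Only an exact 200 is "accepted"; only 403 is "refused" and carries the server's
 * reason. Everything else is a deployment or server fault and is reported as such
 * without echoing the body, and never as success. */
char *httpform_reply(const char *resp)
{
    char reason[REASON_MAX], *reply;
    int status = parse_status_line(resp);
    if (status < 0) return strdup("NO malformed HTTP response from auth server");
    if (status == 200) return strdup("OK");
    reply = malloc(REASON_MAX + 32);
    if (!reply) return NULL;
    if (status == 403) {
        const char *body = find_body(resp);
        first_line_sanitized(body ? body : "", reason, sizeof reason);
        snprintf(reply, REASON_MAX + 32, "NO %s", reason[0] ? reason : "credentials refused");
    } else {
        snprintf(reply, REASON_MAX + 32, "NO auth server error (HTTP %d)", status);
    }
    return reply;
}

/* Constructed sample responses, as the mechanism might receive them. */
static const char resp_ok[]       = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok";
static const char resp_denied[]   = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                                    "account locked\nsecond line is ignored";
static const char resp_redirect[] = "HTTP/1.1 302 Found\r\nLocation: https://sso.example/login\r\n\r\n";
static const char resp_hostile[]  = "HTTP/1.0 403 Forbidden\r\n\r\nbad\033[31muser\r\nOK forged";
static const char resp_garbage[]  = "<html>not an http response</html>";

int main(void)
{
    const char *samples[] = { resp_ok, resp_denied, resp_redirect, resp_hostile, resp_garbage };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *reply = httpform_reply(samples[i]);
        printf("%s\n", reply);
        free(reply);
    }
    return 0;
}
```

Running it prints "OK", "NO account locked", "NO auth server error (HTTP 302)", "NO bad?[31muser" and "NO malformed HTTP response from auth server" for the five samples. Making the accepted and refused codes configurable, as suggested later in the thread, would replace the two literal comparisons with lookups in two small sets, but the fall-through for every other code should stay an error rather than a verdict.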

More information about the Cyrus-sasl mailing list