New authentication method

Joe Ammann joe at pyx.ch
Fri Nov 25 06:58:35 EST 2005


Hi all

I've been tasked to implement a new way of authentication for SASL, which 
works like this: A HTTP POST request with username, cleartext password and 
realm is passed to a webserver which either answers with a HTTP 200 response 
(meaning authentication is ok) or a HTTP 403 response (meaning that 
authentication failed).

I have used SASL purely as an administrator until now, this is the first time 
I looked into extending it. After reading docs and the source, I have come up 
with the following conclusions/possibilities to tackle this task:

1) An auxprop plugin is not adequate, because such a plugin would need to 
fetch the password from somewhere and return it to SASL, which then performs 
the verification. This does not fit the pattern at hand.

2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go, but 
saslauthd does not seem to have a "runtime plugin concept" (with shared 
libraries). I would need to change the source of saslauthd and replace the 
existing binary on the machine.

3) The pwcheck daemon would probably be the easiest to implement, but again, 
this would mean to replace the existing pwcheck daemon program (and also rely 
on the fact that the SASL implementation on the system has been compiled with 
pwcheck support)

Am I correct that these are the simple options I have? Of course, I could also 
implement a totally new pwcheck_method, or even a full plugin, but either of 
these looks too complicated to me.

Before I go into more detail, I'd like to know if I overlooked something? 
Feedback is most welcome - and as I said, this is the first time I look into 
SASL, so I might be totally wrong with my ideas :-)

CU, Joe

-- 
Remember when web browsers were just for viewing HTML pages, and not as a 
platform agnostic instant-rollout applications platform?

Yeah, me neither.
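The check the post describes, as an added example that is neither Joe's code nor part of Cyrus SASL: it POSTs username, cleartext password and realm to the web server, treats HTTP 200 as success and HTTP 403 as failure, and raises on any other answer (5xx, timeout, refused connection) so that whichever wrapper eventually calls it fails closed instead of guessing. The form field names, the `/auth` and `/broken` paths, the `allow_plain_http` switch and the stand-in backend are assumptions; the stand-in exists only so the block runs offline.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

class AuthBackendError(Exception):
    """Backend gave neither 200 nor 403, or was unreachable: the caller must fail closed."""
def check_password(url, username, password, realm, timeout=5.0, allow_plain_http=False):
    """POST username/password/realm; True on HTTP 200, False on 403, raise on anything else."""
    # The password travels in cleartext in the POST body, so insist on TLS unless told otherwise.
    if not allow_plain_http and not url.startswith("https://"):
        raise AuthBackendError("refusing to send a cleartext password over plain HTTP")
    body = urllib.parse.urlencode({"username": username, "password": password, "realm": realm})
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:  # e.g. 204 or a followed redirect: not a documented answer
                raise AuthBackendError(f"unexpected status {resp.status}")
            return True
    except urllib.error.HTTPError as e:
        if e.code == 403:
            return False
        raise AuthBackendError(f"unexpected status {e.code}") from e
    except (urllib.error.URLError, OSError) as e:  # refused connection, DNS failure, timeout
        raise AuthBackendError(f"backend unreachable: {e}") from e
# Constructed stand-in for the web server: one user in one realm (test data, not real credentials).
_USERS = {("joe", "example.org"): "s3cret"}

class _MockAuthHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        field = lambda k: form.get(k, [""])[0]
        if self.path == "/broken":  # simulates a backend outage
            self.send_response(500)
        elif _USERS.get((field("username"), field("realm"))) == field("password"):
            self.send_response(200)
        else:
            self.send_response(403)
        self.end_headers()
    def log_message(self, *args):  # keep the stand-in quiet
        pass

def start_mock_backend():
    """Serve the stand-in on a random loopback port; returns (server, auth URL)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/auth"
```

Whatever wrapper (saslauthd mech, pwcheck daemon) ends up calling `check_password`, it should report "authentication failed" on `AuthBackendError` rather than letting a backend outage look like a valid login.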

