New authentication method
Alexey Melnikov
alexey.melnikov at isode.com
Wed Nov 30 07:48:17 EST 2005
Joe Ammann wrote:
>On Monday 28 November 2005 15:36, Alexey Melnikov wrote:
>
>>Joe Ammann wrote:
>>
>>>I've been tasked to implement a new way of authentication for SASL, which
>>>works like this: A HTTP POST request with username, cleartext password and
>>>realm is passed to a webserver which either answers with a HTTP 200
>>>response (meaning authentication is ok) or a HTTP 403 response (meaning
>>>that authentication failed).
>>>
>[..]
>
>>>1) An auxprop plugin is not adequate, because such a plugin would need to
>>>fetch the password from somewhere and return it to SASL, which then
>>>performs the verification. This does not fit the pattern at hand.
>>>
>>Correct.
>
>Thank you for confirmation.
>
>>>2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go,
>>>but saslauthd does not seem to have a "runtime plugin concept" (with
>>>shared libraries). I would need to change the source of saslauthd and
>>>replace the existing binary on the machine.
>>>
>>saslauthd has replaced the pwcheck daemon. So I think this is the proper
>>way.
>
>That's what I got down to also. Good to hear that you agree :-)
>
>Looked around in the saslauthd code a bit deeper, adding a mechanism seems
>rather straightforward. One question: Would there be any chance that a clean
>patch would be accepted into the baseline of cyrus-sasl?
>
Clean patch with no dependencies is likely to be accepted.
>Currently I'm looking into adding 2 new mechanisms:
>
>auth_externalscript: call an external script, pass it the info (user, info,
>service, realm) via stdout, check the exit status of the script for
>indication of success/failure, in case of failure take the first line of
>stdout as the response string of the auth function
>
Sounds like CGI :-).
I need to think about this one.
>
>auth_httpform: pass the info to a HTTP POST form, expect either a HTTP status
>200 (meaning success) or 403 (meaning forbidden). In case of 403 take the
>HTTP response as the response string of the auth function
>
What if you get a 5XX or another 4XX response? Make the code general,
please.
This sounds Ok.
>
>Any comments? Does this sound reasonable?
>
>
>
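An added example, not code from this thread or from cyrus-sasl, of the response handling Alexey asks for in the auth_httpform idea: only a 200 counts as success, a 403 turns the first line of the body into the failure reason as Joe describes, and every other status (5XX, any other 4XX, a redirect, or a response that cannot be parsed) fails closed as a server error instead of being mistaken for either outcome. The function names, the AUTH_OK/AUTH_FAIL/AUTH_ERROR result codes and the sample responses are assumptions constructed for the example; the HTTP transport itself is left out so that only the decision logic is shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed result codes for the example. Only AUTH_OK authenticates; AUTH_FAIL
   is an explicit rejection by the web server, AUTH_ERROR is anything that is
   not a clear answer (server trouble, malformed reply). Both are failures. */
enum auth_result { AUTH_OK = 0, AUTH_FAIL = 1, AUTH_ERROR = 2 };

/* Extract the status code from a status line such as "HTTP/1.1 403 Forbidden".
   Returns -1 when the text is not a well-formed HTTP status line. */
static int parse_status_code(const char *resp)
{
    if (strncmp(resp, "HTTP/", 5) != 0)
        return -1;
    const char *sp = strchr(resp, ' ');
    if (sp == NULL)
        return -1;
    char *end;
    long code = strtol(sp + 1, &end, 10);
    if (end == sp + 1 || code < 100 || code > 599)
        return -1;
    return (int)code;
}

/* Return a pointer to the body (after the blank line ending the headers),
   or NULL if the response has no body section. */
static const char *find_body(const char *resp)
{
    const char *p = strstr(resp, "\r\n\r\n");
    if (p != NULL)
        return p + 4;
    p = strstr(resp, "\n\n");
    return p != NULL ? p + 2 : NULL;
}

/* Copy the first line of the body into reply, dropping CR/LF and replacing
   non-printable bytes so a hostile body cannot smuggle control characters
   into the reply sent back over the saslauthd socket. */
static void first_line(const char *body, char *reply, size_t len)
{
    size_t i = 0;
    while (body[i] != '\0' && body[i] != '\r' && body[i] != '\n' && i + 1 < len) {
        reply[i] = isprint((unsigned char)body[i]) ? body[i] : '?';
        i++;
    }
    reply[i] = '\0';
}

/* Map a raw HTTP response (status line, headers, body) to an auth result and
   a reply string in saslauthd's "OK" / "NO reason" style. */
enum auth_result classify_http_response(const char *resp, char *reply, size_t len)
{
    int code = parse_status_code(resp);
    const char *body = find_body(resp);

    if (code == 200) {
        snprintf(reply, len, "OK");
        return AUTH_OK;
    }
    if (code == 403) {
        /* Joe's design: the first line of the 403 body is the failure reason. */
        char reason[128] = "";
        if (body != NULL)
            first_line(body, reason, sizeof reason);
        snprintf(reply, len, "NO %s", reason[0] != '\0' ? reason : "authentication failed");
        return AUTH_FAIL;
    }
    /* Everything else is not evidence either way about the credential: fail
       closed, and report the status rather than reflecting an error page. */
    if (code < 0)
        snprintf(reply, len, "NO malformed response from authentication server");
    else
        snprintf(reply, len, "NO unexpected HTTP status %d from authentication server", code);
    return AUTH_ERROR;
}

int main(void)
{
    /* Constructed sample responses, as a web server might return them. */
    const char *samples[] = {
        "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nbad password\r\n",
        "HTTP/1.1 500 Internal Server Error\r\n\r\n<html>oops</html>",
        "HTTP/1.0 302 Found\r\nLocation: /login\r\n\r\n",
        "not http at all",
    };
    char reply[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum auth_result r = classify_http_response(samples[i], reply, sizeof reply);
        printf("result=%d reply=\"%s\"\n", (int)r, reply);
    }
    return 0;
}
```

Keeping AUTH_ERROR separate from AUTH_FAIL costs nothing and lets the daemon log an outage of the web server differently from a wrong password, while the client still only ever sees a refusal. Echoing the 403 body's first line is limited to printable characters for the same reason the status is reported instead of the body for other codes: the reply travels back over the saslauthd protocol and should not carry whatever the web server happened to send.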