New authentication method

Alexey Melnikov alexey.melnikov at isode.com
Wed Nov 30 07:48:17 EST 2005


Joe Ammann wrote:

>On Monday 28 November 2005 15:36, Alexey Melnikov wrote:
>
>>Joe Ammann wrote:
>>
>>>I've been tasked to implement a new way of authentication for SASL, which
>>>works like this: A HTTP POST request with username, cleartext password and
>>>realm is passed to a webserver which either answers with a HTTP 200
>>>response (meaning authentication is ok) or a HTTP 403 response (meaning
>>>that authentication failed).
>
>[..]
>
>>>1) An auxprop plugin is not adequate, because such a plugin would need to
>>>fetch the password from somewhere and return it to SASL, which then
>>>performs the verification. This does not fit the pattern at hand.
>>
>>Correct.
>
>Thank you for confirmation.
>
>>>2) A saslauthd mech type (like PAM or RIMAP) looks like an easy way to go,
>>>but saslauthd does not seem to have a "runtime plugin concept" (with
>>>shared libraries). I would need to change the source of saslauthd and
>>>replace the existing binary on the machine.
>>
>>saslauthd has replaced the pwcheck daemon. So I think this is the proper
>>way.
>
>That's what I got down to also. Good to hear that you agree :-)
>
>Looked around in the saslauthd code a bit deeper; adding a mechanism seems
>rather straightforward. One question: Would there be any chance that a clean
>patch would be accepted into the baseline of cyrus-sasl?
>
Clean patch with no dependencies is likely to be accepted.

>Currently I'm looking into adding 2 new mechanisms:
>
>auth_externalscript: call an external script, pass it the info (user, info,
>service, realm) via stdout, check the exit status of the script for
>indication of success/failure, in case of failure take the first line of
>stdout as the response string of the auth function
>
Sounds like CGI :-).

I need to think about this one.

>auth_httpform: pass the info to a HTTP POST form, expect either a HTTP status
>200 (meaning success) or 403 (meaning forbidden). In case of 403 take the
>HTTP response as the response string of the auth function
>
What if you get a 5XX or another 4XX response? Make the code general,
please.

This sounds Ok.

>Any comments? Does this sound reasonable?
>
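The "make the code general" point above, as an added example in C that is not part of this thread and not code from saslauthd or cyrus-sasl: a classifier for the auth_httpform idea that treats only an explicit HTTP 200 as success, hands back the server's first body line for a 403, and fails closed with a generic reason on any other 4xx, 5xx or unparseable response. The type and function names (`auth_result_t`, `http_status_code`, `classify_http_response`), the "OK" / "NO reason" reply convention and the sample responses are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one authentication check. Names are chosen for this example,
 * not taken from saslauthd. */
typedef enum { AUTH_OK = 0, AUTH_NO = 1 } auth_result_t;

/* Constructed sample responses, standing in for what the webserver would send. */
static const char RESP_200[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
static const char RESP_403[] = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                               "bad password for realm example.org\r\nsecond line ignored\r\n";
static const char RESP_503[] = "HTTP/1.1 503 Service Unavailable\r\n\r\nbackend down\r\n";
static const char RESP_401[] = "HTTP/1.1 401 Unauthorized\r\n\r\n";
static const char RESP_BAD[] = "<html>not an http status line</html>";

/* Extract the three-digit status code from the status line, or -1 if the
 * response does not start with a well-formed "HTTP/x.y NNN" line. */
int http_status_code(const char *response)
{
    int major, minor, code;
    if (sscanf(response, "HTTP/%d.%d %3d", &major, &minor, &code) != 3)
        return -1;
    if (code < 100 || code > 599)
        return -1;
    return code;
}

/* Build "NO <first body line>" into msg, bounding the copy so an oversized
 * or hostile body cannot overrun the caller's buffer. Falls back to a
 * generic reason when the body is empty or missing. msglen must be >= 4. */
static void reason_from_body(const char *response, char *msg, size_t msglen)
{
    const char *body = strstr(response, "\r\n\r\n");
    size_t n = 0;
    if (body != NULL) {
        body += 4;
        n = strcspn(body, "\r\n");
    }
    if (n == 0) {
        snprintf(msg, msglen, "NO authentication failed");
        return;
    }
    if (n > msglen - 4)          /* leave room for "NO " and the NUL */
        n = msglen - 4;
    memcpy(msg, "NO ", 3);
    memcpy(msg + 3, body, n);
    msg[3 + n] = '\0';
}

/* Map an HTTP response onto an auth result and a saslauthd-style reply
 * string ("OK" or "NO reason"). Only an explicit 200 is success; 403 carries
 * the server's reason; everything else, including 5xx, other 4xx and
 * unparseable data, is a failure with a generic reason, so an outage or a
 * misconfigured server can never be mistaken for a valid login. */
auth_result_t classify_http_response(const char *response, char *msg, size_t msglen)
{
    int code = http_status_code(response);

    if (code == 200) {
        snprintf(msg, msglen, "OK");
        return AUTH_OK;
    }
    if (code == 403) {
        reason_from_body(response, msg, msglen);
        return AUTH_NO;
    }
    if (code < 0)
        snprintf(msg, msglen, "NO malformed response from authentication server");
    else if (code >= 500)
        snprintf(msg, msglen, "NO authentication server error (HTTP %d)", code);
    else
        snprintf(msg, msglen, "NO unexpected HTTP status %d", code);
    return AUTH_NO;
}

int main(void)
{
    const char *samples[] = { RESP_200, RESP_403, RESP_503, RESP_401, RESP_BAD };
    char msg[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        auth_result_t r = classify_http_response(samples[i], msg, sizeof msg);
        printf("%s -> %s\n", r == AUTH_OK ? "AUTH_OK" : "AUTH_NO", msg);
    }
    return 0;
}
```

The design choice worth noting is the default branch: a mechanism that checks `code != 403` and otherwise returns OK would accept logins whenever the webserver is down or returns a redirect, which is exactly the gap the question about 5XX and other 4XX responses is pointing at. Logging the server's reason separately from what is echoed back to the client is also sensible, since the body line is server-controlled text.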