This is a discussion on [courier-users] Splitting out PRE from AUTH within the Courier-Imap forums, part of the Mail Servers and Related category.
The background info is that I'm interested in doing something like storing account info in either USERDB or LDAP, but authenticating via PAM. I'm wondering if there is any interest in separating the "authentication" in courier-authlib into two parts -- "auth" and "account"? The "AUTH" and "PASSWD" messages would go to "auth" modules, and the "PRE" and "ENUMERATE" messages would go to "account" modules.

The changes involved would be:

(1) Modify the "AUTH" protocol to return "SUCCESS" instead of the result of a "PRE" request upon successfully authenticating a user/password combination.

(2) Modify the auth_<type>() functions in each backend module to not return auth_<type>_pre(...) but rather just 1 or 0 depending on whether the user/password combination is good or not.

(3) Modify authdaemond.c so that it keeps and uses two module lists -- authmodulelist and acctmodulelist, whose contents are set from authdaemonrc using variables with the same name.

These changes in authdaemond can be insulated from a client that uses the authlib API by modifying the auth() function in authdaemond.c to look like:

```c
void auth(...)
{
    int authenticated = 0;

    /* Loop over modules for authentication. */
    for (l = authmodulelist; l; l = l->next) {
        authenticated = <call auth_func for module l>;
        if (authenticated == 1)
            break;
    }

    if (authenticated == 0) {
        /* All modules rejected so just return "FAIL" */
        ...
        return;
    }

    /* We authenticated successfully, so now get the account info. */
    pre(...);
}
```

This would loop over the "auth" modules until one of them successfully authenticates, then invoke pre() which loops over the "account" modules until one of them successfully returns the account information. A backend module could then have "pre" function hooks that just return "FAIL", and authdaemond would simply move on down the acctmodulelist.

As an example, to do what I was describing in the background info, I would make the following settings in authdaemonrc:

```
authmodulelist="authpam authuserdb authldap"
acctmodulelist="authuserdb authldap"
```

This would cause "auth" queries to try PAM, then USERDB, then LDAP, but cause "account" queries to try USERDB, then LDAP. This would provide an easy way to do password authentication against a KDC using pam_krb5, but still use USERDB to store a virtual mail folder setup.

Is there any interest in making this type of change to courier-authlib? I would be happy to provide a patch for this if Mr. Varshavchik approves of this change. If not, please let me know and I'll drop this idea.

Thanks!

--
Johnny Lam <jlam@pkgsrc.org>
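The two-list dispatch proposed in the post, as an added stand-alone illustration (example code written for this page, not courier-authlib's own; the `struct authmodule` layout, the `auth_fn`/`pre_fn` hook signatures, the `acct_info` fields and the three fake backends are all assumptions). It uses exactly the `authmodulelist`/`acctmodulelist` ordering from the authdaemonrc settings above: the password check walks PAM, then USERDB, then LDAP; the account lookup walks USERDB, then LDAP. Note how the second stage fails closed: a user whose password PAM accepts but whose account record no module can supply still gets "FAIL".

```c
#include <stdio.h>
#include <string.h>

/* Account record handed back by the "account" stage (fields are an assumption
 * for this example; Courier's real record differs). */
struct acct_info {
    char home[64];
    unsigned uid, gid;
};

/* "auth" hook: 1 = user/password accepted, 0 = rejected. */
typedef int (*auth_fn)(const char *user, const char *pass);
/* "account" hook: 1 = *out filled in, 0 = "FAIL", move on to the next module. */
typedef int (*pre_fn)(const char *user, struct acct_info *out);

struct authmodule { const char *name; auth_fn auth; pre_fn pre; };

/* ---- constructed fake backends standing in for authpam/authuserdb/authldap ---- */

/* "authpam": checks passwords (as pam_krb5 would against a KDC) but holds no
 * mailbox data, so its pre hook always answers FAIL. */
static int pam_auth(const char *user, const char *pass)
{
    return (strcmp(user, "alice") == 0 && strcmp(pass, "krb-secret") == 0)
        || (strcmp(user, "dave") == 0 && strcmp(pass, "dave-pw") == 0);
}
static int pam_pre(const char *user, struct acct_info *out) { (void)user; (void)out; return 0; }

/* "authuserdb": stores alice's virtual mail folder, and bob's password. */
static int userdb_auth(const char *user, const char *pass)
{
    return strcmp(user, "bob") == 0 && strcmp(pass, "bob-pw") == 0;
}
static int userdb_pre(const char *user, struct acct_info *out)
{
    if (strcmp(user, "alice") != 0) return 0;
    strcpy(out->home, "/var/mail/vhosts/alice"); out->uid = out->gid = 1001;
    return 1;
}

/* "authldap": stores bob's account info only; authenticates nobody here. */
static int ldap_auth(const char *user, const char *pass) { (void)user; (void)pass; return 0; }
static int ldap_pre(const char *user, struct acct_info *out)
{
    if (strcmp(user, "bob") != 0) return 0;
    strcpy(out->home, "/var/mail/vhosts/bob"); out->uid = out->gid = 1002;
    return 1;
}

static const struct authmodule authpam    = { "authpam",    pam_auth,    pam_pre    };
static const struct authmodule authuserdb = { "authuserdb", userdb_auth, userdb_pre };
static const struct authmodule authldap   = { "authldap",   ldap_auth,   ldap_pre   };

/* authmodulelist="authpam authuserdb authldap" */
static const struct authmodule *authmodulelist[] = { &authpam, &authuserdb, &authldap, NULL };
/* acctmodulelist="authuserdb authldap" */
static const struct authmodule *acctmodulelist[] = { &authuserdb, &authldap, NULL };

/* Second stage: walk the "account" list until one module returns the record. */
int pre(const char *user, struct acct_info *out)
{
    for (const struct authmodule **l = acctmodulelist; *l; l++)
        if ((*l)->pre(user, out))
            return 1;
    return 0;   /* no module knows this account: "FAIL" */
}

/* First stage: walk the "auth" list until one module accepts the password,
 * then fetch the account record. Good password but no record still fails. */
int auth(const char *user, const char *pass, struct acct_info *out)
{
    int authenticated = 0;
    for (const struct authmodule **l = authmodulelist; *l; l++) {
        authenticated = (*l)->auth(user, pass);
        if (authenticated == 1)
            break;
    }
    if (authenticated == 0)
        return 0;   /* every auth module rejected the password: "FAIL" */
    return pre(user, out);
}

/* Helper: 1 only if auth() succeeds and the account stage returned `home`. */
int auth_gives_home(const char *user, const char *pass, const char *home)
{
    struct acct_info info = { "", 0, 0 };
    return auth(user, pass, &info) && strcmp(info.home, home) == 0;
}

int main(void)
{
    struct acct_info info = { "", 0, 0 };
    const char *names[] = { "alice", "bob", "alice", "dave" };
    const char *pws[]   = { "krb-secret", "bob-pw", "wrong", "dave-pw" };
    for (int i = 0; i < 4; i++) {
        int ok = auth(names[i], pws[i], &info);
        printf("%s: %s %s\n", names[i], ok ? "SUCCESS" : "FAIL", ok ? info.home : "");
    }
    return 0;
}
```

Keeping the module order in a configuration-driven list rather than hard-coding it means the "authpam" stand-in never has to know about mailboxes at all, and the FAIL from its pre hook is what lets authdaemond move on down acctmodulelist exactly as the post describes.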