Jim Ramsay wrote:

> I'm currently working on "Auth.py" to try to make it more of a
> general solution to authentication than it currently is.  I think
> David Guerizec planned to have it eventually replace the
> authentication parts of tmda-cgi, tmda-ofmipd, and be used in
> tmda-gui / tmda-manager - all in the name of reducing code
> duplication.

Sounds good to me, but I haven't looked at the code yet. You've
definitely got your work cut out for you though. Good luck!
(more comments below)


<snip>

> 4) What features are necessary?  What are useful?
> 
> Here's the list I have so far of things I think it should do:
> 
> - (If a class) Initialize the object with or without choosing the
>   authentication method
> 
> - Choose/change the authentication method (currently possible but
>   not neatly encapsulated)
> 
> - Frontend: Check a plaintext password (currently possible, needs
>   some prettying up)
> 
> - Frontend: Check a cram-md5 digest given the digest and the
>   original ticket.  (Can only be done if there is a plaintext
>   password, I think) (currently not supported)
> 
> - Backend: Check against a tmda-ofmipd-style username:cleartext
>   file (must be mode 400 or 600) (Necessary to support cram-md5
>   authentication) (Not implemented yet)
> 
> - Backend: Check against a tmda-cgi-style username:crypt-password
>   file (may be any mode) (Not implemented yet)
> 
> - Backend: Use checkpassword authentication (implemented and
>   seems to work)
> 
> - Backend: Use remote authentication (implemented and seems to
>   work with imap, other protocols not tested yet)
> 
> Here's the list of what it might be able to do:
> 
> - Setup the HOME and USER environment variables for a user
>   (should support virtual users) (Not really implemented yet)
> 
> - Set the userid of the current process to that of a user (should
>   support virtual users) (May be implemented for regular users)
> 
> - Fork off, set the userid, and run a program as a user
>   (Partially implemented, I think)

Yes. 

But wait, there's more! Currently tmda-ofmipd also calls an
external program to retrieve virtual user home directories.
(See the -S option) Something like that is a must for virtual
users.

I'd be more than willing to work with you on this as far as
requirements and implementation go with virtual users. I'd
love to see virtual user support become global in TMDA.



> 
> 4) Since tmda-ofmipd does all these things and more so well, I'm
> transferring a lot of that code into Auth.py, and so I have one
> question about an undocumented feature in tmda-ofmipd:
> What is /etc/ipauthmapfile for in tmda-ofmipd?  I understand
> how it works, mapping the host and port automatically based on
> the local address, but not what it's for.

It's overkill. Tim Legant implemented it when he implemented support
for vpopmail and VMailMgr virtual users as a way to make sure that
future needs would be satisfied. He told me he disliked restrictive
programming.

tmda-ofmipd now opens IMAP/IMAPS/POP3/etc... ports on the same IP
as it is called by default. This is enough for me and my
implementation of vpopmail + Courier-IMAP + TMDA with IP alias domain
support. But Tim created the ipauthmap file just in case someone
wanted to do something crazy and map IPs in a different manner
(presumably without rhyme or reason).

As far as I know, no-one actually uses it yet.


>  Or should I assume
> that tmda-ofmipd would take care of this ipauth mapping jazz and
> just pass the final uri to Auth.py?

Well, that depends on whether or not you want to implement IMAP/POP3
authentication in Auth.py. If you do, then you should probably
implement the ipauthmap file in Auth.py too.



<snip>

> 
> I think that's all I've got for now, thanks for your time!
> 

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net

We are actively looking for companies that do a lot of long
distance faxing and want to cut their long distance bill by
up to 50%.  Contact [EMAIL PROTECTED] for more info.

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
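
The cram-md5 frontend and the username:cleartext backend from the feature list above, sketched as an added example that is not part of the original message and is not TMDA's code. The function names and the one-entry-per-line file layout are assumptions; the sample user, password and ticket are the ones from the example in RFC 2195.

```python
import hmac
import os
import stat
import tempfile

def load_cleartext_file(path):
    """Read username:cleartext lines; refuse any file not mode 400 or 600."""
    with open(path, encoding="utf-8") as fh:
        # fstat the open descriptor so the mode checked is the file actually read
        mode = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        if mode not in (0o400, 0o600):
            raise PermissionError("%s is mode %03o, need 400 or 600" % (path, mode))
        users = {}
        for line in fh:
            user, sep, password = line.rstrip("\r\n").partition(":")
            if sep and user:
                users[user] = password
    return users

def check_cram_md5(users, username, ticket, digest):
    """True if digest is hex HMAC-MD5(key=cleartext password, msg=ticket)."""
    password = users.get(username)
    # Unknown users still get an HMAC computed so both paths do similar work
    key = (password or "").encode("utf-8")
    expected = hmac.new(key, ticket.encode("utf-8"), "md5").hexdigest()
    match = hmac.compare_digest(expected.encode(), digest.strip().lower().encode("utf-8"))
    return password is not None and match

def demo():
    """Constructed sample: the user, password and ticket from RFC 2195's example."""
    ticket = "<1896.697170952@postoffice.reston.mci.net>"
    digest = "b913a602c7eda7a495b4e6e7334d3890"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("tim:tanstaaftanstaaf\n")
        os.chmod(path, 0o600)
        users = load_cleartext_file(path)
        good = check_cram_md5(users, "tim", ticket, digest)
        bad = check_cram_md5(users, "tim", ticket, "0" * 32)
        os.chmod(path, 0o644)  # world-readable: must be rejected
        try:
            load_cleartext_file(path)
            rejected = False
        except PermissionError:
            rejected = True
        return good, bad, rejected
    finally:
        os.remove(path)
```

The server has to hold the cleartext password because it is the HMAC key, which is why this backend needs the strict file mode while the crypt-password file does not.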
