[JDEV] custom registration [was authenticated registration]
Robert Temple
robert.temple at dig.com
Tue Mar 6 23:31:27 CST 2001
We are in the same boat as you. We have a large database of
users we would like to get into the Jabber system. It would
work best for us if all registration messages sent by clients
got rejected. And when the jabber server received an auth
message, it wouldn't look into its own database for a
password, but instead it would somehow fetch the password
from our system. And if the password matched but the user
didn't exist in the Jabber system yet, it would create the
new database entry (the user's xml file) for that new user.

I'd rather not have users' passwords stored in the Jabber
database at all, we already have a database of usernames &
passwords. The fewer passwords we have, the more secure we are.

Further, it would be really nice if when someone added someone
else to their roster but that person didn't exist, the server
would check our registration system to see if they exist there,
and if they did, send a special message back to the client that
lets them send an email to that new person that would ask if
they want to sign up for Jabber.

Short of rewriting a few server modules, there isn't an easy
way to do this. I'd like to see a standard auth API to do
what we need in the Jabber server or instead of an API,
perhaps a configuration where the server would get
auth verification from an external agent over exterx instead.

It seems like custom authentication is needed by a lot of
groups.

-Robert
> -----Original Message-----
> From: kadokev at msg.net [mailto:kadokev at msg.net]
> Sent: Tuesday, March 06, 2001 9:57 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] authenticated registration
>
>
> > I would like to stop just anyone from registering with my jabber server.
>
> I have a similar issue. I need to authenticate new users registering with
> the jabber server, to ensure that the 'login' being created is their
> 'official' username. That is, to ensure that 'login at jabber.ourdomain.com'
> is the same as their 'login' for the 'ourdomain' NT domain.
>
> No matter how big disclaimers I put up as to the non-verifiability of user
> information, I cannot risk having 'Bob HelpDeskGuy' register as 'Jim TheCEO'.
>
> It would probably be excessive (yet fun) to try to build strong authentication
> into the Jabber server, but perhaps the server *could* be extended to 'proxy'
> user authentication to a web server?
>
>
> > I hear you could set the spool directory read only to stop people from
> > adding themselves. Ideally, jabberd should be able to require that a user
> > wishing to be added to the server supply the administrator account login
> > information, or be added to the server by the administrator him/herself.
>
> Has anybody looked into having the 'spool' directory owned by a web server,
> and use a CGI script on the HTTPd to create the XML files? This would allow
> for authentication of initial account creation via any mechanism supported
> by Apache- RADIUS, LDAP, NIS, mSQL, DCE, NDS, TACACS+, etc.
>
> What I'll most likely end up with is a web site that uses an Apache
> NT domain authentication module (http://www.asaban.com/index_pl.html) to
> verify their identity and create the XML file the first time. The script
> may also go to an LDAP server and extract their full name and other detail
> at the same time.
>
> Kevin
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>
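
The flow requested in this message (refuse in-band registration, check the password against the existing user system, create the user's XML file on first successful login) as an added example that is not part of the original thread and not jabberd code. The class, the verifier callable, the one-element XML record and the sample directory are all hypothetical.

```python
import hmac
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: names are limited to this set so a username used as a spool
# file name can never contain a path separator or start with a dot.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

# Constructed sample data standing in for the site's existing user database.
DEMO_DIRECTORY = {"jim": "s3cret-jim", "bob": "s3cret-bob"}


def demo_verifier(username, password):
    """Stand-in for the external system: True only for a known user/password."""
    expected = DEMO_DIRECTORY.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class DelegatingAuth:
    """Auth front end that keeps no passwords of its own (hypothetical)."""

    def __init__(self, spool_dir, verify_external):
        self.spool = Path(spool_dir)
        self.verify_external = verify_external  # callable(user, pw) -> bool

    def handle_register(self, username, password):
        # Clients can never create accounts themselves.
        return "rejected"

    def handle_auth(self, username, password):
        username = username.lower()
        if not USERNAME_RE.fullmatch(username):
            return "rejected"
        if not self.verify_external(username, password):
            return "rejected"
        # First successful login: create the record, without any password.
        record = self.spool / f"{username}.xml"
        try:
            with record.open("xb") as fh:  # exclusive create, no overwrite
                root = ET.Element("user", {"name": username})
                fh.write(ET.tostring(root, encoding="utf-8"))
            return "provisioned"
        except FileExistsError:
            return "ok"
```

Because a record is only written after the external check succeeds for that exact username, the local account name always matches the name in the existing user system.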