[JDEV] custom registration [was authenticated registration]

Schuyler Heath sheath at jabber.org
Wed Mar 7 14:07:26 CST 2001


Hello,

As temas says, we already have this API.  FYI, you don't have to
write it as a JSM module in C.  You could write it as an external Perl
script or in just about any other language.

You would need to implement two components, a custom xdb backend for
register/auth data and an auth component.

I wrote a brief description of how to do the auth part here:
http://mailman.jabber.org/pipermail/jdev/2000-November/003899.html

If you or anyone else is interested I would be happy to elaborate on
these XDB and auth components.  I really should write this up into
a doc...

Schuyler

On Tue, Mar 06, 2001 at 09:31:27PM -0800, Robert Temple wrote:
> We are in the same boat as you. We have a large database of
> users we would like to get into the Jabber system. It would
> work best for us if all registration messages sent by clients
> got rejected. And when the jabber server received an auth
> message, it wouldn't look into its own database for a
> password, but instead it would somehow fetch the password
> from our system. And if the password matched but the user
> didn't exist in the Jabber system yet, it would create the
> new database entry (the user's XML file) for that new user.
> 
> I'd rather not have users' passwords stored in the Jabber
> database at all; we already have a database of usernames &
> passwords. The fewer passwords we have, the more secure we are.
> 
> Further, it would be really nice if when someone added someone 
> else to their roster but that person didn't exist, the server 
> would check our registration system to see if they exist there, 
> and if they did, send a special message back to the client that 
> lets them send an email to that new person that would ask if 
> they want to sign up for Jabber.
> 
> Short of rewriting a few server modules, there isn't an easy
> way to do this. I'd like to see a standard auth API to do
> what we need in the Jabber server or, instead of an API,
> perhaps a configuration where the server would get
> auth verification from an external agent over exterx instead.
> 
> It seems like custom authentication is needed by a lot of 
> groups.
> 
> -Robert
> 
> > -----Original Message-----
> > From: kadokev at msg.net [mailto:kadokev at msg.net]
> > Sent: Tuesday, March 06, 2001 9:57 PM
> > To: jdev at jabber.org
> > Subject: Re: [JDEV] authenticated registration
> > 
> > 
> > > I would like to stop just anyone from registering with my
> > > jabber server.
> > 
> > I have a similar issue. I need to authenticate new users
> > registering with the jabber server, to ensure that the 'login'
> > being created is their 'official' username. That is, to ensure
> > that 'login at jabber.ourdomain.com' is the same as their
> > 'login' for the 'ourdomain' NT domain.
> > 
> > No matter how big the disclaimers I put up as to the
> > non-verifiability of user information, I cannot risk having
> > 'Bob HelpDeskGuy' register as 'Jim TheCEO'.
> > 
> > It would probably be excessive (yet fun) to try to build
> > strong authentication into the Jabber server, but perhaps the
> > server *could* be extended to 'proxy' user authentication to
> > a web server?
> > 
> > 
> > > I hear you could set the spool directory read only to stop
> > > people from adding themselves. Ideally, jabberd should be
> > > able to require that a user wishing to be added to the server
> > > supply the administrator account login information, or be
> > > added to the server by the administrator him/herself.
> > 
> > Has anybody looked into having the 'spool' directory owned by
> > a web server, and use a CGI script on the HTTPd to create the
> > XML files?  This would allow for authentication of initial
> > account creation via any mechanism supported by Apache- RADIUS,
> > LDAP, NIS, mSQL, DCE, NDS, TACACS+, etc.
> > 
> > What I'll most likely end up with is a web site that uses an
> > Apache NT domain authentication module
> > (http://www.asaban.com/index_pl.html) to verify their identity
> > and create the XML file the first time. The script may also go
> > to an LDAP server and extract their full name and other detail
> > at the same time.
> > 
> > Kevin
> > 
> > _______________________________________________
> > jdev mailing list
> > jdev at jabber.org
> > http://mailman.jabber.org/listinfo/jdev
> > 
> 
> 
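The flow Robert describes in the quoted message (refuse client registration, check the password against the existing user database, create the spool entry on first successful login) can be sketched as follows. This is an added example, not part of the original thread and not jabberd's xdb or auth component API; the function names, the in-memory `DIRECTORY` stand-in, the username rule and the one-line XML entry are all assumptions made for illustration.

```python
import hashlib, hmac, os, re, tempfile

# Assumption: a conservative username rule, so a name taken from an auth
# request can never escape the spool directory ("/", "..", NUL are rejected).
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def handle_register(username):
    """Client-initiated registration is always refused."""
    return False

def handle_auth(username, password, directory, spool_dir):
    """Verify against the external directory; provision on first success."""
    if not USERNAME_RE.fullmatch(username):
        return False
    record = directory.get(username)
    if record is None:
        # Do the same hashing work for unknown users to keep timing uniform.
        hash_password(password, b"\0" * 16)
        return False
    salt, expected = record
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return False
    path = os.path.join(spool_dir, username + ".xml")
    if not os.path.exists(path):
        # Write to a temp file and rename, so a crash never leaves a partial
        # entry. Hypothetical minimal entry; no password is written to it.
        fd, tmp = tempfile.mkstemp(dir=spool_dir)
        with os.fdopen(fd, "w") as f:
            f.write("<user name='%s'/>\n" % username)
        os.replace(tmp, path)
    return True

# Constructed sample data standing in for the existing user database.
SALT = b"constructed-salt"
DIRECTORY = {"alice": (SALT, hash_password("correct horse", SALT))}
```
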