[JDEV] custom registration [was authenticated registration]

Robert Temple robert.temple at dig.com
Sun Mar 11 03:14:58 CST 2001


In each of the 3 auth modules that I know of, there is this one common
line of code that gets passwords:

foo = xdb_get(m->si->xc, m->user->id, NS_AUTH_0K);

If we create custom modules that replace each of the 3 default auth
modules, then all we need to do is to just swap that line of code out
for some of our own custom code.  Not too much of a big deal, but in
the future if you guys need to make changes to one of those modules,
then we will need to go back and change our code the same way.  Or if
you come out with a great new super secure authentication module, using
something like Kerberos, then we will have to go through and swap out
that one line for our replacement lines again.

Simply from a maintenance standpoint, it's going to require a lot of
extra work and communication trying to keep up with changes the jabber
team makes.

Now if those lines were replaced with something like

if (use_custom_auth)
  foo = (*custom_get_password_function_pointer)(m->si->xc, m->user->id);
else
  foo = xdb_get(m->si->xc, m->user->id, NS_AUTH_0K);

It would be a lot easier to supply our own passwords.

-Robert
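
Added example, not part of the original post and not jabberd code: one way to build the hook proposed above so that every auth module calls a single lookup. All names, the sample users and the passwords are hypothetical and constructed; default_get_password stands in for the xdb_get call.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hook type: returns the user's password, or NULL if unknown. */
typedef const char *(*get_password_fn)(const char *user);
static get_password_fn custom_get_password = NULL; /* NULL: use the default store */

/* Stand-in for the server's own store (the xdb_get line); constructed data. */
static const char *default_get_password(const char *user) {
    return strcmp(user, "localuser") == 0 ? "local-secret" : NULL;
}

/* Constructed stand-in for the site's existing user database. */
static const char *site_get_password(const char *user) {
    return strcmp(user, "alice") == 0 ? "site-secret" : NULL;
}

void auth_set_password_source(get_password_fn fn) { custom_get_password = fn; }

/* The one lookup each auth module would call instead of its own xdb_get line.
   Once a custom source is set, the local store is never consulted. */
static const char *auth_get_password(const char *user) {
    return custom_get_password ? custom_get_password(user) : default_get_password(user);
}

/* Compare without stopping at the first mismatching byte; a length
   mismatch always fails. */
static int secrets_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}

/* Returns 1 on success, 0 on failure (unknown user or wrong password). */
int auth_check_plain(const char *user, const char *supplied) {
    const char *stored = auth_get_password(user);
    if (stored == NULL || supplied == NULL)
        return 0;
    return secrets_equal(supplied, stored);
}

int main(void) {
    auth_set_password_source(site_get_password);
    /* alice is accepted from the site store; the local-only account is not */
    return (auth_check_plain("alice", "site-secret") == 1 &&
            auth_check_plain("localuser", "local-secret") == 0) ? 0 : 1;
}
```

With the hook registered there is no fallback to the local store, so an account that exists only in the server's own files cannot be used to get around the external system.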

-----Original Message-----
From: Thomas Muldowney [mailto:temas at box5.net]
Sent: Tuesday, March 06, 2001 11:55 PM
To: jdev at jabber.org
Subject: Re: [JDEV] custom registration [was authenticated registration]


Well we designed the module system for this reason, to be able to plug in
new modules for items that are needed.  Need a different auth system, boom
hook in the module and it should be running.  Want to verify users on
registration?  Hook in a new mod_register.  If you are not a coder at this
point I would suggest adding the ideas to the Asylum
(http://www.jabber.org/?oid=425) so that they can get even more exposure
and perhaps hacked together if someone can do it easily.

--temas

On Tue, Mar 06, 2001 at 09:31:27PM -0800, Robert Temple wrote:
> We are in the same boat as you. We have a large database of 
> users we would like to get into the Jabber system.  It would 
> work best for us if all registration messages sent by clients 
> got rejected. And when the jabber server received an auth 
> message then it wouldn't look into its own database for a 
> password, but instead it would somehow fetch the password 
> from our system.  And if the password matched but the user 
> didn't exist in the Jabber system yet, it would create the 
> new database entry (the user's xml file) for that new user.
> 
> I'd rather not have users' passwords stored in the Jabber 
> database at all, we already have a database of usernames &
> passwords. The fewer passwords we have, the more secure we are.
> 
> Further, it would be really nice if when someone added someone 
> else to their roster but that person didn't exist, the server 
> would check our registration system to see if they exist there, 
> and if they did, send a special message back to the client that 
> lets them send an email to that new person that would ask if 
> they want to sign up for Jabber.
> 
> Short of rewriting a few server modules, there isn't an easy
> way to do this.  I'd like to see a standard auth API to do 
> what we need in the Jabber server or instead of an API, 
> perhaps a configuration where the server would get auth 
> verification from an external agent over exterx instead.
> 
> It seems like custom authentication is needed by a lot of 
> groups.
> 
> -Robert
> 
> > -----Original Message-----
> > From: kadokev at msg.net [mailto:kadokev at msg.net]
> > Sent: Tuesday, March 06, 2001 9:57 PM
> > To: jdev at jabber.org
> > Subject: Re: [JDEV] authenticated registration
> > 
> > 
> > > I would like to stop just anyone from registering with my jabber
> > > server.
> > 
> > I have a similar issue. I need to authenticate new users registering
> > with the jabber server, to ensure that the 'login' being created is
> > their 'official' username. That is, to ensure that
> > 'login at jabber.ourdomain.com' is the same as their 'login' for the
> > 'ourdomain' NT domain.
> > 
> > No matter how big the disclaimers I put up as to the non-verifiability
> > of user information, I cannot risk having 'Bob HelpDeskGuy' register
> > as 'Jim TheCEO'.
> > 
> > It would probably be excessive (yet fun) to try to build strong
> > authentication into the Jabber server, but perhaps the server *could*
> > be extended to 'proxy' user authentication to a web server?
> > 
> > 
> > > I hear you could set the spool directory read only to stop people
> > > from adding themselves. Ideally, jabberd should be able to require
> > > that a user wishing to be added to the server supply the
> > > administrator account login information, or be added to the server
> > > by the administrator him/herself.
> > 
> > Has anybody looked into having the 'spool' directory owned by a web
> > server, and use a CGI script on the HTTPd to create the XML files?
> > This would allow for authentication of initial account creation via
> > any mechanism supported by Apache- RADIUS, LDAP, NIS, mSQL, DCE, NDS,
> > TACACS+, etc.
> > 
> > What I'll most likely end up with is a web site that uses an Apache
> > NT domain authentication module (http://www.asaban.com/index_pl.html)
> > to verify their identity and create the XML file the first time. The
> > script may also go to an LDAP server and extract their full name and
> > other detail at the same time.
> > 
> > Kevin
> > 
> > _______________________________________________
> > jdev mailing list
> > jdev at jabber.org
> > http://mailman.jabber.org/listinfo/jdev
> > 
> 



