[JDEV] Limiting Registrations

jabber at msg.net jabber at msg.net
Wed May 30 12:52:27 CDT 2001


> If you just want to disable that, then you need to remove the register stuff 
> from your config.  If you want to change code, it should all be in mod_register,
> what specific problems are you having?

The problem I had was, I can create an account when not logged in, but a logged
in user cannot create a new account- I was hoping to have my server set such
that an 'admin' JID could create new accounts, but not normal users. I've
taken another approach, see below.



I have a solution to restricting new account creation. It is not pretty,
and I'm hoping somebody can suggest a better mechanism than what I have:


For my deployment, I need to restrict new account creation. Rather than "cheat"
by having my account registration CGI build the spool/sitename/username.xml file
from scratch, I'm trying to "play by the rules", and instead add an additional
setting to 'jabber.xml' in <register ...> and the code in 'mod_register.c' to
prevent random users from registering the JID of their choice.


Here's what I have done-

I have a Perl CGI script in a directory for which the user has to authenticate
to the web server, the script takes the username they used, retrieves their
full name and other details from LDAP, has the user pick a new password,
then creates a new account using Net::Jabber.


To forbid account creation by any other users, but allow my script to create
accounts through the Jabber protocol, I have a modified server. In my
'jabber.xml' I have this line:

	<register notify="yes" secret="SECRETSTRINGHERE">

I have modified 'mod_register.c'- if there is a secret defined, then new
account creation will only succeed if the secret is sent as the 'misc' field
of the new account request. This is enough security for my purposes, if somebody
wants to code this as an official feature of the server, crypto should be used.

I destroy the contents of the 'misc' field before creating the account, so
the secret doesn't get stored into the xml spool files.


If anybody else needs this feature right away, my code is really ugly, it does
what I need. I can publish the changes to 'mod_register.c', however, under my
current contract, sharing my original work, (the Perl CGI script) is a problem.


BTW, I tried doing this as:
	<register notify="yes">
	<secret>SECRETSTRINGHERE</secret>
	<instructions>
	Choose a username and password to register with this server.
	 </instructions>
	<name/>
	<email/>
	</register>

Unfortunately, in this case the secret is sent as part of the instructions when
a client sends a blank register request 'get' message, which is definitely not
what I wanted :-)

Kevin Kadow
MSG.Net, Inc.
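
The two behaviours described in the message above, sketched as an added example (this is not the poster's mod_register.c change or any jabberd code): a secret placed as a child element of <register> leaks in the reply to a blank 'get', while the attribute form does not, and a 'set' is accepted only when 'misc' carries the secret, which is blanked before storage. The function names, the model of the 'get' reply as an echo of the child elements, and the constant-time comparison are assumptions of this sketch.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed config fragments; SECRETSTRINGHERE is the placeholder used in the message.
BODY = "<instructions>Choose a username and password.</instructions><name/><email/>"
CFG_ATTR = '<register notify="yes" secret="SECRETSTRINGHERE">' + BODY + "</register>"
CFG_CHILD = '<register notify="yes"><secret>SECRETSTRINGHERE</secret>' + BODY + "</register>"

def configured_secret(cfg):
    """Secret from the attribute form, else from a <secret> child, else None."""
    return cfg.get("secret") or cfg.findtext("secret")

def get_reply(cfg_xml):
    """Assumed model of the reply to a blank 'get': children of <register> are echoed."""
    cfg = ET.fromstring(cfg_xml)
    query = ET.Element("query")
    query.extend(list(cfg))  # child elements are copied; attributes of <register> are not
    return ET.tostring(query, encoding="unicode")

def handle_set(cfg_xml, request_xml):
    """Assumed model of the modified 'set' path: spool record as a string, or None if refused."""
    secret = configured_secret(ET.fromstring(cfg_xml))
    request = ET.fromstring(request_xml)
    if secret is not None:
        offered = request.findtext("misc") or ""
        # Constant-time comparison; a missing or wrong 'misc' refuses the registration.
        if not hmac.compare_digest(offered.encode(), secret.encode()):
            return None
    record = ET.Element("query")
    for field in request:
        kept = ET.SubElement(record, field.tag)
        # Blank 'misc' so the secret never reaches the spool file.
        kept.text = None if field.tag == "misc" else field.text
    return ET.tostring(record, encoding="unicode")

if __name__ == "__main__":
    # Constructed request carrying the secret in 'misc'.
    good = ("<query><username>alice</username><password>pw</password>"
            "<misc>SECRETSTRINGHERE</misc></query>")
    print(get_reply(CFG_CHILD))   # contains the secret
    print(get_reply(CFG_ATTR))    # does not
    print(handle_set(CFG_ATTR, good))
```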


