[ejabberd] external authentication patch

Leif Johansson leifj at it.su.se
Mon May 3 20:50:32 MSD 2004


I respectfully submit a patch to support external authentication
mechanisms in ejabberd through an erlang port for your consideration.

A few notes:

- I have separated auth_method() from user_method(). This allows
the server to run with (say) PAM auth but keep mnesia users.

- I have implemented a set_password wrapper - external auth may
implement this.

- I have enclosed an example external auth mech written in Perl using
Authen::Krb5::Simple to provide Kerberos authentication. I use this
with sub-principals (e.g. user/jabber at REALM) in my experimental setup.

The extauth.erl module contains the Erlang port. The protocol is
very simple. My first implementation was done using a port driver dll
but since Erlang doesn't dlopen using RTLD_GLOBAL you get into all
kinds of dynamic-library dependency problems. It should really run
under a supervisor.

The external mech would actually benefit from getting the full JID
instead of just the username. What are your thoughts on that?

	Best R
	Leif Johansson

PS My team also works on a major erlang project:

	http://www.stacken.kth.se/projekt/yxa/

We are interested in building a jabber/simple-gw based on ejabberd. DS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: extauth.tar.gz
Type: application/x-tar
Size: 2165 bytes
Desc: not available
Url : http://lists.jabber.ru/pipermail/ejabberd/attachments/20040503/c7117467/extauth.tar.tar
-------------- next part --------------
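#!/usr/local/bin/perl

use strict;
use warnings;
use Authen::Krb5::Simple;

my $krb = Authen::Krb5::Simple->new();

# Packets are binary: a 2-byte big-endian length followed by the payload.
binmode STDIN;
binmode STDOUT;

while(1)
  {
    # my $rin = '',$rout;
    # vec($rin,fileno(STDIN),1) = 1;
    # $ein = $rin;
    # my $nfound = select($rout=$rin,undef,undef,undef);

    my $buf = "";
    my $nread = sysread STDIN,$buf,2;
    # EOF or read error means ejabberd closed the port: exit rather than spin.
    exit 0 unless $nread;
    #do { warn "Protocol error $nread != 2\n"; next } unless $nread == 2;
    next unless $nread == 2;
    my $len = unpack "n",$buf;
    $nread = sysread STDIN,$buf,$len;
    exit 0 unless defined $nread;

    # Payload is "op:user:password". The split limit of 3 keeps colons inside
    # the password; a short read leaves all three fields empty.
    my @f = $nread == $len ? split(/:/,$buf,3) : ();
    my ($op,$user,$password) = map { defined $_ ? $_ : '' } @f[0..2];
    # Map "user.jabber" to the sub-principal "user/jabber".
    $user =~ s/\./\//g;
    # Fail closed: a malformed packet or unknown operation reports failure.
    my $res = 99;

  SWITCH:
      {
        $op eq 'auth' and do
          {
            $res = $krb->authenticate($user,$password);
            #warn "$user $password: ".($res ? $res->errstr : "")."\n";
          },last SWITCH;

        $op eq 'setpass' and do
          {
            # Password changes are not implemented: always report failure.
            $res = 99;
          },last SWITCH;
      };
    # Reply is the length 2 followed by the result: 1 = success, 0 = failure.
    # The mapping below treats a false $res as success (setpass reports
    # failure with 99). Confirm that authenticate() in the installed
    # Authen::Krb5::Simple follows that convention; if it returns true on
    # success, invert the test, otherwise failed logins are reported as
    # successful.
    my $out = pack "nn",2,!$res ? 1 : 0;
    syswrite STDOUT,$out;
  }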
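
The wire format the Perl script above reads and writes, seen from both ends of the port, as an added example that is not part of the original post or of ejabberd. All function names, the `alice` account and the `demo_verify` stand-in for the Kerberos check are assumptions made for illustration.

```python
import io
import struct

def encode_request(op, user, password):
    """Frame a request: 2-byte big-endian length, then op:user:password."""
    payload = f"{op}:{user}:{password}".encode()
    if len(payload) > 0xFFFF:
        raise ValueError("payload exceeds the 16-bit length prefix")
    return struct.pack(">H", len(payload)) + payload

def read_exact(stream, n):
    """Read exactly n bytes; None on EOF or a truncated packet."""
    data = b""
    while len(data) < n:
        chunk = stream.read(n - len(data))
        if not chunk:
            return None
        data += chunk
    return data

def decode_request(stream):
    """Return (op, user, password), or None if the packet is malformed."""
    header = read_exact(stream, 2)
    if header is None:
        return None
    (length,) = struct.unpack(">H", header)
    payload = read_exact(stream, length)
    if payload is None:
        return None
    fields = payload.split(b":", 2)  # at most 3 fields: colons stay in the password
    if len(fields) != 3:
        return None
    return tuple(f.decode("utf-8", "replace") for f in fields)

def handle(request, verify):
    """Fail closed: only a well-formed 'auth' that verify() accepts yields 1."""
    if request is None:
        return 0
    op, user, password = request
    return 1 if op == "auth" and verify(user, password) else 0

def encode_response(ok):
    """Reply frame: length 2, then result 1 (success) or 0 (failure)."""
    return struct.pack(">HH", 2, 1 if ok else 0)

# Constructed sample: a password containing ':' and a hypothetical verifier.
SAMPLE = encode_request("auth", "alice", "s3:cr:et")
def demo_verify(user, password):
    return (user, password) == ("alice", "s3:cr:et")
```

Feeding `SAMPLE` or a truncated copy of it through `decode_request` and `handle` shows the two cases the script has to get right: a colon inside the password and a short packet.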

