[ejabberd] multiple authentication methods: order and priority of operation

Jesse Thompson jesse.thompson at doit.wisc.edu
Wed Jul 13 20:29:24 MSD 2011


On 7/12/11 2:18 PM, Daniel Dormont wrote:
> 1) Is it possible to restart the extauth program without restarting
> ejabberd?

No. (unless I missed a recent change)

However you can write your extauth program to simply call out to an 
external program.  This will allow you to modify your external program 
without needing to restart the extauth program (assuming that you set it 
up to communicate with the external program in a way that allows it).

e.g., here is a version of extauth that executes the actual 
authentication program via command line with a base64 encoded argument. 
Each request invokes a completely new version of the program, so you 
can change the program on the fly.

http://p3rl.org/8867TICH  (raw code pasted below also)

Depending on how you want to set it up, instead of command line, you can 
use socket communication, a web service, etc.  You only need to change 
the authenticate() subroutine as you see fit.

Oh, and the [perl] code to process the command line request:

     my $buf = shift;                      # the base64 argument from the command line
     my $decoded = decode_base64($buf);
     # split on ':' with limit -1 so trailing empty fields survive (a password
     # ending in ':' would otherwise be truncated); everything after the third
     # field is rejoined so the password itself may contain ':'
     my ($op, $user, $domain, @buffer_remainder) = split /:/, $decoded, -1;
     my $password = join ':', @buffer_remainder;
     # make sure you sanitize and/or verify the format of input variables!

Again, if you're going to use some other method of communication between 
your extauth program and your authentication program, this code will 
change accordingly.


> 2) Relatedly, if an ejabberd node was started with {auth_method,
> internal} only, is it possible to tell it to add an external auth as
> well without restarting ejabberd?

No. (unless I missed a recent change)

Jesse


P.S.

For archival purposes, here is the raw code I linked to above:

#!/usr/local/bin/perl

use strict;
use warnings;
use MIME::Base64;
use Unix::Syslog qw(:macros :subs);

openlog "authd", LOG_PID, LOG_LOCAL3;
syslog LOG_INFO, "starting up";

my $counter = 0;

while(1){

     $counter++;

     # get the input (exits when ejabberd closes the pipe)
     my $request = next_request();
     syslog LOG_INFO, "processing request ($counter)";

     # call the auth script to get the result
     my $result = authenticate($request);
     syslog LOG_INFO, "request ($counter) result is: $result";

     # send the result back
     send_result($result);
}

sub read_exact {

     # read exactly $len bytes from STDIN; a single sysread may return
     # fewer bytes than requested, so keep reading until the buffer is
     # full, and exit on EOF/error (ejabberd has gone away)

     my $len = shift;
     my $buf = "";
     while (length($buf) < $len) {
          my $nread = sysread STDIN, $buf, $len - length($buf), length($buf);
          exit unless $nread;
     }
     return $buf;
}

sub next_request {

     # blocking read for incoming requests: a 2-byte big-endian length
     # followed by that many bytes of "op:user:domain:password"

     # this code chunk came from the example ejabberd auth script
     my $len = unpack "n", read_exact(2);
     return read_exact($len);
}

sub authenticate {

     # encode the request and call the auth script
     # with the request as the argument

     my $request = shift;
     # '' as the line-ending argument suppresses the newlines that
     # encode_base64 would otherwise insert every 76 characters
     my $enc_request = encode_base64($request, '');
     # base64 output only contains [A-Za-z0-9+/=], so it is safe to pass
     # on the command line without further quoting
     my $result = `/path/to/auth.pl $enc_request`;
     # strip the trailing newline: "0\n" is a true value in Perl and would
     # otherwise be reported to ejabberd as a successful authentication;
     # an empty result (script missing or failed) stays false, i.e. deny
     chomp $result;
     return $result;
}

sub send_result {

     # send boolean result back to ejabberd server: length 2, then 1 or 0

     my $result = shift;
     syswrite STDOUT, pack "nn", 2, $result ? 1 : 0;
}
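As an added example that is not part of the list post, here is the same extauth framing rendered in Python rather than Perl: the 2-byte big-endian length prefix (`struct "!H"`, the equivalent of `pack "n"`) read with a loop that tolerates short reads, the `op:user:domain:password` split with a limit so colons in the password survive, the `pack "nn", 2, 0|1` reply, and an unknown op or a missing user always answered with 0. The `serve()` loop, the `USERS` table and `demo_checker` are assumptions standing in for the external auth program; `run_requests()` feeds constructed frames through in-memory pipes so it runs offline.

```python
import hmac
import io
import struct

HEADER = struct.Struct("!H")   # same layout as Perl's pack "n"
REPLY = struct.Struct("!HH")   # same layout as Perl's pack "nn"

def read_exact(stream, n):
    """Loop until n bytes arrive (a single read may be short); b'' on EOF."""
    buf = b""
    while len(buf) < n and (chunk := stream.read(n - len(buf))):
        buf += chunk
    return buf if len(buf) == n else b""

def next_request(stream):
    """Read one length-prefixed request; None once ejabberd closes the pipe."""
    hdr = read_exact(stream, HEADER.size)
    return (read_exact(stream, HEADER.unpack(hdr)[0]) or None) if hdr else None

def decode_request(payload):
    """Split 'op:user:domain:password'; only the password may contain ':'."""
    fields = payload.decode("utf-8", "replace").split(":", 3)
    return tuple(fields + [""] * (4 - len(fields)))   # isuser has no password

def encode_result(ok):
    """Reply frame: length 2, then 1 (accept) or 0 (reject)."""
    return REPLY.pack(2, 1 if ok else 0)

def serve(stream_in, stream_out, checker):
    """Answer frames until EOF; ops other than auth/isuser are rejected."""
    while (payload := next_request(stream_in)) is not None:
        op, user, domain, password = decode_request(payload)
        ok = op in ("auth", "isuser") and checker(op, user, domain, password)
        stream_out.write(encode_result(ok))

USERS = {("alice", "example.org"): "pa:ss"}   # constructed credential store

def demo_checker(op, user, domain, password):
    """Assumed stand-in for the external auth program; unknown users never match."""
    stored = USERS.get((user, domain))
    if stored is None or op == "isuser":
        return stored is not None
    return hmac.compare_digest(stored.encode(), password.encode())

def run_requests(texts):
    """Frame each request as ejabberd would and return the raw reply bytes."""
    data = b"".join(HEADER.pack(len(t.encode())) + t.encode() for t in texts)
    out = io.BytesIO()
    serve(io.BytesIO(data), out, demo_checker)
    return out.getvalue()
```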
