(RADIATOR) Feature Request: <AuthBy IMAPS>

Mike McCauley mikem at open.com.au
Wed Nov 10 19:29:22 CST 2004


Hello Charly,


On Thursday 11 November 2004 09:38, Karl Gaissmaier wrote:
> Hi Mike,
>
> ...
>
> > Actually, I had a look at the Net::IMAP::Simple and
> > Net::IMAP::Simple::SSL modules yesterday. If AuthIMAP used them, some
> > features would be lost, such as Debug and Timeout, but I note that
> > Mail::IMAPClient has a feature that allows the socket to be replaced
> > with, say, an SSL socket, so that may be an alternative way to go.
>
> yep, I had now also a deeper look and I think Net::IMAP::Simple...
> isn't the proper choice, since there isn't a plain authenticated()
> method. The login() method already selects the INBOX mailfolder
> and the quit() EXPUNGES also, there isn't a plain LOGOUT cmd.

Yes, I noticed that too, and didn't like it much.


>
> And I looked a little bit deeper into AuthByIMAP (nearly a plain
> copy from your AuthByPOP3). I don't understand why you've
> overridden the handle_request() method from AuthGeneric in AuthByPOP3
> and not just the findUser().
>
> One reason could be, that you don't like the DEFAULT(n) user
> handling in the handle_request, but this could be solved
> with a NoDefault initial value.
>
> The second reason could be that you wish to deal yourself
> with the missing check attributes, since the POP3/IMAP
> delivers naturally no check/reply attributes.
>
> But the problem with your solution is the diverging
> handle_request codes in AuthGeneric and a lot of
> different AuthBy... modules. If you invent a new
> config variable like let me say the already used
> 'fork' these modules will not do what the documentation
> describes.

You are right: it is usually best not to override handle_request. The method 
you suggest is quite good. I find that for methods that do remote 
verification of plaintext passwords, it is even better to make findUser 
return a dummy empty user, and implement check_plain_password. It will then 
work with PAP and EAP_TTLS_PAP.

Overriding handle_request is a very simple but effective method that works 
only in simple environments.

Cheers.

>
> What is wrong if I would implement a findUser()
> method with the following meta code:
>
> sub initialize
> {
>      my ($self) = @_;
>      $self->SUPER::initialize;
>      $self->{NoDefault} = 1; # this must be explained in the documentation!
> }
>
> sub findUser {
>    my ($self, $name, $p) = @_;
>    my $pwd = $p->decodedPassword;
>
>    open socket or return (undef, 1)
>    try to login with name/pwd
>    close socket
>
>    my $user = Radius::User->new($name);
>
>    if login ok {
>       $user->get_check->add_attr('Auth-Type','Accept');
>    } else {
>       $user->get_check->add_attr('Auth-Type','Reject');
>    }
>
>    return $user;
> }
>
>
> Best Regards
> 	Charly

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
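
The approach described in the reply above (findUser returns a dummy empty user and check_plain_password does the remote verification), as an added example that is not part of the original message and is not Radiator's own code. Assumptions: the package name Radius::AuthIMAPS, the Host, Port and Timeout parameters, the argument order of check_plain_password, and Mail::IMAPClient's Ssl option accepting an array reference of IO::Socket::SSL arguments.

```perl
# Hypothetical module: Radius::AuthIMAPS is an illustration, not a shipped Radiator module.
package Radius::AuthIMAPS;
use strict;
use warnings;
use Radius::AuthGeneric;
use Radius::User;
use Mail::IMAPClient;
use IO::Socket::SSL;              # exports SSL_VERIFY_PEER
our @ISA = ('Radius::AuthGeneric');

sub initialize {
    my ($self) = @_;
    $self->SUPER::initialize;
    $self->{NoDefault} = 1;       # no DEFAULT(n) user lookups, as proposed in the thread
    $self->{Host}      = 'imap.example.org';   # placeholder host (assumed parameter)
    $self->{Port}      = 993;     # IMAP over TLS
    $self->{Timeout}   = 10;      # seconds (assumed parameter)
}

# IMAP delivers no check or reply items, so return a dummy empty user
# and leave the password test to check_plain_password.
sub findUser {
    my ($self, $name, $p) = @_;
    return Radius::User->new($name);
}

# Assumed argument order: user name, submitted password, stored password, packet.
# Returns true only when the IMAP server accepts the LOGIN.
sub check_plain_password {
    my ($self, $name, $submitted_pw, $correct_pw, $p) = @_;
    # Never forward an empty password to the IMAP server.
    return 0 unless defined $submitted_pw && length $submitted_pw;

    my $imap = Mail::IMAPClient->new(
        Server  => $self->{Host},
        Port    => $self->{Port},
        Timeout => $self->{Timeout},
        Ssl     => [ SSL_verify_mode     => SSL_VERIFY_PEER,   # verify the certificate
                     SSL_verifycn_scheme => 'imap' ],          # and its host name
    ) or return 0;                # connect or TLS failure: fail closed

    $imap->User($name);
    $imap->Password($submitted_pw);
    my $ok = $imap->login ? 1 : 0;   # plain LOGIN, INBOX is never selected
    $imap->logout;                   # plain LOGOUT, nothing is expunged
    return $ok;
}

1;
```

Because the connection is opened without credentials and login is called separately, a TLS or connect failure can be told apart from a rejected password, and both end in a reject.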
