From owner-freebsd-questions@FreeBSD.ORG Sat Sep 25 01:22:28 2004
Delivered-To: freebsd-questions@freebsd.org
Date: Fri, 24 Sep 2004 21:22:22 -0400
From: Al Johnson
To: freebsd-questions@freebsd.org
Message-ID: <20040925012222.GB72298@bhunter.net>
References: <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040923113709.GB30497@happy-idiot-talk.infracaninophile.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: Re: Advice: "The Right" authentication method
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Sat, 25 Sep 2004 01:22:28 -0000

On Thu, Sep 23, 2004 at 12:37:09PM +0100, Matthew Seaman wrote:
> On Thu, Sep 23, 2004 at 11:53:40AM +0100, Andy Holyer wrote:
> > I'm working on writing the "Control Panel" scripts which subscribers to
> > our ISP will use to set up their eMail accounts and web space.
> >
> > Here's the Server spec:
> >
> > FreeBSD-Current;
> > Perl 5.6.1, no problem installing any needed modules;
> > Apache 2;
> > I'm keeping ordinary customers off the machine, so I run Postfix and
> > Cyrus and use sasl2 for customer passwords. I'd like to use these IDs to
> > arrange access to the control panel system.
> >
> > I'm stuck at the very start of my design process. I have two tasks to
> > do:
> >
> > Verify that users have supplied the correct password; and let the perl
> > scripts know who that visitor is, so that we can select the correct
> > accounts to show.
> >
> > Do I use SASL directly? or LDAP? or do I implement an Apache module to
> > handle access and let Apache do the work?
> >
> > I want to do "The right thing" - that is, the most general and correct
> > thing possible. I've got years of experience in perl scripting, but at
> > the moment I'm wandering around in a twisty little maze of standards, all
> > different.
> >
> > Clue, please?
>
> You're basically writing a web application. For which you need access
> control. You've got two choices: either use the HTTP basic or HTTP
> digest auth mechanisms built into HTTP, and supported by Apache, or
> (and this is by far the most popular choice) write your own
> authentication mechanism as part of your application[1].
>
> The second choice gives you a lot more flexibility about how you
> customise things and how you make the login screen look, which is
> probably why it's more popular. You can also arrange things to avoid
> sending passwords across the net in cleartext if you're cunning
> enough.
>
> However you do it, the authentication process is essentially that the
> client sends you two pieces of information: their username (ie. who
> they claim to be) and some form of secret. The secret is usually a
> password, but it can be something more complicated like an Opie
> one-time password or whatever. Then in your application you compare
> the secret to your stored version of it, and if they match you believe
> that the client is who they say they are and that they should have
> access. Of course, you don't want to keep the secret values lying
> around in plain text: the standard Unix response to all that is to
> generate a password hash using DES or MD5 to store, and to try and
> recreate that hash using the password supplied by the user.
>
> That's where SASL comes in: instead of having to code up all that
> stuff yourself, SASL is a library of authentication methods that you
> can just plug into your application.
>
> Yes, you will need some sort of user account database -- often
> implemented using a RDBMS, but could with little extra effort be made
> to operate against an LDAP or RADIUS server. Or whatever the database
> type you're already using for your Postfix+Cyrus setup.
>
> There are several examples of doing this sort of thing within the
> ports system -- most are written in PHP, but check out devel/bugzilla
> and www/rt3 for perl based examples.
>
> Cheers,
>
> Matthew

I'd be grateful if someone would point out some examples of SASL
authentication using PHP in the ports. I've searched through the ports,
but had no luck finding any.

-- 
Wager at the Golden Plate Casino!
http://www.landoverbaptist.org/news0502/goldenplate.html
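The hash-and-recompare step Matthew describes (store only a hash of the secret, then rebuild the hash from what the client supplies and see whether it matches, and on success hand the application a verified username), worked as an added Python example. It is not code from the thread or from any of the ports mentioned; Andy's control panel would be in Perl, and the constructed in-memory ACCOUNTS dictionary stands in for the RDBMS, LDAP or SASL database the thread talks about. It also substitutes a salted, iterated PBKDF2-HMAC-SHA256 for the DES/MD5 crypt hashes of the 2004 discussion, since those are no longer adequate for stored passwords; the iteration count is an assumed cost setting.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory account database: username -> (salt, stored hash).
# Assumption: a real control panel keeps this in its RDBMS / LDAP / SASL
# backend; only the salt and the hash are stored, never the plaintext.
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {}

HASH_ITERATIONS = 200_000  # assumed PBKDF2 cost; tune to the server's CPU
SALT_BYTES = 16
# Dummy salt used to spend the same work on unknown usernames, so a probe
# cannot tell "no such user" from "wrong password" by response time.
DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_secret(password: str, salt: bytes) -> bytes:
    """Derive the stored hash from the password and a per-user salt.

    This replaces the DES/MD5 crypt() hash mentioned in the thread with
    PBKDF2-HMAC-SHA256 (salted and iterated, so identical passwords
    produce different hashes and guessing is slowed down).
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, HASH_ITERATIONS
    )


def create_account(username: str, password: str) -> None:
    """Register a user, keeping only salt + hash (the plaintext is discarded)."""
    salt = os.urandom(SALT_BYTES)
    ACCOUNTS[username] = (salt, hash_secret(password, salt))


def authenticate(username: str, password: str) -> Optional[str]:
    """Check the two pieces of information the client sent.

    Returns the verified username on success (this is the identity the
    web scripts use to pick which accounts to show) and None on failure.
    """
    record = ACCOUNTS.get(username)
    if record is None:
        # Unknown user: do the same amount of work, then fail.
        hash_secret(password, DUMMY_SALT)
        return None
    salt, stored = record
    candidate = hash_secret(password, salt)
    # Constant-time comparison of the recomputed hash with the stored one.
    if hmac.compare_digest(candidate, stored):
        return username
    return None


def stored_hash_is_not_plaintext(username: str, password: str) -> bool:
    """Sanity check: the record must not contain the password itself."""
    salt, stored = ACCOUNTS[username]
    return password.encode("utf-8") not in (salt + stored)


if __name__ == "__main__":
    create_account("andy", "correct horse battery staple")
    print(authenticate("andy", "correct horse battery staple"))  # andy
    print(authenticate("andy", "wrong password"))                # None
    print(authenticate("nobody", "anything"))                    # None
```

The returned username, rather than a bare True/False, is what the rest of the panel should key on: once `authenticate` has verified the secret, every later query for mailboxes or web space is selected by that verified name and never by a username the browser merely claimed.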