October 8, 2021 11:34 PM, "aisha" <openbsd.t...@aisha.cc> wrote:

> Hi all,
> I am still working on the table-procexec for opensmtpd
> and while there, I was thinking of how to do authentication
> using LDAP, which the current table-ldap from ports does not
> support.
> The primary reason for that, I believe, is that LDAP
> authentication should be done by bind and not by returning
> the userPassword and us doing the authentication with
> crypt_checkpass. That kind of defeats one of the uses of LDAP.
> 
> Here I've added a patch which pushes the authentication step
> to the table backend and it only returns the final AUTH/NOAUTH
> kind of values.
> 
> While here, I also made another small change with mailaddrmap,
> where instead of returning ALL possible aliases that a user
> may use, we now pass the current mailaddr to the table, so
> it can now return a smaller set of addresses.
> 
> It should not affect any workflow, so testing from others
> would be appreciated.
> 
> Cheers,
> Aisha
> 


Hello,

I understand what you're trying to achieve but I don't think this is
the right way to achieve that.

First, the lookup operation is a key-value mapping returning a value
that the daemon gets to decide what to do with. You're trying to fit
K_CREDENTIALS in it but it doesn't work that way: it takes a key and
an additional parameter (the password) so the table can do something
with it and return a decision. This is why your diff has lookup take
a parameter that's used by none of the lookups, except K_CREDENTIALS,
which is handled as a particular case.

I think the proper way to implement this is to have a low-level operation
that is specifically meant to take a key and a parameter, then let the table
do whatever it wants and return a boolean.


Then I don't think this should be done before proc-exec because it's
much easier than breaking the current API.
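
To make the distinction between the two operations concrete, here is an added illustration. It is not code from the thread or from OpenSMTPD: the class names, the "credentials" service name, the daemon-side fallback policy, the constructed directory contents and the PBKDF2 scheme standing in for crypt_checkpass(3) are all assumptions chosen for the example. `lookup()` stays a pure key -> value mapping whose result the daemon interprets; `check()` is the separate key + parameter -> boolean operation that lets an LDAP-style backend authenticate by bind without ever handing userPassword back to the daemon.

```python
"""Two table operations side by side: key/value lookup vs. key+parameter check.

Added example, not OpenSMTPD code. Names, the "credentials" service and the
hashing scheme are assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash, standing in for crypt_newhash(3) in this example."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "$pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a stored hash, standing in for crypt_checkpass(3)."""
    try:
        _, scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    salt = bytes.fromhex(salt_hex)
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(expected.hex(), digest_hex)


class FileTable:
    """Classic key/value table: a credentials lookup returns "user:hash"."""

    def __init__(self, rows: dict):
        self.rows = rows  # constructed: {service: {key: value}}

    def lookup(self, service: str, key: str) -> Optional[str]:
        return self.rows.get(service, {}).get(key)

    def check(self, service: str, key: str, param: str) -> Optional[bool]:
        # This backend makes no decision of its own; None tells the daemon
        # to fall back to lookup() and verify the hash itself.
        return None


class LdapTable:
    """LDAP-style backend: authenticates by bind, never exposes userPassword."""

    def __init__(self, directory: dict):
        # Constructed stand-in for the directory ({dn: password}); a real
        # backend would hold a connection and issue an LDAP bind request.
        self._directory = directory

    def _bind(self, dn: str, password: str) -> bool:
        secret = self._directory.get(dn)
        if secret is None:
            return False
        return hmac.compare_digest(secret.encode(), password.encode())

    def lookup(self, service: str, key: str) -> Optional[str]:
        # Only the credentials service is modelled here, and for it there is
        # deliberately nothing to return: the hash is not ours to hand out.
        return None

    def check(self, service: str, key: str, param: str) -> Optional[bool]:
        if service != "credentials":
            return None
        dn = f"uid={key},ou=people,dc=example,dc=org"  # assumed DN layout
        return self._bind(dn, param)


def authenticate(table, user: str, password: str) -> bool:
    """Daemon side: ask the table for a decision first, else decide ourselves."""
    decision = table.check("credentials", user, password)
    if decision is not None:
        return decision
    value = table.lookup("credentials", user)
    if value is None:
        return False
    name, _, stored = value.partition(":")
    return name == user and verify_password(password, stored)
```

The daemon never passes the password into `lookup()`; only `check()` sees it, and a backend that cannot decide returns None so the fallback is explicit rather than a special case inside the lookup path.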
