October 11, 2021 4:44 PM, gil...@poolp.org wrote:

> October 8, 2021 11:34 PM, "aisha" <openbsd.t...@aisha.cc> wrote:
> 
>> Hi all,
>> I am still working on the table-procexec for opensmtpd
>> and while there, I was thinking of how to do authentication
>> using LDAP, which the current table-ldap from ports does not
>> support.
>> The primary reason for that, I believe, is that LDAP
>> authentication should be done by bind and not by returning
>> the userPassword and us doing the authentication with
>> crypt_checkpass. That kind of defeats one of the uses of LDAP.
>> 
>> Here I've added a patch which pushes the authentication step
>> to the table backend and it only returns the final AUTH/NOAUTH
>> kind of values.
>> 
>> While here, I also made another small change with mailaddrmap,
>> where instead of returning ALL possible aliases that a user
>> may use, we now pass the current mailaddr to the table, so
>> it can now return a smaller set of addresses.
>> 
>> It should not affect any workflow, so testing from others
>> would be appreciated.
>> 
>> Cheers,
>> Aisha
> 
> Hello,
> 
> I understand what you're trying to achieve but I don't think this is
> the right way to achieve that.
> 
> First, the lookup operation is a key-value mapping returning a value
> that the daemon gets to decide what to do with. You're trying to fit
> K_CREDENTIALS in it but it doesn't work that way: it takes a key and
> an additional parameter (the password) so the table can do something
> with it and return a decision. This is why your diff has lookup take
> a parameter that's used by none of the lookups, except K_CREDENTIALS
> which is handled as a particular case.
> 
> I think the proper way to implement this is to have a low level operation
> that is specifically meant to take a key, a parameter then let table
> do whatever it wants and return a boolean.
> 

Today, there's:

    int
    table_match(struct table *table, enum table_service kind, const char *key)

that's used to attempt matching a key in a table assumed to hold a list:

    match from src <ip_addresses> [...]


Maybe this should be extended similarly to this:

    int
    table_match(struct table *table, enum table_service kind, const char *key, const char *value)


K_SOURCE match on a list, key is not set:

    table_match(table, K_SOURCE, NULL, "192.168.0.1");


K_CREDENTIALS match on a mapping, key is used to resolve:

    table_match(table, K_CREDENTIALS, "gilles", "ilovecandies");


This is just an idea, but I still think this should be done
after proc-exec :-)

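An added illustration (not OpenSMTPD code) of the extended `table_match(table, kind, key, value)` shape sketched above, using a hypothetical in-memory table; the constant-time string compare stands in for whatever the real backend would do (crypt_checkpass() or an LDAP bind), and the "aisha"/"s3cret" entry is constructed sample data:

```c
/* Hypothetical in-memory stand-in for OpenSMTPD's table backends that
 * shows the table_match(table, kind, key, value) shape proposed above.
 * ct_streq() stands in for crypt_checkpass() or an LDAP bind. */
#include <stddef.h>
#include <string.h>
enum table_service { K_SOURCE, K_CREDENTIALS };
struct entry { const char *key; const char *value; };
/* A list has values only (key NULL); a mapping has key and value. */
struct table { const struct entry *entries; size_t n; };
/* Constructed sample data: one source list, one credentials mapping. */
static const struct entry src_list[] = {{NULL, "192.168.0.1"}, {NULL, "10.0.0.5"}};
static const struct entry cred_map[] = {{"gilles", "ilovecandies"}, {"aisha", "s3cret"}};
const struct table src_table = {src_list, 2};
const struct table cred_table = {cred_map, 2};
/* Compare without leaking where the strings differ through timing. */
static int
ct_streq(const char *a, const char *b)
{
    size_t i, la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
/* 1 on match, 0 on no match, -1 on misuse. The daemon only ever sees
 * the boolean; the stored secret never leaves the backend. */
int
table_match(const struct table *t, enum table_service kind,
    const char *key, const char *value)
{
    size_t i;
    if (value == NULL)
        return -1;
    switch (kind) {
    case K_SOURCE:      /* list: membership test on value, key unused */
        for (i = 0; i < t->n; i++)
            if (strcmp(t->entries[i].value, value) == 0)
                return 1;
        return 0;
    case K_CREDENTIALS: /* mapping: key resolves, backend verifies */
        if (key == NULL)
            return -1;
        for (i = 0; i < t->n; i++)
            if (strcmp(t->entries[i].key, key) == 0)
                return ct_streq(t->entries[i].value, value);
        return 0;
    }
    return -1;
}
```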