October 11, 2021 4:44 PM, gil...@poolp.org wrote:

> October 8, 2021 11:34 PM, "aisha" <openbsd.t...@aisha.cc> wrote:
>
>> Hi all,
>> I am still working on the table-procexec for opensmtpd
>> and while there, I was thinking of how to do authentication
>> using LDAP, which the current table-ldap from ports does not
>> support.
>> The primary reason for that, I believe, is that LDAP
>> authentication should be done by bind and not by returning
>> the userPassword and us doing the authentication with
>> crypt_checkpass. That kind of defeats one of the uses of LDAP.
>>
>> Here I've added a patch which pushes the authentication step
>> to the table backend and it only returns the final AUTH/NOAUTH
>> kind of values.
>>
>> While here, I also made another small change with mailaddrmap,
>> where instead of returning ALL possible aliases that a user
>> may use, we now pass the current mailaddr to the table, so
>> it can now return a smaller set of addresses.
>>
>> It should not affect any workflow, so testing from others
>> would be appreciated.
>>
>> Cheers,
>> Aisha
>
> Hello,
>
> I understand what you're trying to achieve but I don't think this is
> the right way to achieve that.
>
> First, the lookup operation is a key-value mapping returning a value
> that the daemon gets to decide what to do with. You're trying to fit
> K_CREDENTIALS in it but it doesn't work that way: it takes a key and
> an additional parameter (the password) so the table can do something
> with it and return a decision. This is why your diff has lookup take
> a parameter that's used by none of the lookups, except K_CREDENTIALS
> which is handled as a particular case.
>
> I think the proper way to implement it is to have a low level operation
> that is specifically meant to take a key and a parameter, then let the
> table do whatever it wants and return a boolean.
>
Today, there's:

    int table_match(struct table *table, enum table_service kind, const char *key)

that's used to attempt matching a key in a table assumed to hold a list:

    match from src <ip_addresses> [...]

Maybe this should be extended similarly to this:

    int table_match(struct table *table, enum table_service kind, const char *key, const char *value)

K_SOURCE match on a list, key is not set:

    table_match(table, K_SOURCE, NULL, "192.168.0.1");

K_CREDENTIALS match on a mapping, key is used to resolve:

    table_match(table, K_CREDENTIALS, "gilles", "ilovecandies");

This is just an idea, but I still think this should be done after proc-exec :-)
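A sketch of the extended four-argument table_match() proposed in the message above, added here as an example; it is not OpenSMTPD code nor a patch from the thread. The struct table layout, the match_list/check callbacks, the in-memory directory and the source list are constructed stand-ins, and directory_bind stands in for the LDAP bind the thread argues the backend should perform, so the daemon only ever sees a boolean.

```c
#include <stddef.h>
#include <string.h>
/* Sketch of the proposed table_match(): key and value go in, the backend decides, a boolean comes back. */
enum table_service { K_SOURCE, K_CREDENTIALS };
struct table {
    int (*match_list)(const char *value);              /* list-style tables */
    int (*check)(const char *key, const char *value);  /* mapping-style tables */
};
/* Constructed stand-in for an LDAP directory; a real backend would bind
 * against the server here instead of comparing secrets locally. */
struct entry { const char *user; const char *secret; };
static const struct entry directory[] = { { "gilles", "ilovecandies" }, { "aisha", "procexec" } };
/* length-independent comparison so a wrong guess does not leak how wrong it was */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
/* the backend's own check: resolve the key, verify the value, answer AUTH/NOAUTH */
static int directory_bind(const char *key, const char *value) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].user, key) == 0)
            return ct_equal(directory[i].secret, value);
    return 0;   /* unknown user gets the same answer as a bad password */
}
/* list-style table, as for "match from src <ip_addresses>" (constructed entries) */
static int source_list(const char *value) {
    static const char *allowed[] = { "192.168.0.1", "10.0.0.5" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(allowed[i], value) == 0)
            return 1;
    return 0;
}
int table_match(struct table *table, enum table_service kind,
                const char *key, const char *value) {
    if (table == NULL || value == NULL) return 0;
    switch (kind) {
    case K_SOURCE:       /* list: key is not set, value is the candidate */
        return table->match_list != NULL && table->match_list(value);
    case K_CREDENTIALS:  /* mapping: key is resolved, backend checks the value */
        return key != NULL && table->check != NULL && table->check(key, value);
    default:
        return 0;
    }
}
struct table src_table  = { source_list, NULL };
struct table ldap_table = { NULL, directory_bind };
```

Because the credential check runs inside the backend, swapping directory_bind for a real LDAP bind changes nothing in the daemon-side dispatch.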