auth external/internal issue

Hi..

I've run into an issue (not exactly a bug) with the rc1 release.

I have 1 virtual host set up with external auth (the script accesses a MySQL db).

The actual db is still mnesia. The problem I have is best explained by the following scenario:

* I log in with a user that exists in the mysql db. This works perfectly.
* I create a couple of shared roster groups: 'everybody', 'admins'.
  'everybody' specifies @all@, displays 'admins' group
  'admins' has a couple of users
* By specifying auth external, users are never actually registered with the mnesia db.
If I try to register a user via the web admin or ejabberdctl (extra), it just complains that they're already registered
(presumably it's doing an auth request before).
This means that @all@ (which is a list of registered users) is always empty, which means I can't use it as an option.

So, a couple of problematic solutions I have thought of:

1. Use auth internal. When I create a user in my mysql db, call a script to register the user on the jabber server.

Problem: I have a web app and when people log in I log them in (via http-bind) to the jabber server. Since I don't have their password, I use an autogenerated token as the password which my auth external script recognizes and authorizes. If I now use auth internal, I can no longer do this.

2. Create two separate hosts: jabber.example.com (main host - auth external), jabberreg.example.com (auth internal)
I use jabber.example.com as the main host (people/web log in to this). I use jabberreg.example.com to register new users via a script.

Problem: These two hosts hold completely different user DBs, so it doesn't make much sense, i.e. any users you add to one aren't reflected in the other. What I'd really need is for jabberreg.example.org to be an alias of jabber.example.org but which allows for auth internal.

As you can see I don't have a satisfactory solution for this problem.
Any ideas?

Sorry for the long post.

Can somebody please correct

Can somebody please correct me if I'm wrong with the following statement:

* If using external authentication, you can't register a new user with the mnesia db.

I did some experiments trying to register a user on a virtual host using an external script. When using PSI to register a user, the only method called is 'isuser' so:

1. I modified the script to return false for isuser. => When the jabber client tries to register the user, the server returns a 'conflict' i.e. that the user is already registered.

2. I modified the script to return false for isuser. => When the jabber client tries to register the user, the server returns a 'Not Allowed'(The recipient or server does not allow any entity to perform that action) even though I have {access, register, [{allow, all}]}.

So I'm a bit stuck. I need to use an external script as I need to be able to authenticate users via the password they used when they signed up, or via a generated token for people who signed up via OpenID (or whom I'm logging in transparently to the jabber server). If I use an external script, then I can't use shared roster groups (@all@) as users are never actually registered in the mnesia db.

Can anyone see a possible solution to this problem?

Many thanks,

Saimon

[SOLVED] With patch

So I got my hands dirty for a while and here's the result.

I patched (http://pastie.caboo.se/pastes/148772) ejabberd_auth_external.erl and extauth.erl to:

* continue proxying check_password/is_user_exists to the external script
* add try_register, which performs the same action as auth_internal (i.e. registers the user with mnesia) AND proxies to the external script.
* add the rest of the code from auth_internal

This means that:

When registering a new user:

* ejabberd proxies directly to external script which receives 'isuser' command (should return false) (I use a jabber_registered_at column in my db table)

* ejabberd 'registers' with mnesia (performs the same code as in auth_internal) AND sends the external script a 'tryregister' command. (My script then authenticates the user and updates the jabber_registered_at column.)

* subsequent isuser and auth attempts are all proxied to the external script.

* commands like remove_user, get_vh_registered_users now just do what they do in auth_internal.

This way I get the best of both authentication schemes. I think this should probably be put in its own scheme (perhaps ejabberd_auth_external_db_internal.erl? Thoughts?) rather than a patch, but it's working beautifully for me right now.

While I'm here can anyone tell me a quick way to recompile an erlang src file and dynamically load it into the server (other than 'ejabberdctl compile' which didn't seem to work)?

Regards,

Saimon
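The external script side of the flow described in this thread (the 'isuser' probe that must return false for unregistered users, 'tryregister' that authenticates and stamps a jabber_registered_at column, and 'auth' accepting either the signup password or a generated token), written out as an added example. This is not Saimon's script or part of the patch; it speaks the ejabberd extauth wire format (2-byte big-endian length prefix, then colon-separated `op:user:server:password`; reply is a 2-byte length of 2 followed by a 16-bit 0 or 1). The in-memory `make_sample_db()` table stands in for the MySQL table and its users, passwords and tokens are constructed for the example; the column name `jabber_registered_at` is the one from the post.

```python
import hashlib
import hmac
import struct
import sys
from datetime import datetime, timezone

PBKDF2_ROUNDS = 50_000  # assumption for the example; production would use more


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_sample_db():
    """Constructed stand-in for the MySQL user table. Keys are (user, vhost).
    'token' models the autogenerated login token from the thread; 'jabber_registered_at'
    is None until ejabberd has sent a successful 'tryregister' for that account."""
    salt_a, salt_b = b"salt-alice", b"salt-bob"
    return {
        ("alice", "jabber.example.com"): {
            "salt": salt_a, "pw_hash": _hash_pw("s3cret", salt_a),
            "token": "tok-alice-0001", "jabber_registered_at": None},
        ("bob", "jabber.example.com"): {
            "salt": salt_b, "pw_hash": _hash_pw("hunter2", salt_b),
            "token": None, "jabber_registered_at": "2008-01-01T00:00:00+00:00"},
    }


def decode_request(payload: bytes):
    """Split 'op:user:server[:password]' into four fields. The password is the last
    field, so a limited split keeps any colons it contains."""
    parts = payload.decode("utf-8").split(":", 3)
    parts += [""] * (4 - len(parts))
    return tuple(parts)


def encode_response(ok: bool) -> bytes:
    # Reply is always a 2-byte length (value 2) followed by a 16-bit 0/1 result.
    return struct.pack(">HH", 2, 1 if ok else 0)


def _credential_ok(rec, password: str) -> bool:
    # Accept the signup password or the web-login token; compare in constant time.
    pw_match = hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw_hash"])
    tok = rec["token"]
    tok_match = tok is not None and hmac.compare_digest(tok.encode(), password.encode())
    return pw_match or tok_match


def handle(op: str, user: str, server: str, password: str, db, now=None) -> bool:
    rec = db.get((user, server))
    if rec is None:
        return False  # unknown account: every operation fails
    if op == "isuser":
        # Must be False until registered, or ejabberd answers 'conflict' on register.
        return rec["jabber_registered_at"] is not None
    if op == "auth":
        return _credential_ok(rec, password)
    if op == "tryregister":
        if rec["jabber_registered_at"] is not None or not _credential_ok(rec, password):
            return False
        rec["jabber_registered_at"] = (now or datetime.now(timezone.utc)).isoformat()
        return True
    return False  # setpass, removeuser, etc. are not supported here


def read_request(stream):
    """Read one length-prefixed request; None at EOF."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    return stream.read(length)


def serve(stdin=None, stdout=None, db=None):
    stdin = stdin or sys.stdin.buffer
    stdout = stdout or sys.stdout.buffer
    db = db if db is not None else make_sample_db()
    while (payload := read_request(stdin)) is not None:
        op, user, server, password = decode_request(payload)
        stdout.write(encode_response(handle(op, user, server, password, db)))
        stdout.flush()


if __name__ == "__main__":
    serve()  # ejabberd would spawn this script and talk over stdin/stdout
```

Configured as the extauth program for the vhost, the script keeps the 'isuser' answer tied to the registration column rather than to account existence, which is exactly what lets ejabberd proceed to the mnesia registration and then the 'tryregister' call described in the post.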

Patch stored and promoted

saimonmoore wrote:

I patched ( http://pastie.caboo.se/pastes/148772 )

I've created a page to publicize your patch, and stored a copy of your patch on the webserver:
Authenticating Against a Mixed Internal/External

saimonmoore wrote:

While I'm here can anyone tell me a quick way to recompile an erlang src file and dynamically load it into the server (other than 'ejabberdctl compile' which didn't seem to work)?

Put all the source files in ejabberd src/ directory. Then compile and install as usual. Instead of restarting ejabberd, you can tell it to update the modified binary files: in Web Admin -> Nodes -> your node -> Update -> it should show the modified files, so click Update and good luck :)
