7.2 User Lookups
7.2.3 Program Authentication and Streaming
With the Program User Lookup method, CanIt-Domain-PRO invokes an external program to authenticate users and map addresses to streams. If you select Program as your User Lookup type, the Program User Lookup Wizard appears:
Figure 7.6: Program User Lookup

To configure the Program User Lookup:
• Enter the full path to your “account-info” script. This is an executable script or program that you must supply. The path you supply must be an absolute path name. If you are running a CanIt-Domain-PRO cluster, this script must exist (and be identical!) on all scanning servers and the Web server. Because CanIt-Domain-PRO runs this program to decide who may log in and where mail is streamed, protect it like any other authentication component: it must not be writable by unprivileged users.
• If you would like to strip the domain name from the login name before attempting authentication, set the “Strip domain name” setting to Yes. If someone logs in to CanIt-Domain-PRO as [email protected] and this setting is Yes, then the username passed to the program is simply user. The home stream, however, is normally [email protected].
• If you would like to strip the domain name from the home stream, set “Strip domain name from home stream after authentication?” to Yes. This means that if someone logs in as [email protected], her home stream will be user.
• If you would like to cache stream lookups, set “Cache stream lookups in database?” to Yes. We strongly recommend enabling caching.
How the Program User Lookup is Invoked
• For authentication, the program is invoked as follows:

    /path/to/script --authenticate

The program is then expected to read two lines from its standard input: the first line is a login name, and the second line is a password. The program must then validate the login name and password, and exit with one of the following exit codes:
– 0 — Authentication was successful.
– 1 — Authentication failed.
• For obtaining user information, the program is invoked as follows:

    /path/to/script --info username

Here, the program is passed the successfully logged-on user name as a command-line argument. It should print a series of key=value lines to its standard output, and exit with an exit status of 0. (The script doesn’t have to produce any output, but it can produce output if you want to pass extra information to CanIt-Domain-PRO.)
The key/value pairs currently used by CanIt-Domain-PRO are:
– home_stream=stream-name — sets the user’s home stream to stream-name instead of his or her login name. One possible use is to convert a login name to all lower-case on systems that permit case-insensitive authentication, so that no matter how the person logs in, she is directed to the same stream.
– groups=group1,group2,...,groupN — when the user logs in, add her to all of the groups listed in the comma-separated list.
– mail=email-address — set the user’s e-mail address to email-address.
• For mapping an e-mail address to a stream, the program is invoked as follows:

    /path/to/script --info-email address

Here, address is an e-mail address that must be streamed. It comes from the SMTP envelope, so the script must treat it as untrusted input and quote it before handing it to a shell or a directory query. The script should write key=value lines to its standard output, and exit with one of the following exit codes:
– 0 — the address exists and was successfully streamed.
– 1 — there was a temporary failure streaming the address. The mail will be tempfailed.
– 67 — the address is not valid. CanIt-Domain-PRO will fail the SMTP RCPT command with a “User unknown” failure code.
If the address was streamed successfully, the script must print the following line to standard output:

    stream=stream-name

This causes address to be mapped to stream-name. If no stream=stream-name line is emitted but the script exits with a zero status, CanIt-Domain-PRO falls back to database lookups, as described in Section 2.5 on page 33.
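The following account-info program implements the three invocations described above in Python. It is an added example, not part of CanIt-Domain-PRO: the in-memory directory, the example.com domain and the users and aliases in it are constructed stand-ins for the LDAP or database lookup a real script would perform. It shows the details the contract leaves to the script author: the password is read from standard input rather than the command line, credentials are compared as salted hashes in constant time so an unknown login is not distinguishable by timing, the home stream is normalised to lower case, an exit status of 0 without a stream= line hands the address back to the database lookups, and an unreachable directory is reported as exit 1 so the recipient is tempfailed instead of rejected.

```python
#!/usr/bin/env python3
"""account-info: added example of the CanIt-Domain-PRO Program User Lookup
contract (--authenticate / --info / --info-email). Not product code; the
directory below is a constructed in-memory stand-in for LDAP or a database."""
import hashlib
import hmac
import sys

EXIT_OK, EXIT_FAIL, EXIT_NO_USER = 0, 1, 67     # exit codes defined by the manual

SERVED_DOMAINS = {"example.com"}   # assumed: domains this script is authoritative for

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# Constructed sample directory keyed by lower-cased login. Passwords are kept
# only as salted PBKDF2 hashes, so a copy of this data does not leak credentials.
_SALT = b"constructed-salt"
DIRECTORY = {
    "alice@example.com": {"pw": _pbkdf2("correct horse", _SALT),
                          "groups": ["users"],
                          "aliases": ["alice.smith@example.com"]},
    "bob@example.com":   {"pw": _pbkdf2("battery staple", _SALT),
                          "groups": ["users", "postmasters"],
                          "aliases": []},
}
# Compared against when the login is unknown, so wrong login and wrong password
# cost the same time (no user-enumeration timing oracle).
_DUMMY_HASH = _pbkdf2("", _SALT)

def authenticate(login: str, password: str, directory=DIRECTORY) -> int:
    """--authenticate: 0 on success, 1 on failure."""
    entry = directory.get(login.strip().lower())
    expected = entry["pw"] if entry else _DUMMY_HASH
    ok = hmac.compare_digest(expected, _pbkdf2(password, _SALT))
    return EXIT_OK if ok and entry else EXIT_FAIL

def _kv(key: str, value: str) -> str:
    # One key=value per line; a directory attribute containing a line break
    # could otherwise inject a second key, so refuse it.
    if "\n" in value or "\r" in value:
        raise ValueError("line break in value of %s" % key)
    return "%s=%s" % (key, value)

def info(login: str, directory=DIRECTORY):
    """--info: returns (exit code, output lines). Always exits 0."""
    canonical = login.strip().lower()
    entry = directory.get(canonical)
    if entry is None:
        return EXIT_OK, []                      # no extras for this user
    return EXIT_OK, [
        _kv("home_stream", canonical),          # same stream whatever the login's case
        _kv("groups", ",".join(entry["groups"])),
        _kv("mail", canonical),
    ]

def info_email(address: str, directory=DIRECTORY):
    """--info-email: returns (exit code, output lines) using the 0 / 1 / 67 codes."""
    if directory is None:                       # backing directory unreachable
        return EXIT_FAIL, []                    # 1: CanIt tempfails the recipient
    addr = address.strip().lower()
    _, sep, domain = addr.rpartition("@")
    if not sep or domain not in SERVED_DOMAINS:
        return EXIT_OK, []                      # not ours: exit 0, no stream= line, DB fallback
    for login, entry in directory.items():
        if addr == login or addr in (a.lower() for a in entry["aliases"]):
            return EXIT_OK, [_kv("stream", login)]
    return EXIT_NO_USER, []                     # 67: RCPT rejected with "User unknown"

def main(argv=None, stdin=None) -> int:
    argv = sys.argv[1:] if argv is None else argv
    stdin = sys.stdin if stdin is None else stdin
    if argv[:1] == ["--authenticate"]:
        # Login on line 1, password on line 2. Strip only the line terminator so
        # a password with leading or trailing blanks survives intact.
        login = stdin.readline().rstrip("\r\n")
        password = stdin.readline().rstrip("\r\n")
        return authenticate(login, password)
    if len(argv) == 2 and argv[0] in ("--info", "--info-email"):
        code, lines = (info if argv[0] == "--info" else info_email)(argv[1])
        for line in lines:
            print(line)
        return code
    return EXIT_FAIL                            # unknown mode

if __name__ == "__main__":
    sys.exit(main())
```

Install it at an absolute path on every scanning server and the Web server, then exercise each mode by hand before pointing the wizard at it: printf 'alice@example.com\ncorrect horse\n' | /path/to/account-info --authenticate; echo $? should print 0, and /path/to/account-info --info-email ghost@example.com should print nothing and exit 67.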
Sample Program for the Program User Lookup Method
The following is a very simple Bourne shell script illustrating how the Program User Lookup method works. Real scripts would obviously be more complex and probably written in a more appropriate language like Perl.
    #!/bin/sh

    do_auth () {
        read -r user
        read -r pass
        # In reality, we would do a directory lookup against LDAP or similar
        if [ "$user" = "foo" ] && [ "$pass" = "bar" ]; then
            exit 0
        fi
        exit 1
    }

    do_info () {
        user="$1"
        # In reality, we would do a directory lookup against LDAP or similar
        if [ "$user" = "foo" ]; then
            echo "home_stream=foobar"
            echo "[email protected]"
        fi
        exit 0
    }

    do_info_email () {
        email="$1"
        # In reality, we would do a directory lookup against LDAP or similar
        if [ "$email" = "[email protected]" ]; then
            echo "stream=foobar-stream"
        fi
        if [ "$email" = "[email protected]" ]; then
            # No such user
            exit 67
        fi
        exit 0
    }

    # Main program
    case "$1" in
        --authenticate) do_auth ;;
        --info)         do_info "$2" ;;
        --info-email)   do_info_email "$2" ;;
        *)              exit 1 ;;
    esac