Previous | Next | Contents | Index |
PMDF supports fetching "auxiliary properties", that is, per-user attributes, during the user authentication process since under some circumstances this can be the most efficient approach. A primary use for this facility is to associate an e-mail address with an authenticated user during SMTP AUTH processing.
A SASL authentication source can provide values for attributes, or a separate auxiliary properties module can provide values for attributes.
A RULESET security ruleset definition can include:
AUXPROP_ENABLE=auxprop-module-name,... |
AUXPROP_ENABLE=+auxprop-module-name,... |
auxprop-module-name
would be defined in a
PROP_SOURCE section of the form
[PROP_SOURCE=auxprop-module-name] IMAGE=unix-path-or-openvms-logical-or-nt-dll FUNCTION=entry-point |
FUNCTION
option can be omitted if the entry point is
called sasl_auxprop_init
. Contact Process Software for
information on the API for writing site-supplied auxiliary property
modules; note that the API is currently subject to change.
Normally, the auxiliary properties modules are called in order to fill
in any attributes they support which haven't already been filled in
automatically by an authentication source. An initial plus character,
+
, as the first character of the
AUXPROP_ENABLE
option value causes an auxiliary properties
module to override values for properties from a previous auxiliary
properties module or authentication source.
The supplied pre-defined auxiliary properties modules are:
Note that these modules are designed to do nothing if the caller didn't ask for the appropriate properties. Currently, the auxiliary property of main interest is an "authenticated" e-mail address; for instance, the PMDF SMTP server will ask for the "SASL_AUX_MAILADDR" property (used if theMSGSTORE
Determine the e-mail address if a PMDF user profile (PMDF MessageStore or PMDF popstore profile) for the user exists and has a store type of popstore or msgstore.PASSWD (UNIX only)
Look up attributes via thegetpwnam
API.LOCALMAIL
Determine the local e-mail address for a user by looking up the local channel official host name and glueing that onto the user name. However, if the ruleset being applied has theMAIL_DOMAIN
option set to a different domain, then that other domain will instead be used to glue onto the user name. Thus if
is set, this means that if user
MAIL_DOMAIN=domainchris
authenticates using that security ruleset, then his email address ischris@domain
rather thanchris@local-channel-domain
. As this is implemented by the LOCALMAIL auxiliary properties module, it doesn't override the behavior of the MSGSTORE auxiliary properties module.DEFAULT
This is the default, and is equivalent on UNIX to having
or on OpenVMS or NT systems to having
AUXPROP_ENABLE=MSGSTORE,PASSWD,LOCALMAIL
set in the ruleset being applied. Note that an initial plus character,
AUXPROP_ENABLE=MSGSTORE,LOCALMAIL+
, has no effect in front of DEFAULT.
authrewrite
keyword is present on the incoming TCP/IP
channel). And the MSGSTORE and LOCALMAIL auxiliary properties modules
supply such a property.
A PROP_SOURCE section need not be present in the security configuration file for the above pre-defined auxiliary properties module, unless it is desired to modify some portion of the modules usual operation. But site-supplied auxiliary property modules must be established via a PROP_SOURCE definition.
When the MSGSTORE authentication source is used, its auxiliary properties behavior is automatically that of the MSGSTORE auxiliary properties module. When the PASSDB or SYSTEM authentication sources are used, their auxiliary properties behavior is automatically that of the LOCALMAIL auxiliary properties module.
Previous | Next | Contents | Index |