dnsauth plugin


Oliveiros Neto

Jul 21, 2023, 8:37:58 AM
to e2guardian
I looked in several places for documentation regarding the operation of the dnsauth authentication plugin and I would like someone to explain or guide me on how it works. Can anybody help me?

Oliveiros Neto

Jul 28, 2023, 7:46:27 AM
to e2guardian
e2guardian is a good tool, but documents are missing. A simple unanswered question.

Philip Pearce

Jul 31, 2023, 5:15:33 AM
to Oliveiros Neto, e2guardian
Hi,    

My responses to this group have to be fitted into any spare time I have from the work I'm actually paid for, and so it can be a while before I am able to respond.

In order to answer I have had to look at the code for the detail. 

The dnsauth authentication plug-in was developed so that the authentication process can be separated from the open source code and also to make use of the distributed database that is DNS to facilitate the look up of user and group information on an array of e2guardian servers. This separation is required as the authentication system may have to use closed-source code in order to access the information required.

Basically, dnsauth allows e2g to look up the user and group information based on the client IP.  

This is achieved by creating a private domain which is only accessible by the authentication service and the e2g system(s) involved. For example, my.privatedomain.

After authenticating the user by some means, the authentication service inserts a TXT record in DNS with the name (for example, for the client IP address 192.168.34.1) of 192-168-34-1.my.privatedomain, which contains 'user_name,group_number,timestamp', e.g. 'phi...@e2guardian.org,4,12345678'. e2g then looks this record up in order to set the user_name and group. The 'timestamp' field is ignored by e2g. If the record does not exist and the dnsauth.conf setting 'redirect_to_auth' is 'yes', the user is redirected to the web authentication page defined in the 'authurl' setting; if 'no', then any other auth methods will be tried, and if they all fail then the default group will be applied.

It is the responsibility of the authentication service to remove stale entries to ensure that the correct user and filter group is applied. Also the TTL of the DNS record should be kept short (say 15 secs) to avoid stale records being applied.

As the authentication service is supplied by the e2g implementer, this gives a great deal of flexibility on methods of authentication and on the logic of how the group is determined.

Regards
Philip
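
The record layout described in the message above, as an added example that is not part of the original post and is not e2guardian code. The function names, the IPv4-only handling and the sample user are assumptions made for illustration; the parser models the format as described, not e2guardian's own parsing.

```python
import ipaddress

BASE_DOMAIN = "my.privatedomain"  # private domain name used in the post
MAX_TTL = 15                      # seconds; the "say 15 secs" suggested in the post

def record_name(client_ip, base_domain=BASE_DOMAIN):
    """192.168.34.1 -> 192-168-34-1.my.privatedomain (IPv4 only: an assumption)."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on anything else
    return str(ip).replace(".", "-") + "." + base_domain

def txt_value(user, group, timestamp):
    """Build the 'user_name,group_number,timestamp' payload the service publishes."""
    if not user or "," in user or '"' in user:
        raise ValueError("user name must be non-empty, without comma or quote")
    if int(group) < 0:
        raise ValueError("group number must not be negative")
    return "%s,%d,%d" % (user, int(group), int(timestamp))

def parse_txt(value):
    """Read the payload as the post describes: user and group, timestamp ignored."""
    parts = value.strip('"').split(",")
    if len(parts) != 3:
        raise ValueError("expected user_name,group_number,timestamp")
    user, group, _timestamp = parts
    if not user or not group.isdigit():
        raise ValueError("empty user name or non-numeric group")
    return user, int(group)

def audit_record(name, ttl, value, base_domain=BASE_DOMAIN):
    """Return the problems found in one published record (empty list = fine)."""
    problems = []
    label, _, domain = name.rstrip(".").partition(".")
    if domain != base_domain:
        problems.append("name is outside " + base_domain)
    try:
        ipaddress.IPv4Address(label.replace("-", "."))
    except ValueError:
        problems.append("first label is not a dashed IPv4 address")
    if ttl > MAX_TTL:
        problems.append("TTL %d s exceeds %d s" % (ttl, MAX_TTL))
    try:
        parse_txt(value)
    except ValueError as exc:
        problems.append(str(exc))
    return problems

if __name__ == "__main__":
    name = record_name("192.168.34.1")                    # constructed sample values
    value = txt_value("alice@example.org", 4, 12345678)
    print(name, value, parse_txt(value), audit_record(name + ".", 300, value))
```
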

Oliveiros Peixoto

Aug 3, 2023, 4:12:21 PM
to e2gua...@googlegroups.com
Sorry for the inconvenience!!
Thanks for the explanation. After this, dnsauth works for me, and congratulations on your great work!!

On Jul 31, 2023, at 06:15, Philip Pearce <philip...@e2bn.org> wrote:



JHONATAN ANDRES RENDON CARMONA

Oct 11, 2023, 9:50:34 PM
to e2guardian
Hello everyone

I am trying to configure the dnsauth plugin in e2 5.5.3, as indicated by Philip, but when I activate the plugin and restart the service I get the following error: auth_plugin_load() returned NULL pointer with config file: /etc/ e2guardian/authplugins/dnsauth.conf. Is there anything additional I need to configure?

Oliveiros Peixoto

Oct 12, 2023, 1:10:39 AM
to JHONATAN ANDRES RENDON CARMONA, e2guardian
Hi!!
Paste the content of /etc/ e2guardian/authplugins/dnsauth.conf

> On Oct 11, 2023, at 22:50, JHONATAN ANDRES RENDON CARMONA <jhonata...@gmail.com> wrote:
>
> /etc/ e2guardian/authplugins/dnsauth.conf

JHONATAN ANDRES RENDON CARMONA

Oct 12, 2023, 7:48:55 AM
to e2guardian
Hi!

This is the content of the file:

# IP/DNS-based auth plugin
#
# Obtains user and group from domain entry maintained by separate authentication
# program.

plugname = 'dnsauth'

# ports - restrict this plugin to these portsthis applies too i
# - default is blank =  no restriction - applies to all ports
#ports = 8081,8082

# Base DNS domain
basedomain = "e2guardian.domain.com"

# Authentication URL
authurl = "http://192.168.1.3/auth/login/login.pl?url"

# Prefix for auth URLs
prefix_auth = "http://192.168.1.3/auth/"

# Redirect to auth (i.e. log-in)
#  yes - redirects to authurl to login
#  no - drops through to next auth plugin
redirect_to_auth = "yes"

To clarify, the login URL still does not work; I just wanted to test the DNS part, for which I do have the TXT record:

;; ANSWER SECTION:
192-168-35-251.e2guardian.domain.com. 845 IN TXT "ped...@e2guardian.domain.com,3,1234567"

Thank you
