
How to get the client IP for authentication purposes in an external auth script?

Open joe-average-user opened this issue 9 months ago • 7 comments

Hello all,

for lack of a better way of communication I try this one :-) I'd like to make an external authentication script like those published on the website. But reading the ones already there I see no option to get the client ip in such a script. Can anyone capable please elaborate on how to do that? Thank you!

Regards

joe-average-user avatar May 07 '24 02:05 joe-average-user

> for lack of a better way of communication I try this one :-)

There's the [email protected] room, for example.

> I'd like to make an external authentication script like those published on the website. But reading the ones already there I see no option to get the client ip in such a script. Can anyone capable please elaborate on how to do that?

This would require an ejabberd patch for passing the IP address to the authentication script. I need that myself and could give you my local commit if you happen to build ejabberd from source.

weiss avatar May 07 '24 07:05 weiss

Hello,

thank you for your immediate reaction. It would be great to have your commit! And please add a short info on what version to apply best, as I am doing this on a productive platform. I am building it on Arch Linux. Thanks again!

-- Regards

joe-average-user avatar May 07 '24 08:05 joe-average-user

Hello @weiss,

Do you think we could have a patch that is backward compliant with older versions of the script for people that use it in production already?

mremond avatar May 14 '24 14:05 mremond

> It would be great to have your commit!

It's currently used with a very old ejabberd version and it's based on other local commits, but I had a quick go at rebasing it onto ejabberd 24.02:

https://github.com/weiss/ejabberd/tree/feature/extauth-ip

I did not yet get around to testing this version (beyond "it compiles"), sorry.

> Do you think we could have a patch that is backward compliant with older version of the script

I think this would require a new ejabberd option to specify the extauth format/version.

weiss avatar May 14 '24 15:05 weiss

Hello again, we made further tests and seem to have included your patch into ejabberd 23.10. Now some questions arise, mainly from and around checking the system.

  • Is there an ejabberdctl command which allows one to feed an example IP so one can see it comes out at the script?
  • Is there a way to reduce the number of spawned scripts? For 100 domains ejabberd spawns 100 scripts that just sit around most of the time. Sure, they are all "parked" in a stdin read, but still the whole idea to make a script pool for every hosted domain is ... oversized?
  • I am not all that fond of the way the data is handed over on stdin. It effectively prevents using a shell script as there seems no way to read a binary 2-byte length from stdin and then the corresponding command string. Sure this works in a lot of script languages, but why it cannot be a plain and simple null-terminated string is at least unclear.
  • The dev example python script does not work at exactly this position because actual python3 cannot sys.stdin.read(2), but needs sys.stdin.buffer.read(2), same for output string. So even the demo code falls over this weird construct.

Nevertheless many thanks for helping out with the extauth-ip patch!

-- Regards

joe-average-user avatar Jun 27 '24 17:06 joe-average-user
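
The framing discussed in the comment above (a binary 2-byte length followed by the command string, read through `sys.stdin.buffer` on Python 3), as an added example that is not part of the thread or of ejabberd's own scripts. The `USERS` store is constructed, the reply format and the `auth`/`isuser` command layout follow ejabberd's stock extauth protocol, and the thread does not say where the patched branch places the client IP, so the example does not parse it.

```python
import hmac
import struct
import sys

# Constructed sample credential store, for this example only.
USERS = {("alice", "example.org"): "s3cret:with:colons"}

def read_frame(stream):
    """Read one length-prefixed request; None on EOF or a truncated frame."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (size,) = struct.unpack(">H", header)  # big-endian unsigned 16-bit length
    payload = stream.read(size)
    if len(payload) < size:
        return None
    return payload

def write_result(stream, ok):
    """Reply with a 2-byte length (always 2) and a 2-byte result, 1 or 0."""
    stream.write(struct.pack(">HH", 2, 1 if ok else 0))
    stream.flush()

def handle(payload):
    """Decide one request; malformed or unknown commands are refused."""
    try:
        # Split at most three times so colons inside the password survive.
        op, user, server, *rest = payload.decode("utf-8").split(":", 3)
    except (UnicodeDecodeError, ValueError):
        return False
    if op == "auth" and rest:
        stored = USERS.get((user, server))
        # Constant-time comparison of the stored and presented password.
        return stored is not None and hmac.compare_digest(
            stored.encode(), rest[0].encode())
    if op == "isuser":
        return (user, server) in USERS
    return False

def serve(stdin, stdout):
    """Answer requests until the input ends."""
    while (payload := read_frame(stdin)) is not None:
        write_result(stdout, handle(payload))

if __name__ == "__main__":
    # Binary streams are required: the text-mode sys.stdin cannot read raw bytes.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```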

Hello Holger,

I can confirm that your patch works perfectly with 24.02. Thanks a lot! Can I send you a PM?

joe-average-user avatar Jul 09 '24 23:07 joe-average-user

> Can I send you a PM?

Yes, [email protected] works both as email and XMPP address.

weiss avatar Jul 10 '24 09:07 weiss